aws / aws-sdk-js

AWS SDK for JavaScript in the browser and Node.js
https://aws.amazon.com/developer/language/javascript/
Apache License 2.0

Missing eks get-token #2833

Closed nilesuan closed 5 months ago

nilesuan commented 5 years ago

Is your feature request related to a problem? Please describe.

We store our eks application yaml manifests in an s3 bucket. A lambda is attached with a create/update file trigger to run kubectl on that file.

Describe the solution you'd like

If the javascript sdk has the get-token function just like the latest aws cli, then there would be no need to include the iam-auth binary into the lambda. That lowers the function size significantly.

Describe alternatives you've considered

What I currently do is have both kubectl and iam-authentication binaries inside that function.

AllanZhengYP commented 5 years ago

Hey @nilesuan,

This seems to me to be a feature request. Can you specify your use case and describe what API you are expecting? We have a feature request issue template for this kind of issue. You may need to edit your issue following the issue template.

nilesuan commented 5 years ago

Updated

AllanZhengYP commented 5 years ago

@nilesuan

Thank you for bringing this up! I label it as a feature request. We will weigh it along with other feature requests and decide when we are going to deliver this feature.

StefanNienhuis commented 4 years ago

Is this still being worked on? Or is there a workaround? @nilesuan how did you use the binaries to get the auth token?

JustinPlute commented 4 years ago

Hey! Any update on this being supported? For reference, this is the command we'd like to have in parity with the AWS CLI.

arash-bizcover commented 3 years ago

Hi @AllanZhengYP. This is not a feature request, this should be part of the SDK already, as it is a regular API and already in the CLI. Shouldn't the SDK and CLI both reflect the API consistently?

eledoranda commented 3 years ago

> Is this still being worked on? Or is there a workaround? @nilesuan how did you use the binaries to get the auth token?

Hi @StefanNienhuis, maybe it's too late for your specific case, but maybe this could help other people.

For a similar use case, I managed to retrieve an EKS token from a Lambda using the aws-iam-authenticator binary uploaded inside the Lambda package.

I wrote all the details in this repo, but I'll try to sum up the steps:

  1. Download the aws-iam-authenticator for Linux
  2. Make aws-iam-authenticator executable (chmod +x )
  3. Add it to the Lambda package
  4. Define a Kubernetes configuration that references the executable aws-iam-authenticator "token" command in the "Users" section (At line 23 of this gist there is an example. To make it work, you should have the proper RBAC K8s role set for the Lambda Role)
  5. Use the K8s client for the specific language of the Lambda. (I think it should work also if you build the kubectl binary inside the Lambda, but I haven't tested it)

nilesuan commented 3 years ago

> Is this still being worked on? Or is there a workaround? @nilesuan how did you use the binaries to get the auth token?

Hi @StefanNienhuis as stated in my original post and detailed by @eledoranda, we included the aws-iam-authenticator binaries into the lambda function. But it feels frustratingly tedious as the CLI and API should already support it, thus it should be easy to implement in the SDK.

TimisRobert commented 2 years ago

I wasted waay too much time on this.... enjoy

```ts
import { SignatureV4 } from "@aws-sdk/signature-v4";
import { Sha256 } from "@aws-crypto/sha256-js";
import { fromEnv } from "@aws-sdk/credential-providers";

// SigV4 signer for STS, using the credentials found in the environment.
const signer = new SignatureV4({
  credentials: fromEnv(),
  region: process.env.AWS_REGION ?? "",
  service: "sts",
  sha256: Sha256,
});

// Presign an STS GetCallerIdentity request. The x-k8s-aws-id header
// (the cluster identifier) is part of what gets signed.
const request = await signer.presign(
  {
    headers: {
      host: `sts.${process.env.AWS_REGION}.amazonaws.com`,
      "x-k8s-aws-id": "<cluster-id>",
    },
    hostname: `sts.${process.env.AWS_REGION}.amazonaws.com`,
    method: "GET",
    path: "/",
    protocol: "https:",
    query: {
      Action: "GetCallerIdentity",
      Version: "2011-06-15",
    },
  },
  { expiresIn: 0 }
);

// Serialize the presigned query parameters back into a query string.
const query = Object.keys(request?.query ?? {})
  .map(
    (q) =>
      encodeURIComponent(q) +
      "=" +
      encodeURIComponent(request.query?.[q] as string)
  )
  .join("&");

const url = `https://${request.hostname}${request.path}?${query}`;

// The token is the presigned URL, base64url-encoded, behind a fixed prefix.
const token = "k8s-aws-v1." + Buffer.from(url).toString("base64url");
```

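
The token built in the snippet above is a presigned STS GetCallerIdentity URL behind a `k8s-aws-v1.` prefix, so it can be decoded, sanity-checked and redacted before it is used or logged. The following is an added example, not code from this thread or from the AWS SDK; `inspectEksToken`, the 15-minute window, the hostname pattern and the sample URL are assumptions made for the illustration.

```javascript
// Added example (not from the thread): structural checks on a "k8s-aws-v1." token.
const PREFIX = "k8s-aws-v1.";
const SECRET_PARAMS = ["X-Amz-Signature", "X-Amz-Security-Token"];
const MAX_AGE_MS = 15 * 60 * 1000; // assumption: acceptance window chosen for this example

// X-Amz-Date uses ISO 8601 basic format, e.g. 20240101T000000Z.
function parseAmzDate(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s ?? "");
  return m ? Date.UTC(+m[1], m[2] - 1, +m[3], +m[4], +m[5], +m[6]) : NaN;
}

function inspectEksToken(token, now = Date.now()) {
  const fail = (msg) => ({ ok: false, problems: [msg], redactedUrl: null });
  if (typeof token !== "string" || !token.startsWith(PREFIX)) return fail("missing prefix");
  let url;
  try {
    const raw = Buffer.from(token.slice(PREFIX.length), "base64url").toString("utf8");
    url = new URL(raw);
  } catch {
    return fail("payload is not a URL");
  }
  const q = url.searchParams;
  const problems = [];
  if (url.protocol !== "https:") problems.push("not https");
  // Assumption: commercial-partition STS hostnames only (global or regional).
  if (!/^sts(\.[a-z0-9-]+)?\.amazonaws\.com$/.test(url.hostname)) problems.push("host is not STS");
  if (q.get("Action") !== "GetCallerIdentity") problems.push("unexpected Action");
  // The cluster name is not in the URL; the token only shows the header name was signed.
  const signed = (q.get("X-Amz-SignedHeaders") ?? "").split(";");
  if (!signed.includes("x-k8s-aws-id")) problems.push("x-k8s-aws-id not signed");
  const age = now - parseAmzDate(q.get("X-Amz-Date"));
  if (!(age >= 0 && age <= MAX_AGE_MS)) problems.push("X-Amz-Date missing or outside window");
  // The token is a bearer credential: redact secrets before the URL reaches a log.
  for (const p of SECRET_PARAMS) if (q.has(p)) q.set(p, "REDACTED");
  return { ok: problems.length === 0, problems, redactedUrl: url.toString() };
}

// Constructed sample: fake access key id and signature, same layout as the snippet above.
const SAMPLE_URL =
  "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15" +
  "&X-Amz-Algorithm=AWS4-HMAC-SHA256" +
  "&X-Amz-Credential=AKIAEXAMPLEEXAMPLE00%2F20240101%2Fus-east-1%2Fsts%2Faws4_request" +
  "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=60" +
  "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=" + "0".repeat(64);
const SAMPLE_TOKEN = PREFIX + Buffer.from(SAMPLE_URL).toString("base64url");

console.log(inspectEksToken(SAMPLE_TOKEN, Date.UTC(2024, 0, 1, 0, 5, 0)));
```

These checks look only at the token's structure; whether the signature is valid is decided by STS when the URL is actually called.
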
terra2022devops commented 2 years ago

@TimisRobert: Can you please give a link to the SignatureV4 documentation?

adrianmace commented 2 years ago

I’ve come across this as well which looks to do the trick, but I’d love to have it available in the official lib.

felixhuttmann commented 1 year ago

Similar to the library that @adrianmace linked, another library that provides this functionality is https://www.npmjs.com/package/aws-eks-token.

kellertk commented 5 months ago

Hi there! The best way to reduce bundle size is to migrate to v3 of the AWS SDK. The new version is modularized so it can really shrink down the size of your Lambdas.