[Bug]: EKS ClusterAuth v1.3.0 kubeconfig results in Unauthorized

[lajchon]

Is there an existing issue for this?

• [X] I have searched the existing issues

Affected Resource(s)

No response

Resource MRs required to reproduce the bug

No response

Steps to Reproduce

After creating EKS Cluster, create ClusterAuth with writeConnectionSecretToRef configured. Create provider-kubernetes ProviderConfig to reference ClusterAuth Secret, or retrieve kubeconfig from Secret to use manually. ProviderConfig configured with IRSA credentials.source and assumeRoleChain.

What happened?

When utilizing provider-aws-eks v1.3.0, usage of the kubeconfig results in cannot get object: failed to get API group resources: unable to retrieve the complete list of server APIs: apps/v1: Unauthorized.

Downgrade to provider-aws-eks v1.2.0, and kubeconfig is updated and access to the EKS cluster is available.

The same results are exhibited when accessing an EKS cluster provisioned with v1.2.0, which worked as expected, but after upgrading to v1.3.0, the Unauthorized error began.

Relevant Error Output Snippet

No response

Crossplane Version

1.15.1

Provider Version

1.3.0

Kubernetes Version

v1.29.2

Kubernetes Distribution

EKS

Additional Info

No response

[adamhouse]

Some additional information- on the cluster side, we see the authenticator is logging the following on repeat:

{
  "Error": {
    "Code": "SignatureDoesNotMatch",
    "Message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.",
    "Type": "Sender"
  },
  "RequestId": "171b39d0-6bd1-4c09-97eb-1e3ee7f23098"
}

[haarchri]

could be related to https://github.com/aws/aws-sdk-go-v2/issues/2567