Closed buhe closed 1 year ago
Hi,
I've had a quick look at this and there is no EKS.getToken(). From the debug output of awscli it looks like a custom call to STS.getCallerIdentity with extra headers and query parameters and is a GET instead of a POST. This will need some custom code to get it working properly. I'll see if I can construct something.
Ok. So get-token doesn't even talk to AWS services. It just creates a pre-signed URL and then outputs it as base64 with a prefix. Here is the python code from aws-cli that does this
import base64

TOKEN_PREFIX = 'k8s-aws-v1.'

def get_token(self, k8s_aws_id):
    """Generate a presigned url token to pass to kubectl."""
    url = self._get_presigned_url(k8s_aws_id)
    # URL-safe base64 of the presigned URL, with the '=' padding stripped
    token = TOKEN_PREFIX + base64.urlsafe_b64encode(
        url.encode('utf-8')
    ).decode('utf-8').rstrip('=')
    return token
You can create the presigned URL in Swift as follows
let url = try await Self.sts.signURL(
    url: URL(string: Self.sts.endpoint)!,
    httpMethod: .GET,
    headers: ["x-k8s-aws-id": "my-cluster-name"],
    expires: .seconds(60)
)
Thank you!! I will try tomorrow, because I am in China.
Hi @adam-fowler, I tried, but signURL may be missing some fixed part. I used this code, and the token is incorrect. I printed the generated token vs. the aws-cli generated token:
k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0xLmFtYXpvbmF3cy5jb20/WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVEZJWkZOU0lTRTNPVkdYQiUyRjIwMjMwMTA4JTJGdXMtd2VzdC0xJTJGc3RzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzAxMDhUMDMwNzE2WiZYLUFtei1FeHBpcmVzPTYwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCUzQngtazhzLWF3cy1pZCZYLUFtei1TaWduYXR1cmU9NjgxNzdmOWFkMTU1ZDIzZjk4Y2IyNjg0MjhhODFhYzIyOGQ2ZTdiYTMzODVhNTk0YjgzYjI0YzAzZTM3MWJmYQ
k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0xLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVEZJWkZOU0lTRTNPVkdYQiUyRjIwMjMwMTA4JTJGdXMtd2VzdC0xJTJGc3RzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzAxMDhUMDMyMTM3WiZYLUFtei1FeHBpcmVzPTYwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCUzQngtazhzLWF3cy1pZCZYLUFtei1TaWduYXR1cmU9ODFiZGU2N2ViNzdmZjUzYWFiMmQwYzA4YTk3ZjRiNDI3MDZmYjQyZmI3YmFlM2NjZmVmY2NiYjM5ODNjMzgxZA
let url = try! sts.signURL(
    url: URL(string: sts.endpoint)!,
    httpMethod: .GET,
    headers: ["x-k8s-aws-id": clusterName],
    expires: .seconds(60)
).wait()
print("signed: \(url.absoluteString)")
var token = MyAWSClient.TOKEN_PREFIX + url.absoluteString.data(using: .utf8)!.base64EncodedString()
token.remove(at: token.index(before: token.endIndex))
token.remove(at: token.index(before: token.endIndex))
So, any ideas? Thanks.
signed: https://sts.us-west-1.amazonaws.com?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIATFIZFNSISE3OVGXB%2F20230108%2Fus-west-1%2Fsts%2Faws4_request&X-Amz-Date=20230108T032024Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=09e203e2db953ca526c39545f6e763c2ef083eea352fbc10d2c6122f16c28078
https://sts.us-west-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIATFIZFNSISE3OVGXB%2F20230108%2Fus-west-1%2Fsts%2Faws4_request&X-Amz-Date=20230108T041100Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=839eddff93e520580770281c28f2e5ada9f67afde4900f32b246e86b332aeb4
This is the aws-cli URL. It has the extra "Action=GetCallerIdentity&Version=2011-06-15".
Amazing! Final version. Thank you!
let url = try! sts.signURL(
    url: URL(string: sts.endpoint+"/?Action=GetCallerIdentity&Version=2011-06-15")!,
    httpMethod: .GET,
    headers: ["x-k8s-aws-id": clusterName],
    expires: .seconds(60)
).wait()
print("signed: \(url.absoluteString)")
var token = MyAWSClient.TOKEN_PREFIX + Base64FS.encodeString(str: url.absoluteString)
// Strip however many "=" padding characters the encoder produced (0, 1 or 2),
// instead of always dropping the last two characters.
while token.hasSuffix("=") {
    token.removeLast()
}
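Added example, not part of the thread and not code from aws-cli or Soto: a small Python checker that decodes a `k8s-aws-v1.` token back to its presigned URL and lists the mismatches this thread ran into (missing `Action`/`Version` query, standard instead of URL-safe base64). The URLs, credential and signature are constructed placeholders, and `check_token` is a hypothetical helper, not the validation EKS itself performs.

```python
import base64
from urllib.parse import parse_qs, urlsplit

TOKEN_PREFIX = "k8s-aws-v1."
# Constructed sample values: placeholder credential and signature, not real ones.
SIGNED_QUERY = ("X-Amz-Algorithm=AWS4-HMAC-SHA256"
                "&X-Amz-Credential=AKIAEXAMPLE%2F20230108%2Fus-west-1%2Fsts%2Faws4_request"
                "&X-Amz-Date=20230108T000000Z&X-Amz-Expires=60"
                "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=00")
HOST = "https://sts.us-west-1.amazonaws.com"
BAD_URL = HOST + "?" + SIGNED_QUERY
GOOD_URL = HOST + "/?Action=GetCallerIdentity&Version=2011-06-15&" + SIGNED_QUERY


def encode_token(url: str) -> str:
    """Same encoding as the aws-cli snippet in the thread."""
    b64 = base64.urlsafe_b64encode(url.encode("utf-8")).decode("utf-8")
    return TOKEN_PREFIX + b64.rstrip("=")


def decode_token(token: str) -> str:
    """Recover the presigned URL; tolerates standard base64 so it can be inspected."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("missing k8s-aws-v1. prefix")
    body = token[len(TOKEN_PREFIX):].rstrip("=").replace("+", "-").replace("/", "_")
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode("utf-8")


def check_token(token: str) -> list[str]:
    """Hypothetical helper: list the mismatches this thread ran into."""
    problems = []
    if any(c in token[len(TOKEN_PREFIX):] for c in "+/="):
        problems.append("body is not unpadded URL-safe base64")
    query = parse_qs(urlsplit(decode_token(token)).query)
    if query.get("Action") != ["GetCallerIdentity"]:
        problems.append("Action=GetCallerIdentity missing")
    if "Version" not in query:
        problems.append("Version missing")
    signed = query.get("X-Amz-SignedHeaders", [""])[0].split(";")
    if "x-k8s-aws-id" not in signed:
        problems.append("x-k8s-aws-id is not a signed header")
    return problems


# Standard-alphabet encoding of the URL without Action/Version, as in the first attempt.
STD_TOKEN = TOKEN_PREFIX + base64.b64encode(BAD_URL.encode()).decode().rstrip("=")

if __name__ == "__main__":
    for name, tok in [("good", encode_token(GOOD_URL)), ("std", STD_TOKEN)]:
        print(name, check_token(tok) or "ok")
```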
Is your feature request related to a problem? Please describe. I use aws-cli to get an EKS token like "aws eks get-token --cluster-name xxx", but I can't find it in this, so either I missed it or it does not exist. Thanks. These are the debug logs: