-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API Authorization from Outside EKS Cluster throws Unauthorized
error after 20+ minutes
#590
Comments
Trying to bump this issue up again since no replies received after a month |
Also seeing this. We will see a window where sometimes a generated token gets Unauthorized for 3-5 minutes before it expires. The structure of the go-lang client auth plugins keeps us from detecting the problem and regenerating the token, so we have short-lived outages. Seems to happen after about an hour. Our client is running in an EKS cluster using IRSA and communicating with a different EKS cluster. |
I think I understand what is going on in our case. We are using the token.Generator without passing in a Session, in a k8s Pod using IRSA. The IAM Role's MaxSessionDuration is 1 hour. So what happens is:
So the problem is that if you use a session that is about to expire to presign, you get less than the 15 minutes assumed in the code. The correct expiration would be |
One workaround is to expire the session early: s, err := session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
CredentialsProviderOptions: &session.CredentialsProviderOptions{
WebIdentityRoleProviderOptions: func(provider *stscreds.WebIdentityRoleProvider) {
// When the session expires, pre-signed tokens seem to become invalid within 3 minutes,
// even if they were created <15 minutes ago. Expiring the session 12.5 minutes early
// should keep the token from falling into this window.
provider.ExpiryWindow = 12*time.Minute + 30*time.Second
},
},
})
tok, err := gen.GetWithOptions(&token.GetTokenOptions{
Session: s,
// set ClusterID, etc.
}) (last comment, sorry for hijacking this ticket) |
Fixes kubernetes-sigs#590 This comes up when using a long-lived `token.Generator` instance where the underlying assume-role session might expire, invalidating the token.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
We're also experiencing this issue using
Should we enable any additional config options? |
Hey folks, I'm running into this issue as well, wondering if there's an update? @iamnoah I also tried your patch, but still seeing Unauthorized after about a few minutes after the pod starts. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
What this PR does / why we need it: There are two expirations which must be considered when using a signed EKS token: * 15 minutes after the point in time when the AWS STS request has been signed * The underlying AWS credentials can expire at which point the token won't be accepted The second case is particularly common when making frequent requests while using AssumeRole or AssumeRoleWithWebRequest as mentioned in kubernetes-sigs#590 as the default session timeout is 1 hour. This PR adds an additional check fetching the AWS credential expiration and using that as the returned expiration if it is before the 15 minute token expiration. Which issue(s) this PR fixes Fixes kubernetes-sigs#590
What this PR does / why we need it: There are two expirations which must be considered when using a signed EKS token: * 15 minutes after the point in time when the AWS STS request has been signed * The underlying AWS credentials can expire at which point the token won't be accepted The second case is particularly common when making frequent requests while using AssumeRole or AssumeRoleWithWebRequest as mentioned in kubernetes-sigs#590 as the default session timeout is 1 hour. This PR adds an additional check fetching the AWS credential expiration and using that as the returned expiration if it is before the 15 minute token expiration.
What this PR does / why we need it: There are two expirations which must be considered when using a signed EKS token: * 15 minutes after the point in time when the AWS STS request has been signed * The underlying AWS credentials can expire at which point the token won't be accepted The second case is particularly common when making frequent requests while using AssumeRole or AssumeRoleWithWebRequest as mentioned in kubernetes-sigs#590 as the default session timeout is 1 hour. This PR adds an additional check fetching the AWS credential expiration and using that as the returned expiration if it is before the 15 minute token expiration.
What this PR does / why we need it: There are two expirations which must be considered when using a signed EKS token: * 15 minutes after the point in time when the AWS STS request has been signed * The underlying AWS credentials can expire at which point the token won't be accepted The second case is particularly common when making frequent requests while using AssumeRole or AssumeRoleWithWebRequest as mentioned in kubernetes-sigs#590 as the default session timeout is 1 hour. This PR adds an additional check fetching the AWS credential expiration and using that as the returned expiration if it is before the 15 minute token expiration.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
What this PR does / why we need it: There are two expirations which must be considered when using a signed EKS token: * 15 minutes after the point in time when the AWS STS request has been signed * The underlying AWS credentials can expire at which point the token won't be accepted The second case is particularly common when making frequent requests while using AssumeRole or AssumeRoleWithWebRequest as mentioned in kubernetes-sigs#590 as the default session timeout is 1 hour. This PR adds an additional check fetching the AWS credential expiration and using that as the returned expiration if it is before the 15 minute token expiration.
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned |
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
We have tried to implement similar methods defined in section https://github.com/kubernetes-sigs/aws-iam-authenticator#api-authorization-from-outside-a-cluster in Golang
It works fine.
However, we are having intermittent issue that the Kubernetes Client created with this token is throwing
Unauthorized
error when performing kubernetes operation, for example, equivalent tokubectl get nodes
We are using https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredential instead of using similar
headers = {'Authorization': 'Bearer ' + get_bearer_token('my_cluster', 'us-east-1')}
as the tutorial.I am wondering what could be the potential reason for this
Unauthorized
error ? The API successfully ran for almost 20 minutes and then suddenly this error is thrown back.I am thinking:
bearerToken
expired exactly at the timestamp defined inExpirationTimestamp
or after some magical time delta ? Currently we configured theExpirationTimestamp
to be 1 hour after the token is generated. Does this conflict with the sts presign 60 seconds ?Something to note though is that the IAM Authenticator explicitly omits base64 padding to avoid any = characters thus guaranteeing a string safe to use in URLs.
is mentioned and the python code exampleis explicitly replace
empty string, which is absent from our golang methods, how so far everything related to kubernetes operation is working fine.
=
withAlso trying to get some feedback on this if there is anything else that I am missing.
The text was updated successfully, but these errors were encountered: