Skip to content

Fix generating presigned URL for K8s authentication#7487

Merged
yuxiang-zhang merged 1 commit intoeksctl-io:mainfrom
cPu1:fix-sts-auth-failure
Jan 19, 2024
Merged

Fix generating presigned URL for K8s authentication#7487
yuxiang-zhang merged 1 commit intoeksctl-io:mainfrom
cPu1:fix-sts-auth-failure

Conversation

@cPu1
Copy link
Copy Markdown
Contributor

@cPu1 cPu1 commented Jan 19, 2024
edited
Loading

Description

With aws-sdk-go-v2@1.24.1, API server requests containing URLs presigned by sts.PresignClient fail with an Unauthorized error.

aws-sdk-go-v2@1.24.1 adds an extra header amz-sdk-request to the generated request, but this header is not allow-listed by aws-iam-authenticator server running on the control plane. This is likely due to this change which reorders the middleware operations to execute RetryMetricsHeader before Signing.

This changelist removes the RetryMetricsHeader middleware from the stack when constructing sts.PresignClient.

This functionality is part of aws-sdk-go-v2 and is therefore not covered by unit tests.

Fixes #7486

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

@cPu1 cPu1 added the kind/bug label Jan 19, 2024
Fix generating presigned URL for K8s authentication
ce27549 
With `aws-sdk-go-v2@1.24.1`, API server requests containing URLs presigned by `sts.PresignClient` fail with an `Unauthorized` error.

`aws-sdk-go-v2@1.24.1` adds an extra header `amz-sdk-request` to the generated request, but this header is not allow-listed by `aws-iam-authenticator` server running on the control plane.
This is likely due to [this change](aws/aws-sdk-go-v2#2438) which reorders the middleware operations to execute `RetryMetricsHeader` before `Signing`.

This changelist removes the `RetryMetricsHeader` middleware from the stack when constructing `sts.PresignClient`.
@cPu1 cPu1 force-pushed the fix-sts-auth-failure branch from b895088 to ce27549 Compare January 19, 2024 12:48
a-hilaly
a-hilaly approved these changes Jan 19, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@a-hilaly a-hilaly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@yuxiang-zhang yuxiang-zhang merged commit 3d0c65e into eksctl-io:main Jan 19, 2024
@a-hilaly a-hilaly mentioned this pull request Jan 19, 2024
Closed
@mbbush mbbush mentioned this pull request Apr 22, 2024
Closed
54 tasks
@cPu1 cPu1 mentioned this pull request Jun 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@a-hilaly a-hilaly a-hilaly approved these changes

@yuxiang-zhang yuxiang-zhang yuxiang-zhang approved these changes

Assignees

No one assigned

Labels

kind/bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Presigned requests generated by aws-sdk-go-v2@1.24.1 fail with an Unauthorized error

3 participants

@cPu1 @a-hilaly @yuxiang-zhang