Obtain EKS token via SDK #2599

Open
georgeboot opened this issue Dec 13, 2022 · 2 comments
Labels
feature-request A feature should be added or improved. p3 This is a minor priority issue

Comments


georgeboot commented Dec 13, 2022

Describe the feature

The EKSClient currently does not offer a getToken() method.
The STSClient also does not offer a method to presign a URL.

Use Case

We try to access an EKS Kubernetes cluster from a Lambda.
Ideally, I should add the Lambda's role to the cluster's aws-auth ConfigMap and use the EKSClient to generate a token, just like I would be able to do on the CLI.

On the CLI I can do aws eks get-token --cluster-name test to get a token. There is, to my knowledge, no way to do this via the SDK for PHP.

Proposed Solution

Implement the getToken() method for the EKSClient.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

3.249.0

Environment details (Version of PHP (php -v)? OS name and version, etc.)

PHP 8.1.13 (cli)

@georgeboot georgeboot added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 13, 2022
@yenfryherrerafeliz
Contributor

Hi @georgeboot, thanks for opening this feature request. This method is CLI-specific. We can confirm that by looking at the implementation here, which is located in the customization folder. I also checked in other SDKs and this method is also not available.

In the meantime, I will leave this feature request open, but I do not guarantee we will look at this in the near future since we are working on other backlog items with higher priority.

Thanks!

@yenfryherrerafeliz yenfryherrerafeliz added p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jan 9, 2023
Author

georgeboot commented Jan 12, 2023

For anyone else having this issue, this is how I've implemented it:

use Aws\Credentials\CredentialProvider;
use Aws\Signature\SignatureV4;
use Carbon\Carbon;
use GuzzleHttp\Psr7\Request;

$region = 'eu-central-1';
$clusterName = 'test-cluster';
$expiry = Carbon::now()->addMinutes(15);

// GetCallerIdentity request with the cluster name in the x-k8s-aws-id header.
$request = new Request('GET', "https://sts.{$region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15", [
    'x-k8s-aws-id' => $clusterName,
]);

$signer = new SignatureV4('sts', $region, []);
// Resolve credentials through the SDK's default provider chain.
$credentials = CredentialProvider::defaultProvider()()->wait();
$signature = $signer->presign($request, $credentials, $expiry);

// @see https://github.com/aws/aws-cli/commit/3ef2a3cf895cb64cf45a28284ca3291cd1c33755
// The token is the presigned URL in URL-safe base64 ('-' and '_' instead of '+' and '/') without padding.
$token = 'k8s-aws-v1.'.rtrim(strtr(base64_encode((string) $signature->getUri()), '+/', '-_'), '=');
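
As an added example (not part of the thread and not SDK code), the PHP sketch below decodes a token of the shape built in the comment above and checks the presigned STS URL inside it. The function name inspectEksToken, the set of checks, the 900-second ceiling (taken from the 15-minute expiry in the snippet) and the sample URL with its fake key ID are assumptions of this example.

```php
<?php
// Added example, not code from the issue. Checks and limits are assumptions of this sketch.
function inspectEksToken(string $token): array
{
    $prefix = 'k8s-aws-v1.';
    if (strncmp($token, $prefix, strlen($prefix)) !== 0) {
        return ['ok' => false, 'problems' => ['missing k8s-aws-v1. prefix']];
    }
    // Reverse the unpadded, URL-safe base64 encoding of the presigned URL.
    $b64 = strtr(substr($token, strlen($prefix)), '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $url = base64_decode($b64, true);
    if ($url === false) {
        return ['ok' => false, 'problems' => ['payload is not valid base64']];
    }
    $parts = parse_url($url) ?: [];
    parse_str($parts['query'] ?? '', $q);
    $q = array_filter($q, 'is_string'); // drop array-style parameters such as a[]=1
    $signed = explode(';', strtolower($q['X-Amz-SignedHeaders'] ?? ''));
    $expires = (int) ($q['X-Amz-Expires'] ?? 0);
    // Each key is the problem reported when its condition is false.
    $checks = [
        'scheme is not https' => ($parts['scheme'] ?? '') === 'https',
        'host is not a regional STS endpoint' => preg_match('/^sts\.[a-z0-9-]+\.amazonaws\.com$/', $parts['host'] ?? '') === 1,
        'Action is not GetCallerIdentity' => ($q['Action'] ?? '') === 'GetCallerIdentity',
        'x-k8s-aws-id is not a signed header' => in_array('x-k8s-aws-id', $signed, true),
        'X-Amz-Expires is outside 1..900 seconds' => $expires >= 1 && $expires <= 900,
    ];
    $problems = array_keys(array_filter($checks, fn ($passed) => !$passed));
    return [
        'ok' => $problems === [],
        'problems' => $problems,
        'accessKeyId' => explode('/', $q['X-Amz-Credential'] ?? '')[0],
        'expires' => $expires,
    ];
}

// Constructed sample URL (fake key ID, all-zero signature), encoded like the token above.
$url = 'https://sts.eu-central-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15'
    . '&X-Amz-Algorithm=AWS4-HMAC-SHA256'
    . '&X-Amz-Credential=AKIAEXAMPLEEXAMPLE00%2F20230112%2Feu-central-1%2Fsts%2Faws4_request'
    . '&X-Amz-Date=20230112T120000Z&X-Amz-Expires=900'
    . '&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=' . str_repeat('0', 64);
$encode = fn (string $u): string => 'k8s-aws-v1.' . rtrim(strtr(base64_encode($u), '+/', '-_'), '=');
print_r(inspectEksToken($encode($url)));                                          // well-formed sample
print_r(inspectEksToken($encode(str_replace('%3Bx-k8s-aws-id', '', $url))));     // cluster header unsigned
```

The decoded URL carries the access key ID and a valid signature, so the token should be handled as a bearer credential and kept out of logs for as long as it is valid.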
