eksauth

v0.0.0-...-3a10918 Latest
Published: Aug 10, 2024 License: MIT Imports: 9 Imported by: 0

README

aws-eks-auth

A straightforward Golang implementation of the aws-iam-authenticator (AWS EKS) token generation algorithm.

Why?

The aws-iam-authenticator/pkg/token package makes use of the AWS Golang v1 SDK, which has entered maintenance mode as of 7/31/2024 (issue #736). This library uses the AWS Golang v2 SDK to generate tokens.

Additionally, the aws-iam-authenticator/pkg/token package does not properly handle short-lived AWS credentials (issue #590). This requires clients to use less secure authentication methods like static AWS IAM users, or to avoid any caching of tokens, which adds unnecessary latency to each Kubernetes request.

Usage

package main

import (
	"context"
	"log"
	"net/http"
	"os"

	"github.com/aws/aws-sdk-go-v2/config"
	eksauth "github.com/bored-engineer/aws-eks-auth"
	"golang.org/x/oauth2"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)

func main() {
	// Load a local kubeconfig using the KUBECONFIG environment variable.
	// Named restConfig so it does not shadow the AWS SDK "config" package.
	restConfig, err := clientcmd.BuildConfigFromFlags("", os.Getenv("KUBECONFIG"))
	if err != nil {
		log.Fatalf("clientcmd.BuildConfigFromFlags failed: %v", err)
	}

	// Load some AWS credentials from the default credential chain
	cfg, err := config.LoadDefaultConfig(context.TODO())
	if err != nil {
		log.Fatalf("config.LoadDefaultConfig failed: %v", err)
	}

	// Wrap the http.RoundTripper using our EKS authentication token source
	ts := eksauth.NewFromConfig(cfg, "eks-cluster-name")
	restConfig.Wrap(func(base http.RoundTripper) http.RoundTripper {
		return &oauth2.Transport{
			Source: ts,
			Base:   base,
		}
	})

	// Finally create a clientset using the authenticated config
	clientset, err := kubernetes.NewForConfig(restConfig)
	if err != nil {
		log.Fatalf("kubernetes.NewForConfig failed: %v", err)
	}

	// The clientset is now ready for Kubernetes API calls
	_ = clientset
}

Documentation

Constants

This section is empty.

Variables

var DefaultEarlyExpiry = 60 * time.Second

DefaultEarlyExpiry is the delta added to expire generated tokens early to account for clock skew.

var DefaultExpiration = 15 * time.Minute

DefaultExpiration is the default expiration time for a generated EKS token.

Functions

func NewFromClient

func NewFromClient(client *sts.Client, clusterName string, optFns ...func(*sts.PresignOptions)) oauth2.TokenSource

NewFromClient creates a new oauth2.TokenSource from a sts.Client and an EKS cluster name

func NewFromConfig

func NewFromConfig(cfg aws.Config, clusterName string, optFns ...func(*sts.Options)) oauth2.TokenSource

NewFromConfig creates a new oauth2.TokenSource from an aws.Config and an EKS cluster name

func NewFromPresignClient

func NewFromPresignClient(client *sts.PresignClient, clusterName string) oauth2.TokenSource

NewFromPresignClient creates a new oauth2.TokenSource from a sts.PresignClient and an EKS cluster name

Types

type TokenSource

type TokenSource struct {
	ClusterName string
	Client      *sts.PresignClient
}

TokenSource is an oauth2.TokenSource that generates AWS EKS tokens from a sts.PresignClient. NOTE: Generally this should not be used directly, instead use the New* functions...

func (*TokenSource) Token

func (ts *TokenSource) Token() (*oauth2.Token, error)

Token implements the oauth2.TokenSource interface.
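
The aws-iam-authenticator token format is a presigned STS GetCallerIdentity URL, base64url-encoded without padding and prefixed with k8s-aws-v1., so a token can be decoded and audited offline. The following is an added example, not code from this package or from aws-iam-authenticator: TokenInfo, EncodeToken, InspectToken and SampleURL are hypothetical names, the sample URL is constructed, and ReuseUntil assumes the two defaults above combine as expiration minus early expiry.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const tokenPrefix = "k8s-aws-v1." // prefix of aws-iam-authenticator tokens
// TokenInfo is a hypothetical type for this example, not part of eksauth.
type TokenInfo struct {
	Host, Action string
	ClusterBound bool      // x-k8s-aws-id is among the signed headers
	ReuseUntil   time.Time // assumed: X-Amz-Date + 15m expiration - 60s early expiry
}

// EncodeToken wraps a presigned STS URL in the bearer-token format.
func EncodeToken(presigned string) string {
	return tokenPrefix + base64.RawURLEncoding.EncodeToString([]byte(presigned))
}

// InspectToken decodes a token offline so its contents can be audited.
func InspectToken(token string) (TokenInfo, error) {
	if !strings.HasPrefix(token, tokenPrefix) {
		return TokenInfo{}, fmt.Errorf("missing %q prefix", tokenPrefix)
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(token, tokenPrefix))
	if err != nil {
		return TokenInfo{}, fmt.Errorf("bad base64url payload: %w", err)
	}
	u, err := url.Parse(string(raw))
	if err != nil {
		return TokenInfo{}, fmt.Errorf("payload is not a URL: %w", err)
	}
	q := u.Query()
	signedAt, err := time.Parse("20060102T150405Z", q.Get("X-Amz-Date"))
	if err != nil {
		return TokenInfo{}, fmt.Errorf("bad X-Amz-Date: %w", err)
	}
	signed := ";" + q.Get("X-Amz-SignedHeaders") + ";"
	return TokenInfo{u.Host, q.Get("Action"), strings.Contains(signed, ";x-k8s-aws-id;"),
		signedAt.Add(15*time.Minute - 60*time.Second)}, nil
}

const SampleURL = "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity" + // constructed sample
	"&X-Amz-Date=20240810T120000Z&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=PLACEHOLDER"
func main() { fmt.Println(InspectToken(EncodeToken(SampleURL))) }
```

Because the decoded payload is a signed request, the token is a bearer credential and should be redacted from logs and traces like any other secret.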
