[Bug]: Unauthorized Access with EKS ClusterAuth kubeconfig #1526

Closed
1 task done
elihuj117 opened this issue Oct 15, 2024 · 1 comment
Labels
bug Something isn't working needs:triage

Comments


elihuj117 commented Oct 15, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

eks.aws.upbound.io/v1beta2

Resource MRs required to reproduce the bug

No response

Steps to Reproduce

I have a composition that creates an EKS Cluster with Kind: Cluster, followed by Kind: ClusterAuth where I use writeConnectionSecretToRef to write the secrets to the crossplane-system namespace. Exporting the kubeconfig Secret manually results in the following error when accessing the cluster: error: You must be logged in to the server (Unauthorized).

What happened?

Here is the output of the decoded kubeconfig Secret:
https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&%2F%2Fus-east-1%2Fsts%2Faws4_request&X-Amz-Date=16Z&X-Amz-Expires=&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature: invalid input

When I visit that URL, I see the following error:

{
  "Error": {
    "Code": "SignatureDoesNotMatch",
    "Message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.",
    "Type": "Sender"
  },
}

I saw this bug, but see it is closed with an upgrade to 1.3.1 resolving the issue.

Relevant Error Output Snippet

No response

Crossplane Version

1.17.1

Provider Version

1.15.0

Kubernetes Version

1.30.0

Kubernetes Distribution

EKS

Additional Info

No response

@elihuj117 elihuj117 added bug Something isn't working needs:triage labels Oct 15, 2024
@elihuj117
Author

This is resolved - it was a PEBKAC error. I was not tracking that the token was refreshing, so I was unknowingly using expired credentials when attempting to manually authenticate. The ClusterAuth works as expected.
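Added example, not part of the issue thread or the provider's code: a check that decodes an EKS bearer token copied out of a kubeconfig Secret and reports whether it has already expired, which is the condition the thread ended on. It assumes the token is the `k8s-aws-v1.` prefix followed by the unpadded base64url of a presigned STS URL like the one quoted in the report, and that a token is honoured for 15 minutes after its `X-Amz-Date`; the function names and the sample token are constructed for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

TOKEN_PREFIX = "k8s-aws-v1."
# Assumption: the cluster honours a token for 15 minutes after X-Amz-Date.
TOKEN_LIFETIME = timedelta(minutes=15)


def decode_token(token):
    """Return the presigned STS URL wrapped inside an EKS bearer token."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a k8s-aws-v1 token")
    body = token[len(TOKEN_PREFIX):]
    body += "=" * (-len(body) % 4)  # restore the stripped base64 padding
    return base64.urlsafe_b64decode(body).decode("utf-8")


def token_window(token):
    """Return (signed_at, expires_at) in UTC for the token."""
    query = parse_qs(urlsplit(decode_token(token)).query)
    if "X-Amz-Date" not in query:
        raise ValueError("presigned URL has no X-Amz-Date")
    signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at, signed_at + TOKEN_LIFETIME


def is_expired(token, now=None):
    """True when the token is past its validity window at `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    return now >= token_window(token)[1]


def make_sample_token(signed_at):
    """Constructed sample: same URL shape as in the issue, placeholder signature."""
    url = (
        "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity"
        "&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256"
        f"&X-Amz-Date={signed_at:%Y%m%dT%H%M%SZ}&X-Amz-Expires=60"
        "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=PLACEHOLDER"
    )
    return TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


if __name__ == "__main__":
    sample = make_sample_token(datetime.now(timezone.utc) - timedelta(minutes=20))
    print(token_window(sample), "expired:", is_expired(sample))
```

Running this against the `token` field of an exported kubeconfig before using it shows whether the Secret needs to be read again to pick up the refreshed token.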
