Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix generating presigned URL for K8s authentication #7487

Merged
merged 1 commit into from
Jan 19, 2024
Merged

Fix generating presigned URL for K8s authentication #7487

merged 1 commit into from
Jan 19, 2024

Conversation

cPu1
Copy link
Collaborator

@cPu1 cPu1 commented Jan 19, 2024
edited

Description

With aws-sdk-go-v2@1.24.1, API server requests containing URLs presigned by sts.PresignClient fail with an Unauthorized error.

aws-sdk-go-v2@1.24.1 adds an extra header amz-sdk-request to the generated request, but this header is not allow-listed by aws-iam-authenticator server running on the control plane. This is likely due to this change which reorders the middleware operations to execute RetryMetricsHeader before Signing.

This changelist removes the RetryMetricsHeader middleware from the stack when constructing sts.PresignClient.

This functionality is part of aws-sdk-go-v2 and is therefore not covered by unit tests.

Fixes #7486

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 馃く

  • Backfilled missing tests for code in same general area 馃帀
  • Refactored something and made the world a better place 馃専

@cPu1 cPu1 added the kind/bug label Jan 19, 2024
Fix generating presigned URL for K8s authentication
ce27549 
With `aws-sdk-go-v2@1.24.1`, API server requests containing URLs presigned by `sts.PresignClient` fail with an `Unauthorized` error.

`aws-sdk-go-v2@1.24.1` adds an extra header `amz-sdk-request` to the generated request, but this header is not allow-listed by `aws-iam-authenticator` server running on the control plane.
This is likely due to [this change](aws/aws-sdk-go-v2#2438) which reorders the middleware operations to execute `RetryMetricsHeader` before `Signing`.

This changelist removes the `RetryMetricsHeader` middleware from the stack when constructing `sts.PresignClient`.
a-hilaly
a-hilaly approved these changes Jan 19, 2024
View reviewed changes
Copy link
Member

@a-hilaly a-hilaly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

馃憤

@yuxiang-zhang yuxiang-zhang merged commit 3d0c65e into eksctl-io:main Jan 19, 2024
13 checks passed
@a-hilaly a-hilaly mentioned this pull request Jan 19, 2024
Closed
@mbbush mbbush mentioned this pull request Apr 22, 2024
Closed
54 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@a-hilaly a-hilaly a-hilaly approved these changes

@yuxiang-zhang yuxiang-zhang yuxiang-zhang approved these changes

Assignees
No one assigned
Labels
kind/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Presigned requests generated by aws-sdk-go-v2@1.24.1 fail with an Unauthorized error
3 participants
@cPu1 @a-hilaly @yuxiang-zhang