A straightforward Golang implementation of the aws-iam-authenticator (AWS EKS) token generation algorithm.
The aws-iam-authenticator/pkg/token package makes use of the AWS Golang v1 SDK, which has entered maintenance mode as of 7/31/2024 (issue #736). This library instead uses the AWS Golang v2 SDK to generate tokens.
Additionally, the aws-iam-authenticator/pkg/token package does not properly handle short-lived AWS credentials (issue #590). This forces clients either to use less secure authentication methods such as static AWS IAM users, or to avoid caching tokens at all, which adds unnecessary latency to each Kubernetes request.
package main
import (
	"context"
	"log"
	"net/http"
	"os"

	"github.com/aws/aws-sdk-go-v2/config"
	eksauth "github.com/bored-engineer/aws-eks-auth"
	"golang.org/x/oauth2"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)
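// main builds a Kubernetes clientset whose requests are authenticated with
// EKS tokens generated from the default AWS credential chain.
func main() {
	// Load a local kubeconfig from the path in the KUBECONFIG environment
	// variable. With an empty path, BuildConfigFromFlags falls back to
	// in-cluster configuration.
	//
	// The result is named restConfig so that it does not shadow the AWS SDK
	// "config" package used below.
	restConfig, err := clientcmd.BuildConfigFromFlags("", os.Getenv("KUBECONFIG"))
	if err != nil {
		log.Fatalf("clientcmd.BuildConfigFromFlags failed: %v", err)
	}

	// Load some AWS credentials from the default credential chain.
	awsCfg, err := config.LoadDefaultConfig(context.TODO())
	if err != nil {
		log.Fatalf("config.LoadDefaultConfig failed: %v", err)
	}

	// Wrap the http.RoundTripper using our EKS authentication token source.
	// "eks-cluster-name" is a placeholder: replace it with the name of the
	// EKS cluster that the kubeconfig points at.
	ts := eksauth.NewFromConfig(awsCfg, "eks-cluster-name")
	restConfig.Wrap(func(base http.RoundTripper) http.RoundTripper {
		// oauth2.Transport attaches the token to every request as an
		// Authorization header; base keeps the TLS settings from the
		// kubeconfig. The token is a bearer credential, so do not log it.
		return &oauth2.Transport{
			Source: ts,
			Base:   base,
		}
	})

	// Finally create a clientset using the authenticated config.
	clientset, err := kubernetes.NewForConfig(restConfig)
	if err != nil {
		log.Fatalf("kubernetes.NewForConfig failed: %v", err)
	}

	// The clientset is ready for API calls; the blank assignment keeps this
	// example compiling until real calls are added.
	_ = clientset
}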