This message was deleted.

sparse-intern-71089

08/02/2023, 6:02 PM

This message was deleted.

full-eve-52536

08/02/2023, 6:22 PM

I don't know about AWS, but I use GKE. With GKE, there is a GKE-specific

kubeconfig

that tells k8s how to authenticate (using the gauth plugin). You can pass this kubeconfig to the Kubernetes Provider resource. I imagine AWS does it similarly, so you should be able to construct an AWS-specific kubeconfig, then pass it along to the provider.

salmon-account-74572

08/02/2023, 6:47 PM

The “default” Kubeconfig for an EKS cluster uses a binary called

aws-iam-authenticator

that leverages your AWS creds in the same way the AWS CLI would. If it isn’t working with Deployments, then I would a) wonder if creds are actually getting injected, or b) if the Deployments image contains the necessary binary. Let me inquiry about that second item internally and see if I can get any information.

narrow-river-17495

08/02/2023, 8:07 PM

yeah, my EKS-generated kubeconfig shows (in part):

Copy code

users          : [ 
    [0]: { 
        name: "aws" 
        user: { 
            exec: { 
                apiVersion: "<http://client.authentication.k8s.io/v1beta1|client.authentication.k8s.io/v1beta1>" 
                args      : [ 
                    [0]: "eks" 
                    [1]: "get-token" 
                    [2]: "--cluster-name" 
                    [3]: "platform-eks" 
                ] 
                command   : "aws" 
                env       : [ 
                    [0]: { 
                        name : "KUBERNETES_EXEC_INFO" 
                        value: (json) { 
                            apiVersion: "<http://client.authentication.k8s.io/v1beta1|client.authentication.k8s.io/v1beta1>" 
                        }
                    } 
                ] 
            } 
        } 
    }
]

I would sort of expect that to cause some other more immediate error if that command failed in some fashion. My understanding of Deployments is that it is injecting

AWS_ACCESS_KEY_ID

AWS_SECRET_ACCESS_KEY

, and

AWS_SESSION_TOKEN

which seems like it would be enough to make this work so.... definitely confused

salmon-account-74572

08/02/2023, 9:04 PM

Ah, so this Kubeconfig replaces

aws-iam-authenticator

with the

aws eks get-token

command, which I presume has the same basic effect. In that regard, I agree---I would expect that injecting the AWS credentials as you described should just work.

5 Views

Open in Slack

Previous Next

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.