bored-table-20691
06/03/2021, 6:36 PM
ProviderCredentialOpts. For example, I have a Pulumi stack in which I set (via config) the AWS access token and secret, as it is in a different account than the one my AWS CLI (i.e. ~/.aws) is configured with. I then create a cluster like this:
```go
// Fragment from inside the pulumi.Run callback: ctx, vpc, publicSubnetIDs,
// privateSubnetIDs and role2 are defined earlier in the program.
cluster, err := eks.NewCluster(ctx, "my-cluster", &eks.ClusterArgs{
	VpcId:            vpc.ID(),
	PublicSubnetIds:  pulumi.ToStringArrayOutput(publicSubnetIDs),
	PrivateSubnetIds: pulumi.ToStringArrayOutput(privateSubnetIDs),
	// Ship the control-plane API, audit and authenticator logs to CloudWatch.
	EnabledClusterLogTypes: pulumi.StringArray{
		pulumi.String("api"),
		pulumi.String("audit"),
		pulumi.String("authenticator"),
	},
	// Node groups are created separately, so no default node group here.
	SkipDefaultNodeGroup: pulumi.BoolPtr(true),
	// IAM roles that worker nodes may assume; mapped into aws-auth by the component.
	InstanceRoles: iam.RoleArray{
		// role0,
		// role1,
		role2,
	},
	NodeAssociatePublicIpAddress: pulumi.Bool(false),
	Version:                      pulumi.String("1.20"),
	UseDefaultVpcCni:             pulumi.Bool(true),
})
if err != nil {
	return err
}
```
This works fine, but I get an error at the end basically saying that it could not connect to the cluster (I believe to do with the CNI or other settings) as it could not authenticate. In order to enable authentication, I had to:

1. Create a new profile in my ~/.aws folder that had the credentials set for this new account (I called it ssa)
2. Add the following to the above cluster create:

```go
ProviderCredentialOpts: eks.KubeconfigOptionsArgs{
	ProfileName: pulumi.String("ssa"),
},
```

Now it could connect properly/errors were gone. However, I am not quite sure I am following why this is necessary, and the docs/examples are a bit sparse. Specifically, I am a bit concerned that I have to specify a specific profile to use (one that I have to configure out of band on whatever machine is running Pulumi), which doesn't seem easily repeatable. Given Pulumi already has the AWS credentials to use to authenticate to create the cluster, why can't it use those when talking to Kubernetes proper?

billowy-army-68599
aws eks get-token to talk to the control plane.
The only options this command takes are --profile and --role. It's not ever really touched by pulumi.
You can see this here: https://github.com/pulumi/pulumi-eks/blob/c0d357bdf3f283006f8b0a6cd4bc2f1c09df34c0/nodejs/eks/cluster.ts#L182
The short version is: it's a limitation of EKS and unfortunately, there's not much we can do 😞

> Given Pulumi already has the AWS credentials to use to authenticate to create the cluster, why can't it use those when talking to Kubernetes proper?

The provider itself uses the AWS Go SDK, which is way more configurable than the kubeconfig/`aws eks get-token`
bored-table-20691
06/03/2021, 7:36 PM

billowy-army-68599

bored-table-20691
06/03/2021, 8:10 PM

billowy-army-68599
eks get-token mechanism handles the refresh too

bored-table-20691
06/03/2021, 8:15 PM
pulumi eks get-token <stackname> (just like it invokes aws eks get-token), which internally would use this pattern (i.e. get the credentials from the stack config, generate the pre-signed token and return it)

billowy-army-68599

bored-table-20691
06/03/2021, 8:30 PM

billowy-army-68599

bored-table-20691
06/03/2021, 8:38 PM