In the last blog we discussed how to access an AKS cluster programmatically. If you are more of an AWS person and would rather code against an AWS EKS cluster to gain an unprecedented level of cluster visibility, this blog tells you how it is done. Unfortunately the steps are not well curated elsewhere. Hopefully this will change as demand for Kubernetes tooling is on the rise and the documentation matures accordingly.

If you have taken the pain to find this blog, I guess it is safe to assume that you have already taken the pain to create an EKS cluster and have access to it via kubectl as well. This is how AWS has modeled access to an EKS cluster: when you connect to the cluster, the AWS tooling creates a token with an expiration time (about 20 minutes, if my memory is right). The token has two sections, "[k8s-aws-v1].[EncodedToken]". Decoding the encoded section reveals a URL that looks like "https://sts.us-east-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=###".

This is in fact a presigned call to the AWS STS GetCallerIdentity API. The request is signed with Signature Version 4 and carries an additional HTTP header, "x-k8s-aws-id", whose value is the EKS cluster name.

Our goal is to make our code replicate the above behavior, so that the limitation of token expiration no longer matters and access to the cluster is seamless. We will use AWS static credentials to build a client that calls the AWS STS API. Your AWS static credentials can be obtained from your AWS account:

URL: https://console.aws.amazon.com/iam/home?#/security_credentials

Path: AWS IAM Credentials > Access keys for CLI, SDK, & API access > Create Access Key.

Add the following dependencies to your pom.xml to get the EKS official Kubernetes Java client (version 1):

Dependencies for EKS official Kubernetes Java client (Version : 1)

The method below gives a comprehensive overview of how to create a token programmatically using the AWS static credentials. The subsequent section explains the step-by-step process performed in this code.


Initially we create the appropriate STS request URL, which is what gets encoded into the token.

Request Creation

Next we create a credentials object from the AWS static credentials (aws_access_key_id and aws_secret_access_key).

Creating Static Credentials Provider

Now create the STS client using the credentials object from the previous step, presign the URL, and Base64-encode the result. You now have the token.

Token Creation
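The three steps above, put together with the AWS SDK for Java v2, as an added example that is not the post's own code (the post shows its code as images). It assumes the SDK v2 Aws4Signer presign path, the us-east-2 STS endpoint format quoted earlier, and the made-up class and method names EksTokenFactory and createToken.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;

import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.signer.Aws4Signer;
import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.regions.Region;

public class EksTokenFactory {

    private static final String TOKEN_PREFIX = "k8s-aws-v1.";

    /** Builds a k8s-aws-v1 bearer token: a presigned STS GetCallerIdentity URL, base64url-encoded. */
    public static String createToken(String clusterName, Region region,
                                     String accessKeyId, String secretAccessKey) {
        // Step 1 (Request Creation): the GetCallerIdentity call that ends up inside the token.
        SdkHttpFullRequest request = SdkHttpFullRequest.builder()
                .method(SdkHttpMethod.GET)
                .uri(URI.create("https://sts." + region.id() + ".amazonaws.com/"))
                .appendRawQueryParameter("Action", "GetCallerIdentity")
                .appendRawQueryParameter("Version", "2011-06-15")
                // The cluster name is a signed header, so a token minted for one cluster
                // cannot be replayed against another.
                .putHeader("x-k8s-aws-id", clusterName)
                .build();

        // Step 2 (Creating Static Credentials Provider): the IAM access key pair from the console.
        AwsBasicCredentials credentials = AwsBasicCredentials.create(accessKeyId, secretAccessKey);

        // Step 3 (Token Creation): SigV4-presign for the "sts" service with a short expiry,
        // then base64url-encode the whole presigned URL (no padding) and add the version prefix.
        Aws4PresignerParams params = Aws4PresignerParams.builder()
                .awsCredentials(credentials)
                .signingName("sts")
                .signingRegion(region)
                .expirationTime(Instant.now().plus(60, ChronoUnit.SECONDS))
                .build();
        SdkHttpFullRequest presigned = Aws4Signer.create().presign(request, params);

        String url = presigned.getUri().toString();
        return TOKEN_PREFIX + Base64.getUrlEncoder().withoutPadding()
                .encodeToString(url.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the signature itself expires, call createToken again (or wrap it in a provider) rather than caching one token for the life of the process; long-lived static keys should be replaced by a credentials provider chain wherever the code runs in AWS.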

Now that you have created a token successfully, you can easily create a client to access the EKS cluster, either using the official Kubernetes Java client SDK:

ApiClient apiClient = Config.fromToken("your-cluster-url", token);

or another Kubernetes client SDK such as fabric8.io:

Create EKS client with fabric8.io

