使用 AWS Java SDK v2 从 AWS EKS 获取身份验证令牌
·
回答问题
如何使用 AWS Java SDK v2 从 AWS EKS 获取 Kubernetes 身份验证令牌?一个身份验证令牌,然后可用于使用 Kubernetes SDK 对 Kubernetes 进行身份验证。换句话说,我想从 EKS 获取一个身份验证令牌以用于 Kubernetes 身份验证,这样我就不必创建“kube config”。
我实际上得到了一个使用 AWS Java SDK v1(不是 v2)的解决方案,查看以下开放问题中的代码示例。这里还有一个 Python 代码示例但我在使用 AWS Java SDK v2 时没有任何成功。我尝试使用 AWS Java SDK v2:
public static String getAuthenticationToken(AwsCredentialsProvider awsAuth, Region awsRegion, String clusterName) {
try {
SdkHttpFullRequest requestToSign = SdkHttpFullRequest
.builder()
.method(SdkHttpMethod.GET)
.uri(new URI("https", String.format("sts.%s.amazonaws.com", awsRegion.id()), null, null))
.appendHeader("x-k8s-aws-id", clusterName)
.appendRawQueryParameter("Action", "GetCallerIdentity")
.appendRawQueryParameter("Version", "2011-06-15")
.build();
ZonedDateTime expirationDate = DateUtil.addSeconds(DateUtil.now(), 60);
Aws4PresignerParams presignerParams = Aws4PresignerParams.builder()
.awsCredentials(awsAuth.resolveCredentials())
.expirationTime(expirationDate.toInstant())
.signingName("sts")
.signingRegion(awsRegion)
.build();
SdkHttpFullRequest signedRequest = Aws4Signer.create().presign(requestToSign, presignerParams);
String encodedUrl = Base64.getUrlEncoder().withoutPadding().encodeToString(signedRequest.getUri().toString().getBytes(CharSet.UTF_8.getCharset()));
return ("k8s-aws-v1." + encodedUrl);
} catch (Exception e) {
String errorMessage = "A problem occurred generating an Eks token";
logger.error(errorMessage, e);
throw new RuntimeException(errorMessage, e);
}
}
它生成一个令牌,但是当我在我的 Kubernetes 客户端(官方 Java Kubernetes SDK)中使用该令牌时,我得到了一个“未经授权”的响应——所以我错过了一些我无法理解的东西......
AWS Java SDK v1 版本看起来是这样的:(来自前面提到的open issue)
我得到了它的工作,但我正在努力获得类似于在 AWS Java SDK v2 中工作的东西。
private String generateToken(String clusterName,
Date expirationDate,
String serviceName,
String region,
AWSSecurityTokenServiceClient awsSecurityTokenServiceClient,
AWSCredentialsProvider credentialsProvider,
String scheme,
String host) throws URISyntaxException {
try {
DefaultRequest<GetCallerIdentityRequest> callerIdentityRequestDefaultRequest = new DefaultRequest<>(new GetCallerIdentityRequest(), serviceName);
URI uri = new URI(scheme, host, null, null);
callerIdentityRequestDefaultRequest.setResourcePath("/");
callerIdentityRequestDefaultRequest.setEndpoint(uri);
callerIdentityRequestDefaultRequest.setHttpMethod(HttpMethodName.GET);
callerIdentityRequestDefaultRequest.addParameter("Action", "GetCallerIdentity");
callerIdentityRequestDefaultRequest.addParameter("Version", "2011-06-15");
callerIdentityRequestDefaultRequest.addHeader("x-k8s-aws-id", clusterName);
Signer signer = SignerFactory.createSigner(SignerFactory.VERSION_FOUR_SIGNER, new SignerParams(serviceName, region));
SignerProvider signerProvider = new DefaultSignerProvider(awsSecurityTokenServiceClient, signer);
PresignerParams presignerParams = new PresignerParams(uri,
credentialsProvider,
signerProvider,
SdkClock.STANDARD);
PresignerFacade presignerFacade = new PresignerFacade(presignerParams);
URL url = presignerFacade.presign(callerIdentityRequestDefaultRequest, expirationDate);
String encodedUrl = Base64.getUrlEncoder().withoutPadding().encodeToString(url.toString().getBytes());
log.info("Token [{}]", encodedUrl);
return "k8s-aws-v1." + encodedUrl;
} catch (URISyntaxException e) {
log.error("could not generate token", e);
throw e;
}
}
Answers
好的,我终于让它工作了。
AWS Java SDK v2 版本:
public static String getAuthenticationToken(AwsCredentialsProvider awsAuth, Region awsRegion, String clusterName) {
try {
SdkHttpFullRequest requestToSign = SdkHttpFullRequest
.builder()
.method(SdkHttpMethod.GET)
.uri(StsUtil.getStsRegionalEndpointUri(awsRegion))
.appendHeader("x-k8s-aws-id", clusterName)
.appendRawQueryParameter("Action", "GetCallerIdentity")
.appendRawQueryParameter("Version", "2011-06-15")
.build();
ZonedDateTime expirationDate = DateUtil.addSeconds(DateUtil.now(), 60);
Aws4PresignerParams presignerParams = Aws4PresignerParams.builder()
.awsCredentials(awsAuth.resolveCredentials())
.signingRegion(awsRegion)
.signingName("sts")
.signingClockOverride(Clock.systemUTC())
.expirationTime(expirationDate.toInstant())
.build();
SdkHttpFullRequest signedRequest = Aws4Signer.create().presign(requestToSign, presignerParams);
String encodedUrl = Base64.getUrlEncoder().withoutPadding().encodeToString(signedRequest.getUri().toString().getBytes(CharSet.UTF_8.getCharset()));
return ("k8s-aws-v1." + encodedUrl);
} catch (Exception e) {
String errorMessage = "A problem occurred generating an Eks authentication token for cluster: " + clusterName;
logger.error(errorMessage, e);
throw new RuntimeException(errorMessage, e);
}
}
问题出在我的 STS 端点 Uri 中:
public static URI getStsRegionalEndpointUri(Region awsRegion) {
try {
return new URI("https", String.format("sts.%s.amazonaws.com", awsRegion.id()), "/", null);
} catch (URISyntaxException shouldNotHappen) {
String errorMessage = "An error occurred creating the STS regional endpoint Uri";
logger.error(errorMessage, shouldNotHappen);
throw new RuntimeException(errorMessage, shouldNotHappen);
}
}
请注意URI对象的path(第三个)参数中的/。 AWS Java SDK v1 版本没有像那样创建 URI,而是在其他地方指定了/。如果我现在将URI作为字符串打印出来,我会得到https://sts.eu-west-1.amazonaws.com/,而问题中的原始版本刚刚返回https://sts.eu-west-1.amazonaws.com
有趣的是——原始版本确实也生成了一个令牌,但是这个令牌被 Kubernetes 拒绝了。如果到期日期太远,人们应该会期待类似的行为——你会得到一个令牌,但这会导致来自 Kubernetes 服务的Unauthorized响应。
更改 STS 端点后,一切正常,但我又做了一项更改:
我在我的Aws4PresignerParams中添加了以下行:
.signingClockOverride(Clock.systemUTC())
这不是必需的,但是原始的 AWS Java SDK v1 在指定SdkClock.STANDARD时确实使用了时钟,而我在 AWS Java SDK v2 版本中使用的ZonedDateTime确实使用了 UTC 时区。
K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容
更多推荐
0
0- 0
已为社区贡献20439条内容
所有评论(0)