Fix generating presigned URL for K8s authentication

With `aws-sdk-go-v2@1.24.1`, API server requests containing URLs presigned by `sts.PresignClient` fail with an `Unauthorized` error. `aws-sdk-go-v2@1.24.1` adds an extra header `amz-sdk-request` to the generated request, but this header is not allow-listed by `aws-iam-authenticator` server running on the control plane. This is likely due to [this change](aws/aws-sdk-go-v2#2438) which reorders the middleware operations to execute `RetryMetricsHeader` before `Signing`. This changelist removes the `RetryMetricsHeader` middleware from the stack when constructing `sts.PresignClient`.
cPu1 · Jan 19, 2024 · 6094031 · 6094031
1 parent c74edb2
commit 6094031
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/pkg/eks/auth/generator.go b/pkg/eks/auth/generator.go
@@ -6,7 +6,10 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws/retry"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+
+	"github.com/aws/smithy-go/middleware"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
@@ -68,5 +71,9 @@ func (g Generator) appendPresignHeaderValuesFunc(clusterID string) func(stsOptio
 		stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue(clusterIDHeader, clusterID))
 		// Add X-Amz-Expires query param
 		stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue("X-Amz-Expires", "60"))
+		stsOptions.APIOptions = append(stsOptions.APIOptions, func(stack *middleware.Stack) error {
+			_, err := stack.Finalize.Remove((&retry.MetricsHeader{}).ID())
+			return err
+		})
 	}
 }