switch to aws-sdk-go-v2 as v1 is going away

[dims]

Context: https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-go-v1-on-july-31-2025/
Migration guide: https://aws.github.io/aws-sdk-go-v2/docs/migrating/

Basically maintenance mode on July 31, 2024 and reach end-of-support on July 31, 2025. The SDK will not
receive API updates for new or existing services, or be updated to support new regions.

[bored-engineer]

For folks that are only using this package to generate client-side tokens (i.e. github.com/kubernetes-sigs/aws-iam-authenticator/pkg/token), I have published a small Golang package that uses the AWS v2 SDK instead: https://github.com/bored-engineer/aws-eks-auth

[dims]

cc @prateekgogia @kmala

[micahhausler]

In working on the V2 upgrade, one key difference is that the new SDK does not expose the internal list of known endpoints for a particular partition.

• Reasoning behind "internal"-izing endpoint structures aws/aws-sdk-go-v2#1026
• SSO default endpoint resolver V2 returns incorrect endpoints aws/aws-sdk-go-v2#2336

The current behavior is that the server builds up a list of known regions from SDK v1 for a given partition (specified via a server flag), and ensures that the domain of incoming pre-signed requests is one of those known endpoints. The reason we don't want to allow cross-partition STS tokens, is that AWS treats partitions (aws, aws-cn, aws-us-gov, etc) as fully isolated fault and trust domains. The tradeoff we currently make is that a new region requires an SDK update to aws-iam-authenticator. Given that we no longer can get this list of STS endpoints, I'll need to add new functionality for region discovery.

Similar to how we support multiple backend mappers for ARN to username discovery, I'll start out with region discovery in the following formats:

• SDK v1 based (deprecated)
• account:ListRegions based discovery (with some periodic cache update). This will have the tradeoff with this approach is necessitating code changes if new TLDs or URL formats are used (ex .api.aws for dualstack on aws partition, service-fips.region.tld for FIPS, etc) or new partitions are created (Infrequent, but at least one is public)
• File based input. EKS will likely use this and seed it with an internally generated list of endpoints.

We'll default to SDKv1 based behavior to preserve backward compatibility, and likely drop support around the time SDKv1 reaches end of life on July 31, 2025. At that point, we'll change the default to account:ListRegions.

Given this change can be independent of the SDK upgrade, I'll make a separate PR that will be mergable prior to an SDK upgrade.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[bryantbiggs]

/remove-lifecycle stale