
Invalid k8s service account token #232

Open
fhalde opened this issue Jul 26, 2024 · 5 comments
Comments

fhalde commented Jul 26, 2024

What happened:
The file /var/run/secrets/eks.amazonaws.com/serviceaccount/token contained a malformed token of the form

<token> 11:11:49.782386   40364 v3.go:79] EOF

What you expected to happen:
The token should not have been malformed

How to reproduce it (as minimally and precisely as possible):
Not reproducible

Anything else we need to know?:
Since the token was malformed, and since we use EKS IRSA, the AWS STS call was failing

Environment: EKS

  • AWS Region: sa-east-1
  • EKS Platform version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.7
  • Kubernetes version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.version): 1.29
  • Webhook Version: unsure
fhalde commented Jul 31, 2024

hi, could someone be able to help here?

ccx0lw commented Aug 1, 2024

I had the same problem.

Use the pod

AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token

Token requests STS to report the following error

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>Incorrect token audience</Message>
  </Error>
  <RequestId>b214072d-5c22-46e6-a6bd-b6a28c08a7f2</RequestId>
</ErrorResponse>

fhalde commented Aug 1, 2024

@ccx0lw did you check the contents of /var/run/secrets/eks.amazonaws.com/serviceaccount/token ?
was the file decodable using jwt decode "$(cat /var/run/secrets/eks.amazonaws.com/serviceaccount/token)" --json ?

ccx0lw commented Aug 1, 2024

@ccx0lw did you check the contents of /var/run/secrets/eks.amazonaws.com/serviceaccount/token ? was the file decodable using jwt decode "$(cat /var/run/secrets/eks.amazonaws.com/serviceaccount/token)" --json ?

It's all right now.

I checked the IAM as described in the documentation here.
https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html


It turns out to be the OIDC Audience, with no sts.amazonaws.com
It
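Added example, not code from the issue or the webhook project: a Python sanity check for the projected token file that flags both failure modes seen in this thread, a stray log line glued onto the token and an aud claim that does not include sts.amazonaws.com. It only decodes the claims and does not verify the signature; _make_unsigned_token and the sample claims are constructed for illustration.

```python
import base64
import json
import time

EXPECTED_AUD = "sts.amazonaws.com"  # audience EKS IRSA requires for STS
TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token_file(contents: str, expected_aud: str = EXPECTED_AUD, now=None):
    """Return (ok, reason, claims). Structural check only: the signature is NOT
    verified, so this tells you whether STS could accept the token, not that it will."""
    now = time.time() if now is None else now
    stripped = contents.strip()
    if not stripped:
        return False, "empty token file", None
    # The issue showed a klog line appended to the token; whitespace inside the
    # body means the file holds more than a single JWT.
    if any(c.isspace() for c in stripped):
        return False, "token file contains extra data after the JWT", None
    parts = stripped.split(".")
    if len(parts) != 3:
        return False, f"expected 3 JWT segments, found {len(parts)}", None
    try:
        json.loads(_b64url_decode(parts[0]))          # header must be JSON
        claims = json.loads(_b64url_decode(parts[1]))  # payload carries aud/exp
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, f"undecodable JWT segment: {exc}", None
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else (aud or [])
    if expected_aud not in auds:
        return False, f"audience {auds} does not include {expected_aud}", claims
    exp = claims.get("exp")
    if exp is None or exp <= now:
        return False, "token missing exp or already expired", claims
    return True, "ok", claims


def _make_unsigned_token(claims: dict) -> str:
    # Constructed test token (hypothetical helper): header + claims + dummy signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    with open(TOKEN_PATH) as fh:
        print(inspect_token_file(fh.read())[:2])
```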

ccx0lw commented Aug 1, 2024

@ccx0lw did you check the contents of /var/run/secrets/eks.amazonaws.com/serviceaccount/token ? was the file decodable using jwt decode "$(cat /var/run/secrets/eks.amazonaws.com/serviceaccount/token)" --json ?

thank you
