fix: check credential expiration timestamp when generating tokens

What this PR does / why we need it: There are two expirations which must be considered when using a signed EKS token: * 15 minutes after the point in time when the AWS STS request has been signed * The underlying AWS credentials can expire at which point the token won't be accepted The second case is particularly common when making frequent requests while using AssumeRole or AssumeRoleWithWebRequest as mentioned in kubernetes-sigs#590 as the default session timeout is 1 hour. This PR adds an additional check fetching the AWS credential expiration and using that as the returned expiration if it is before the 15 minute token expiration. Which issue(s) this PR fixes Fixes kubernetes-sigs#590
alvaroaleman · Aug 6, 2024 · 1c827d0 · 1c827d0
1 parent 2596d17
commit 1c827d0
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/pkg/token/token.go b/pkg/token/token.go
@@ -338,6 +338,11 @@ func (g generator) GetWithSTS(clusterID string, stsAPI stsiface.STSAPI) (Token,
 	request, _ := stsAPI.GetCallerIdentityRequest(&sts.GetCallerIdentityInput{})
 	request.HTTPRequest.Header.Add(clusterIDHeader, clusterID)
 
+	// Fetch the timestamp when the credentials we're going to use for signing will not be valid anymore
+	// This operation is potentially racey, but the worst case is that we expire a token early
+	// Not all credential providers support this, so we ignore any returned errors
+	credentialsExpiration, _ := request.Config.Credentials.ExpiresAt()
+
 	// Sign the request.  The expires parameter (sets the x-amz-expires header) is
 	// currently ignored by STS, and the token expires 15 minutes after the x-amz-date
 	// timestamp regardless.  We set it to 60 seconds for backwards compatibility (the
@@ -351,6 +356,9 @@ func (g generator) GetWithSTS(clusterID string, stsAPI stsiface.STSAPI) (Token,
 
 	// Set token expiration to 1 minute before the presigned URL expires for some cushion
 	tokenExpiration := time.Now().Local().Add(presignedURLExpiration - 1*time.Minute)
+	if !credentialsExpiration.IsZero() && credentialsExpiration.Before(tokenExpiration) {
+		tokenExpiration = credentialsExpiration
+	}
 	// TODO: this may need to be a constant-time base64 encoding
 	return Token{v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(presignedURLString)), tokenExpiration}, nil
 }