Fix generating presigned URL for K8s authentication

cpu1 · idanshoham · commit 087503752eb2 · 2024-06-02T12:42:15.000+03:00
With `aws-sdk-go-v2@1.24.1`, API server requests containing URLs presigned by `sts.PresignClient` fail with an `Unauthorized` error. `aws-sdk-go-v2@1.24.1` adds an extra header `amz-sdk-request` to the generated request, but this header is not allow-listed by `aws-iam-authenticator` server running on the control plane. This is likely due to [this change](aws/aws-sdk-go-v2#2438) which reorders the middleware operations to execute `RetryMetricsHeader` before `Signing`. This changelist removes the `RetryMetricsHeader` middleware from the stack when constructing `sts.PresignClient`.
diff --git a/pkg/eks/auth/generator.go b/pkg/eks/auth/generator.go
@@ -6,7 +6,10 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws/retry"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+
+	"github.com/aws/smithy-go/middleware"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
@@ -64,9 +67,15 @@ func (g Generator) GetWithSTS(ctx context.Context, clusterID string) (Token, err
 
 func (g Generator) appendPresignHeaderValuesFunc(clusterID string) func(stsOptions *sts.Options) {
 	return func(stsOptions *sts.Options) {
-		// Add clusterId Header
-		stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue(clusterIDHeader, clusterID))
-		// Add X-Amz-Expires query param
-		stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue("X-Amz-Expires", "60"))
+		stsOptions.APIOptions = append(stsOptions.APIOptions,
+			// Add clusterId Header.
+			smithyhttp.SetHeaderValue(clusterIDHeader, clusterID),
+			// Add X-Amz-Expires query param.
+			smithyhttp.SetHeaderValue("X-Amz-Expires", "60"),
+			// Remove any extraneous headers: https://github.com/eksctl-io/eksctl/issues/7486.
+			func(stack *middleware.Stack) error {
+				_, err := stack.Finalize.Remove((&retry.MetricsHeader{}).ID())
+				return err
+			})
 	}
 }
