AWS EKS nodegroup creation not working when only metadata version 2 is allowed: could not get token

Bug #1925487 reported by Thomas Bechtold
This bug affects 1 person
Affects: cloud-images
Status: Fix Released
Importance: Undecided
Assigned to: Thomas Bechtold
Milestone: (none listed)

Bug Description

Using the latest Ubuntu 1.19 image (ami-0ee92b42884f517b8 from eu-central-1, Serial 20210419).
Steps to reproduce:

1) follow https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html to set up a cluster
2) follow https://ubuntu.com/blog/ubuntu-eks-platform-images-for-k8s-1-19 to set up a nodegroup
3) while setting up the launch template in 2), select
   - Metadata accessible: Enabled
   - Metadata version: v2 (token required)
   - Metadata hop limit: 1

The nodegroup creation will fail with that. The reason is the client authentication method we use:

# /usr/bin/heptio-authenticator-aws token -i eks-t3
could not get token: NoCredentialProviders: no valid providers in chain. Deprecated.

You can verify that this is the reason with:

$ aws ec2 modify-instance-metadata-options --instance-id $instance --http-tokens optional

and then in the instance, "heptio-authenticator-aws token -i eks-t3" delivers a token.
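
Added example, not part of the original bug report: a shell diagnostic to run on the node that checks whether the metadata service rejects token-less (IMDSv1) requests while still answering token-based (IMDSv2) ones, which is the condition described above. The function names and the IMDS override variable are assumptions made for this example.

```bash
#!/bin/sh
# Added diagnostic, not from the bug report. Run it on the EC2 node itself.
# IMDS is an override variable invented for this example (handy for testing).
IMDS="${IMDS:-http://169.254.169.254}"
CREDS_PATH="/latest/meta-data/iam/security-credentials/"

# HTTP status of a token-less (IMDSv1-style) request; curl prints 000 on no answer.
imds_v1_status() {
  curl -s -o /dev/null -m 2 -w '%{http_code}' "$IMDS$CREDS_PATH"
}

# Request an IMDSv2 session token (PUT plus TTL header); prints nothing on failure.
imds_v2_token() {
  curl -s -m 2 -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' \
    "$IMDS/latest/api/token"
}

# HTTP status of the same request when it carries the session token in $1.
imds_v2_status() {
  curl -s -o /dev/null -m 2 -w '%{http_code}' \
    -H "X-aws-ec2-metadata-token: $1" "$IMDS$CREDS_PATH"
}

# classify V1_STATUS V2_STATUS -> one-word verdict
#   v2-required    token-less requests get 401; a client that only speaks
#                  IMDSv1 finds no credentials, as in the report
#   v1-and-v2      http-tokens is "optional"; both styles work
#   v2-unreachable no token or no answer (for example the PUT response was
#                  dropped by the hop limit, or metadata is disabled)
classify() {
  case "$1:$2" in
    401:200) echo v2-required ;;
    200:200) echo v1-and-v2 ;;
    *:000|*:) echo v2-unreachable ;;
    *) echo unknown ;;
  esac
}

# Run both probes and print the verdict.
probe() {
  v1=$(imds_v1_status)
  token=$(imds_v2_token)
  if [ -n "$token" ]; then v2=$(imds_v2_status "$token"); else v2=000; fi
  classify "$v1" "$v2"
}
```

Source the file and call `probe` on the node; a `v2-required` verdict alongside the "could not get token" error means the client needs IMDSv2 support rather than the instance needing `--http-tokens optional`.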

Changed in cloud-images:
status: New → In Progress
assignee: nobody → Thomas Bechtold (toabctl)
summary: - AWS EKS nodegroup not working when only metadata verions 2 is allowed
+ AWS EKS nodegroup not working when only metadata version 2 is allowed
summary: - AWS EKS nodegroup not working when only metadata version 2 is allowed
+ AWS EKS nodegroup not working when only metadata version 2 is allowed:
+ could not get token
summary: - AWS EKS nodegroup not working when only metadata version 2 is allowed:
- could not get token
+ AWS EKS nodegroup creation not working when only metadata version 2 is
+ allowed: could not get token
Changed in cloud-images:
status: In Progress → Fix Released