Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EKS: Kubectl Lambda Function Doesn't Support Regional STS Endpoints #30496

Closed
hakenmt opened this issue Jun 9, 2024 · 7 comments · Fixed by #30580
Closed

EKS: Kubectl Lambda Function Doesn't Support Regional STS Endpoints #30496

hakenmt opened this issue Jun 9, 2024 · 7 comments · Fixed by #30580
Assignees
@pahud
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@hakenmt
Copy link

hakenmt commented Jun 9, 2024

Describe the bug

When deploying a private EKS cluster using an STS VPC endpoint, the Kubetctl function access to STS fails because it attempts to use the global endpoint. This is either from using a V1 SDK, the endpoint is explicitly set, or the environment variable is set

Expected Behavior

All SDKs and functions not under user control should default to using regional STS endpoints.

Current Behavior

The function uses the global endpoint.

Reproduction Steps

Deploy a private EKS cluster with an STS VPC endpoint.

Possible Solution

Set the environment variable in the Lambda function definition. This is my current workaround:

        FixUpLambdaFunctions("@aws-cdk--aws-eks.KubectlProvider");

        private void FixUpLambdaFunctions(string name)
        {
            IConstruct resourceProviderNestedStack = this.Node.TryFindChild(name);

            if (resourceProviderNestedStack != null)
            {
                NestedStack nestedStack = resourceProviderNestedStack as NestedStack;

                if (nestedStack != null)
                {
                    Function lambda = nestedStack.Node.TryFindChild("Handler") as Function;

                    if (lambda != null)
                    {
                        lambda.AddEnvironment("AWS_STS_REGIONAL_ENDPOINTS", "regional");
                    }

                    IConstruct provider = nestedStack.Node.TryFindChild("Provider");
                    Function onEvent = provider.Node.TryFindChild("framework-onEvent") as Function;

                    if (onEvent != null)
                    {
                        onEvent.AddEnvironment("AWS_STS_REGIONAL_ENDPOINTS", "regional");
                    }
                }
            }
        }

Additional Information/Context

No response

CDK CLI Version

2.138.0

Framework Version

No response

Node.js Version

v20.9.0

OS

darwin

Language

.NET

Language Version

No response

Other information

No response
@hakenmt hakenmt added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 9, 2024
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Jun 9, 2024
@github-actions github-actions bot mentioned this issue Jun 10, 2024
Closed
@pahud
Copy link
Contributor

pahud commented Jun 10, 2024
edited
Loading

I saw this from the doc:

All new SDK major versions releasing after July 2022 will default to regional. New SDK major versions might remove this setting and use regional behavior. To reduce future impact regarding this change, we recommend you start using regional in your application when possible.

I think we need to find out what is the SDK version of the kubectl provider you use in the lambda. Are you able to find out that?

According to this, the runtime should be python3.10. And the SDK version for python3.10 lambda runtime and boto3 version at this moment in us-east-1 is 1.34.42, which was released in Feb 2024 and I think it should include that already? My questions:

  1. which region are you deploying to?
  2. can you verify your kubectl lambda provider is using python3.10 runtime?

Thanks.

@pahud pahud added p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 10, 2024
@hakenmt
Copy link
Author

hakenmt commented Jun 10, 2024

1/Deploying in us-east-1.
2/Yes, the function provided in the construct is using python3.10 as the runtime.

My understanding is that all new MAJOR versions should be defaulting to using regional endpoints per the documentation, but I'm not sure how that's interpreted for boto3 since it's still v1.x.x.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 10, 2024
@pahud
Copy link
Contributor

pahud commented Jun 18, 2024

Have discussed with @tim-finnigan about boto/botocore#2577 (comment)

Setting it to regional would still be required and recommended. I guess we should figure out how to do that from custom resource framework.

@pahud pahud added p2 and removed p3 labels Jun 18, 2024
@pahud pahud self-assigned this Jun 18, 2024
@pahud
Copy link
Contributor

pahud commented Jun 18, 2024

OK we do have this in cluster resource provider

aws-cdk/packages/aws-cdk-lib/aws-eks/lib/cluster-resource-provider.ts

Lines 69 to 71 in b196b13

environment: {
AWS_STS_REGIONAL_ENDPOINTS: 'regional',
...props.environment,

But not added here
https://github.com/aws/aws-cdk/blob/b196b13b0b8a54dcacadf87fdbe744772a6e6c4d/packages/aws-cdk-lib/aws-eks/lib/kubectl-provider.ts#L139C28-L139C46

I'll submit a PR for that.

@pahud pahud mentioned this issue Jun 18, 2024
Merged
1 task
@mergify mergify bot closed this as completed in #30580 Jun 19, 2024
@mergify mergify bot closed this as completed in 34ba86f Jun 19, 2024
@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

1 similar comment
@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

sarangarav pushed a commit to sarangarav/aws-cdk that referenced this issue Jun 21, 2024
@pahud
chore(eks): set AWS_STS_REGIONAL_ENDPOINTS to regional for KubectlFun…
e84e4dc 
…ction (aws#30580)

### Issue # (if applicable)

Per boto/botocore#2577 (comment) setting this to `regional` is still required and recommended for boto3.

Closes aws#30496


### Reason for this change



### Description of changes



### Description of how you validated changes

Added a new unit test and verified with debugger.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

### Debugger

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Jest",
      "program": "${workspaceFolder}/node_modules/jest/bin/jest.js",
      "cwd": "${workspaceFolder}/packages/aws-cdk-lib",
      "args": [
        "--verbose",
        "-i",
        "--no-cache",
        "test/kubectl-provider.test.ts",
      ],
      "console": "integratedTerminal",
      "internalConsoleOptions": "neverOpen",
      "skipFiles": [
        "<node_internals>/**"
      ],
      "outFiles": [
        "${workspaceFolder}/**/*.(m|c|)js",
        "!**/node_modules/**"
      ],
    }
  ]
}
```
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mazyu36 pushed a commit to mazyu36/aws-cdk that referenced this issue Jun 22, 2024
@pahud @mazyu36
chore(eks): set AWS_STS_REGIONAL_ENDPOINTS to regional for KubectlFun…
d59d39a 
…ction (aws#30580)

### Issue # (if applicable)

Per boto/botocore#2577 (comment) setting this to `regional` is still required and recommended for boto3.

Closes aws#30496


### Reason for this change



### Description of changes



### Description of how you validated changes

Added a new unit test and verified with debugger.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

### Debugger

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Jest",
      "program": "${workspaceFolder}/node_modules/jest/bin/jest.js",
      "cwd": "${workspaceFolder}/packages/aws-cdk-lib",
      "args": [
        "--verbose",
        "-i",
        "--no-cache",
        "test/kubectl-provider.test.ts",
      ],
      "console": "integratedTerminal",
      "internalConsoleOptions": "neverOpen",
      "skipFiles": [
        "<node_internals>/**"
      ],
      "outFiles": [
        "${workspaceFolder}/**/*.(m|c|)js",
        "!**/node_modules/**"
      ],
    }
  ]
}
```
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions github-actions bot mentioned this issue Jul 1, 2024
Closed
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@pahud pahud

Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(eks): set AWS_STS_REGIONAL_ENDPOINTS to regional for KubectlFunction pahud/aws-cdk
3 participants
@pahud @hakenmt @aws-cdk-automation