Hello, this is my code below. I'm basically trying to assume a role into different AWS accounts and get the list of clusters using an AWS CLI command, later update kubeconfig based on the cluster name selected and get the JWT token and kube CA cert, but I'm unable to retrieve those values. Any help would be appreciated.
#!/bin/bash
# Make a failing aws call propagate through "aws ... | jq ..." pipelines,
# otherwise $? only reflects jq and the error checks below never fire
set -o pipefail

# Set AWS region
AWS_REGION="us-east-1"
INPUT_FILE="inputfile"

# Function to assume role and get temporary credentials
assume_role() {
    local account_id=$1
    local account_name=$2
    local role_arn="arn:aws:iam::${account_id}:role/support-admin"
    local session_name="${account_id}"
    local credentials
    echo "Assuming role for account: ${account_name} (${account_id})"
    # Assume role and get temporary credentials
    if ! credentials=$(aws sts assume-role --role-arn "${role_arn}" --role-session-name "${session_name}"); then
        echo "Cannot assume role for account: ${account_id} (${account_name})"
        echo "--------------------------------------------------------------------"
        return 1
    fi
    export AWS_ACCESS_KEY_ID=$(echo "${credentials}" | jq -r '.Credentials.AccessKeyId')
    export AWS_SECRET_ACCESS_KEY=$(echo "${credentials}" | jq -r '.Credentials.SecretAccessKey')
    export AWS_SESSION_TOKEN=$(echo "${credentials}" | jq -r '.Credentials.SessionToken')
    list_eks_clusters "${account_name}"
    echo "--------------------------------------------------------------------"
}

# Function to list EKS clusters
list_eks_clusters() {
    local account_name=$1
    local clusters cluster
    echo "Listing EKS clusters for account: ${account_name}"
    if ! clusters=$(aws eks list-clusters --region "${AWS_REGION}" | jq -r '.clusters[]'); then
        echo "Error listing EKS clusters for account: ${account_name}"
        return 1
    fi
    for cluster in ${clusters}; do
        echo "Cluster: ${cluster}"
        describe_cluster "${cluster}"
    done
}

# Function to describe EKS cluster, update kubeconfig, and get CA certificate
describe_cluster() {
    local cluster_name=$1
    local cluster_info cluster_endpoint cluster_arn token kube_ca_cert
    echo "Describing cluster: ${cluster_name}"
    if ! cluster_info=$(aws eks describe-cluster --name "${cluster_name}" --region "${AWS_REGION}"); then
        echo "Error describing cluster: ${cluster_name}"
        return 1
    fi
    cluster_endpoint=$(echo "${cluster_info}" | jq -r '.cluster.endpoint')
    # update-kubeconfig names both the context and the user entry after the
    # cluster ARN, so take it from the API instead of rebuilding it by hand
    cluster_arn=$(echo "${cluster_info}" | jq -r '.cluster.arn')
    echo "Cluster ${cluster_name} endpoint: ${cluster_endpoint}"
    # Update kubeconfig for the cluster and write to custom location
    CUSTOM_KUBECONFIG="kubeconfig"
    aws eks --region "${AWS_REGION}" update-kubeconfig --name "${cluster_name}" --kubeconfig "${CUSTOM_KUBECONFIG}"
    export KUBECONFIG="${CUSTOM_KUBECONFIG}"
    kubectl config view --kubeconfig="${KUBECONFIG}"
    # Get the authentication token for the cluster. It is minted with the
    # assumed role's credentials; the cluster must grant that role access
    # (aws-auth ConfigMap or EKS access entry) or kubectl reports Unauthorized
    token=$(aws eks get-token --cluster-name "${cluster_name}" --region "${AWS_REGION}" | jq -r '.status.token')
    echo "Token: ${token}"
    kubectl config set-credentials "${cluster_arn}" --token="${token}"
    # Ensure the kubeconfig context is set correctly
    kubectl config use-context "${cluster_arn}"
    # Get all namespaces from the cluster using the token - works this here
    kubectl --kubeconfig="${KUBECONFIG}" get namespaces
    # Get the CA certificate of the selected cluster straight from the
    # describe-cluster output (base64-encoded PEM in
    # .cluster.certificateAuthority.data) rather than from a ca.crt key in a
    # service-account secret, which is not tied to the cluster being selected
    kube_ca_cert=$(echo "${cluster_info}" | jq -r '.cluster.certificateAuthority.data' | base64 --decode)
    echo "KUBE_CA_CERT: ${kube_ca_cert}"
    echo "--------------------------------------------------------------------"
}

# Read accounts from input file and assume role for each account
if [ ! -f "${INPUT_FILE}" ]; then
    echo "Input file not found: ${INPUT_FILE}"
    exit 1
fi
# Each account runs in a subshell so the exported temporary credentials do not
# leak into the next iteration: otherwise the second assume-role call would be
# made with the first account's session credentials instead of the base identity.
# The input file is read on fd 3 so no child command can consume it from stdin.
while IFS=, read -r account_id account_name <&3; do
    ( assume_role "${account_id}" "${account_name}" )
done 3< "${INPUT_FILE}"
Error:
Switched to context "arn:aws:eks:us-east-1:***:cluster/eks7--".
E0213 16:15:03.105457 57722 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E0213 16:15:03.188119 57722 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E0213 16:15:03.290776 57722 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
error: You must be logged in to the server (Unauthorized)
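An added diagnostic helper (not part of the question or the asker's script) for the Unauthorized error above. The value returned by `aws eks get-token` is not a JWT: it is the prefix `k8s-aws-v1.` followed by the base64url-encoded presigned STS GetCallerIdentity URL, and the `X-Amz-Credential` parameter of that URL shows which access key the token was minted with. Decoding a token you already hold lets you confirm it carries the assumed role's temporary key (`ASIA...`) rather than the base account's key, which is the first thing to check when the cluster rejects it. The sample URL and token below are constructed, with a placeholder access key and signature.

```shell
#!/bin/bash

# Decode an EKS v1 token back into the presigned STS URL it wraps.
decode_eks_token() {
    local token=$1 body
    case "${token}" in
        k8s-aws-v1.*) ;;
        *) echo "not an EKS v1 token" >&2; return 1 ;;
    esac
    body=${token#k8s-aws-v1.}
    # base64url -> standard base64: swap alphabet, then restore the '=' padding
    body=$(printf '%s' "${body}" | tr '_-' '/+')
    while [ $(( ${#body} % 4 )) -ne 0 ]; do body="${body}="; done
    printf '%s' "${body}" | base64 -d
}

# Access key id from X-Amz-Credential (the part before the first '/' or '%2F').
eks_token_access_key() {
    decode_eks_token "$1" | sed -n 's/.*X-Amz-Credential=\([^%&/]*\).*/\1/p'
}

# Succeeds when the token was minted with temporary (STS) credentials, i.e. the
# key id starts with ASIA, as it should after a successful assume-role.
eks_token_is_temporary() {
    case "$(eks_token_access_key "$1")" in
        ASIA*) return 0 ;;
        *) return 1 ;;
    esac
}

# Mirror of what get-token does, used only to build the constructed sample below
# (real tokens always come from `aws eks get-token`).
encode_eks_token() {
    printf 'k8s-aws-v1.%s' "$(printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-')"
}

# Constructed sample: placeholder key id and signature, shape matches a real presigned URL
SAMPLE_URL='https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAEXAMPLEKEY000001%2F20250213%2Fus-east-1%2Fsts%2Faws4_request&X-Amz-Date=20250213T161503Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=constructedsignature'
SAMPLE_TOKEN=$(encode_eks_token "${SAMPLE_URL}")
```

On a real token, `eks_token_access_key "$(aws eks get-token --cluster-name NAME | jq -r .status.token)"` should print the `ASIA` key id returned by `assume-role`; if it prints the base identity's key, the token was minted before the exported credentials took effect.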
Source: amazon web services - how to get cluster certificate authority and JWT token after assuming different aws account - Stack Overfl (http://www.betaflare.com/web/1741505569a2382300.html)