updated verification to aws sdk go v2

Author: gargipanatula

cmd/aws-iam-authenticator/root.go

@@ -20,12 +20,12 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"slices"
 	"strings"
 
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/mapper"
 
-	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -35,6 +35,16 @@ import (
 
 var cfgFile string
 
+var PartitionKeys = []string{
+	"aws",
+	"aws-cn",
+	"aws-us-gov",
+	"aws-iso",
+	"aws-iso-b",
+	"aws-iso-e",
+	"aws-iso-f",
+}
+
 var rootCmd = &cobra.Command{
 	Use:   "aws-iam-authenticator",
 	Short: "A tool to authenticate to Kubernetes using AWS IAM credentials",
@@ -157,13 +167,7 @@ func getConfig() (config.Config, error) {
 		return cfg, errors.New("cluster ID cannot be empty")
 	}
 
-	partitionKeys := []string{}
-	partitionMap := map[string]endpoints.Partition{}
-	for _, p := range endpoints.DefaultPartitions() {
-		partitionMap[p.ID()] = p
-		partitionKeys = append(partitionKeys, p.ID())
-	}
-	if _, ok := partitionMap[cfg.PartitionID]; !ok {
+	if (slices.Contains(PartitionKeys, cfg.PartitionID)) {
 		return cfg, errors.New("Invalid partition")
 	}
 

cmd/aws-iam-authenticator/server.go

@@ -29,7 +29,6 @@ import (
 	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/server"
 
-	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -67,14 +66,8 @@ var serverCmd = &cobra.Command{
 }
 
 func init() {
-	partitionKeys := []string{}
-	for _, p := range endpoints.DefaultPartitions() {
-		partitionKeys = append(partitionKeys, p.ID())
-	}
-
-	serverCmd.Flags().String("partition",
-		endpoints.AwsPartitionID,
-		fmt.Sprintf("The AWS partition. Must be one of: %v", partitionKeys))
+	serverCmd.Flags().String("partition", "aws",
+		fmt.Sprintf("The AWS partition. Must be one of: %v", PartitionKeys))
 	viper.BindPFlag("server.partition", serverCmd.Flags().Lookup("partition"))
 
 	serverCmd.Flags().String("generate-kubeconfig",

cmd/aws-iam-authenticator/verify.go

@@ -19,15 +19,17 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"os"
 
 	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 
-	"github.com/aws/aws-sdk-go/aws/ec2metadata"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
-	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -54,14 +56,17 @@ var verifyCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
-		sess := session.Must(session.NewSession())
-		ec2metadata := ec2metadata.New(sess)
-		instanceRegion, err := ec2metadata.Region()
+		ctx := context.Background()
+		instanceRegion := getInstanceRegion(ctx)
+
+		cfg, err := config.LoadDefaultConfig(ctx)
 		if err != nil {
-			fmt.Printf("[Warn] Region not found in instance metadata, err: %v", err)
+			fmt.Fprintf(os.Stderr, "unable to create sdk client configuration: %v\n", err)
+			os.Exit(1)
 		}
+		ec2Client := ec2.NewFromConfig(cfg)
 
-		id, err := token.NewVerifier(clusterID, partition, instanceRegion).Verify(tok)
+		id, err := token.NewVerifier(ctx, clusterID, partition, instanceRegion, ec2Client).Verify(tok)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "could not verify token: %v\n", err)
 			os.Exit(1)
@@ -79,6 +84,24 @@ var verifyCmd = &cobra.Command{
 	},
 }
 
+// Uses EC2 metadata to get the region. Returns "" if no region found.
+func getInstanceRegion(ctx context.Context) string {
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		fmt.Printf("[Warn] Unable to create metadata client, err: %v", err)
+		return ""
+	}
+
+	imdsClient := imds.NewFromConfig(cfg)
+	getRegionOutput, err := imdsClient.GetRegion(ctx, &imds.GetRegionInput{})
+	if err != nil {
+		fmt.Printf("[Warn] Region not found in instance metadata, err: %v\n", err)
+		return ""
+	}
+
+	return getRegionOutput.Region
+}
+
 func init() {
 	rootCmd.AddCommand(verifyCmd)
 	verifyCmd.Flags().StringP("token", "t", "", "Token to verify")

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.29.17
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.70
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32
+	github.com/aws/aws-sdk-go-v2/service/account v1.24.2
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.225.2
 	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0
 	github.com/aws/smithy-go v1.22.4
@@ -55,7 +56,6 @@ require (
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect

go.sum

@@ -14,6 +14,8 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 h1:i2vNHQiXUvKhs3quBR
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36/go.mod h1:UdyGa7Q91id/sdyHPwth+043HhmP6yP9MBHgbZM0xo8=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/account v1.24.2 h1:1ItkqDExKIDsS8NoIBq7OxQOJnQNOVjC25CYa9RzOos=
+github.com/aws/aws-sdk-go-v2/service/account v1.24.2/go.mod h1:NShtay87juyMTb3c6bHN6Bai5dUFmTX7NzURY4/Jyb0=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.225.2 h1:IfMb3Ar8xEaWjgH/zeVHYD8izwJdQgRP5mKCTDt4GNk=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.225.2/go.mod h1:35jGWx7ECvCwTsApqicFYzZ7JFEnBc6oHUuOQ3xIS54=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc=
@@ -86,8 +88,6 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -226,7 +226,6 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/ec2provider/ec2provider.go

@@ -46,6 +46,7 @@ const (
 // EC2API defines the interface for EC2 client operations
 type EC2API interface {
 	DescribeInstances(ctx context.Context, params *ec2.DescribeInstancesInput, optFns ...func(*ec2.Options)) (*ec2.DescribeInstancesOutput, error)
+	DescribeRegions(ctx context.Context, params *ec2.DescribeRegionsInput, optFns ...func(*ec2.Options)) (*ec2.DescribeRegionsOutput, error)
 }
 
 // Get a node name from instance ID

pkg/ec2provider/ec2provider_mock.go

@@ -0,0 +1,66 @@
+package ec2provider
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
+)
+
+type MockEc2Client struct {
+	Reservations []*ec2types.Reservation
+	Regions []ec2types.Region
+}
+const (
+	DescribeDelay = 100
+)
+
+func newMockedEC2ProviderImpl() *ec2ProviderImpl {
+	dnsCache := ec2PrivateDNSCache{
+		cache: make(map[string]string),
+		lock:  sync.RWMutex{},
+	}
+	ec2Requests := ec2Requests{
+		set:  make(map[string]bool),
+		lock: sync.RWMutex{},
+	}
+	return &ec2ProviderImpl{
+		ec2:                &MockEc2Client{},
+		privateDNSCache:    dnsCache,
+		ec2Requests:        ec2Requests,
+		instanceIdsChannel: make(chan string, maxChannelSize),
+	}
+
+}
+
+func (c *MockEc2Client) DescribeInstances(ctx context.Context, in *ec2.DescribeInstancesInput, opts ...func(*ec2.Options)) (*ec2.DescribeInstancesOutput, error) {
+	// simulate the time it takes for aws to return
+	time.Sleep(DescribeDelay * time.Millisecond)
+	var reservations []ec2types.Reservation
+	for _, res := range c.Reservations {
+		var reservation ec2types.Reservation
+		for _, inst := range res.Instances {
+			for _, id := range in.InstanceIds {
+				if id == aws.ToString(inst.InstanceId) {
+					reservation.Instances = append(reservation.Instances, inst)
+				}
+			}
+		}
+		if len(reservation.Instances) > 0 {
+			reservations = append(reservations, reservation)
+		}
+	}
+	return &ec2.DescribeInstancesOutput{
+		Reservations: reservations,
+	}, nil
+}
+
+func (c *MockEc2Client) DescribeRegions(ctx context.Context, params *ec2.DescribeRegionsInput, optFns ...func(*ec2.Options)) (*ec2.DescribeRegionsOutput, error) {
+	if c.Regions == nil {
+		return &ec2.DescribeRegionsOutput{}, nil
+	}
+	return &ec2.DescribeRegionsOutput{Regions: c.Regions}, nil
+}

pkg/ec2provider/ec2provider_test.go

@@ -10,66 +10,16 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/credentials"
-	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/prometheus/client_golang/prometheus"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 )
 
-const (
-	DescribeDelay = 100
-)
-
-type mockEc2Client struct {
-	EC2API
-	Reservations []*ec2types.Reservation
-}
-
-func (c *mockEc2Client) DescribeInstances(ctx context.Context, in *ec2.DescribeInstancesInput, opts ...func(*ec2.Options)) (*ec2.DescribeInstancesOutput, error) {
-	// simulate the time it takes for aws to return
-	time.Sleep(DescribeDelay * time.Millisecond)
-	var reservations []ec2types.Reservation
-	for _, res := range c.Reservations {
-		var reservation ec2types.Reservation
-		for _, inst := range res.Instances {
-			for _, id := range in.InstanceIds {
-				if id == aws.ToString(inst.InstanceId) {
-					reservation.Instances = append(reservation.Instances, inst)
-				}
-			}
-		}
-		if len(reservation.Instances) > 0 {
-			reservations = append(reservations, reservation)
-		}
-	}
-	return &ec2.DescribeInstancesOutput{
-		Reservations: reservations,
-	}, nil
-}
-
-func newMockedEC2ProviderImpl() *ec2ProviderImpl {
-	dnsCache := ec2PrivateDNSCache{
-		cache: make(map[string]string),
-		lock:  sync.RWMutex{},
-	}
-	ec2Requests := ec2Requests{
-		set:  make(map[string]bool),
-		lock: sync.RWMutex{},
-	}
-	return &ec2ProviderImpl{
-		ec2:                &mockEc2Client{},
-		privateDNSCache:    dnsCache,
-		ec2Requests:        ec2Requests,
-		instanceIdsChannel: make(chan string, maxChannelSize),
-	}
-
-}
-
 func TestGetPrivateDNSName(t *testing.T) {
 	metrics.InitMetrics(prometheus.NewRegistry())
 	ec2Provider := newMockedEC2ProviderImpl()
-	ec2Provider.ec2 = &mockEc2Client{Reservations: prepareSingleInstanceOutput()}
+	ec2Provider.ec2 = &MockEc2Client{Reservations: prepareSingleInstanceOutput()}
 	go ec2Provider.StartEc2DescribeBatchProcessing(context.TODO())
 	dns_name, err := ec2Provider.GetPrivateDNSName(context.TODO(), "ec2-1")
 	if err != nil {
@@ -102,7 +52,7 @@ func TestGetPrivateDNSNameWithBatching(t *testing.T) {
 	metrics.InitMetrics(prometheus.NewRegistry())
 	ec2Provider := newMockedEC2ProviderImpl()
 	reservations := prepare100InstanceOutput()
-	ec2Provider.ec2 = &mockEc2Client{Reservations: reservations}
+	ec2Provider.ec2 = &MockEc2Client{Reservations: reservations}
 	go ec2Provider.StartEc2DescribeBatchProcessing(context.TODO())
 	var wg sync.WaitGroup
 	for i := 1; i < 101; i++ {

pkg/server/server.go

@@ -30,6 +30,7 @@ import (
 
 	awsconfig "github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/ec2provider"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
@@ -215,9 +216,10 @@ func (c *Server) getHandler(ctx context.Context, backendMapper BackendMapper, ec
 	} else {
 		instanceRegion = instanceRegionOutput.Region
 	}
+	ec2Client := ec2.NewFromConfig(cfg)
 
 	h := &handler{
-		verifier:                  token.NewVerifier(c.ClusterID, c.PartitionID, instanceRegion),
+		verifier:                  token.NewVerifier(ctx, c.ClusterID, c.PartitionID, instanceRegion, ec2Client),
 		ec2Provider:               ec2provider.New(ctx, c.ServerEC2DescribeInstancesRoleARN, c.SourceARN, instanceRegion, ec2DescribeQps, ec2DescribeBurst),
 		clusterID:                 c.ClusterID,
 		backendMapper:             backendMapper,