{"id":7202,"library":"eks-token","title":"EKS Token","description":"eks-token is a Python library that provides an alternative to the `aws eks get-token` CLI command, allowing programmatic generation of authentication tokens for Amazon EKS clusters. It is currently at version 0.3.0 and is actively maintained, with releases typically tied to feature enhancements or dependency updates.","status":"active","version":"0.3.0","language":"en","source_language":"en","source_url":"https://github.com/peak-ai/eks-token","tags":["aws","eks","kubernetes","authentication","token","boto3","cli-alternative"],"install":[{"cmd":"pip install eks-token","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Used for interacting with AWS services to generate EKS authentication tokens.","package":"boto3","optional":false},{"reason":"Relies on AWS CLI configuration for credentials, although it replaces direct CLI calls.","package":"awscli","optional":true}],"imports":[{"symbol":"get_token","correct":"from eks_token import get_token"}],"quickstart":{"code":"import os\nfrom eks_token import get_token\nfrom pprint import pprint\n\n# Replace with your EKS cluster name. Can also be set via an environment variable.\ncluster_name = os.environ.get('EKS_CLUSTER_NAME', 'your-eks-cluster-name')\n\nif cluster_name == 'your-eks-cluster-name':\n    print(\"Please set the EKS_CLUSTER_NAME environment variable or update the 'cluster_name' variable in the script.\")\nelse:\n    try:\n        # Get the token for the specified EKS cluster\n        response = get_token(cluster_name=cluster_name)\n        pprint(response)\n\n        # Extract the token string\n        token = response['status']['token']\n        print(f\"\\nExtracted EKS Token: {token[:30]}...{token[-5:]}\")\n\n        # Example of getting token for a specific IAM role (optional)\n        # role_arn = os.environ.get('EKS_ROLE_ARN', 'arn:aws:iam::123456789012:role/YourEKSViewerRole')\n        # if role_arn != 'arn:aws:iam::123456789012:role/YourEKSViewerRole':\n        #     token_with_role = get_token(cluster_name=cluster_name, role_arn=role_arn)['status']['token']\n        #     print(f\"\\nToken with role: {token_with_role[:30]}...{token_with_role[-5:]}\")\n\n    except Exception as e:\n        print(f\"An error occurred: {e}\")\n        print(\"Ensure your AWS credentials are configured and you have permissions to describe the EKS cluster.\")","lang":"python","description":"This quickstart demonstrates how to use `eks-token` to retrieve an EKS authentication token. It shows basic usage with a cluster name and illustrates how to extract the actual token string. Ensure your AWS credentials are configured (e.g., via `~/.aws/credentials` or environment variables) and you have the necessary IAM permissions to interact with EKS. The `apiVersion` in the output now reflects `v1beta1` as of `eks-token` v0.2.0."},"warnings":[{"fix":"Ensure any Kubernetes client code consuming the output of `eks-token` is compatible with `client.authentication.k8s.io/v1beta1`. Most modern Kubernetes client libraries should support this.","message":"The API version for the generated `ExecCredential` object was updated from `client.authentication.k8s.io/v1alpha1` to `client.authentication.k8s.io/v1beta1`.","severity":"breaking","affected_versions":">=0.2.0"},{"fix":"Verify your AWS CLI is installed and configured correctly by running `aws sts get-caller-identity`. Ensure the IAM principal has permissions for `eks:DescribeCluster` and `sts:GetCallerIdentity` for the target EKS cluster.","message":"The `eks-token` library relies on properly configured AWS credentials, typically through the `awscli` configuration or environment variables, even though it bypasses direct `aws eks get-token` CLI execution. Without valid credentials, it will fail to obtain a token.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade to `eks-token` version 0.1.4 or newer. This version fixed the issue by requiring a minimum AWS CLI version rather than an exact one, improving compatibility.","message":"Older versions of `eks-token` (prior to v0.1.4) had a strict dependency on an exact `awscli` version, which could lead to installation or runtime issues if the user's installed `awscli` did not match.","severity":"gotcha","affected_versions":"<0.1.4"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Refresh your AWS credentials. For AWS CLI, you might need to re-authenticate (e.g., `aws sso login` or renew your temporary credentials).","cause":"Your AWS temporary credentials (e.g., from an assumed role or SSO) have expired.","error":"An error occurred: An error occurred (ExpiredTokenException) when calling the GetCallerIdentity operation: The security token included in the request is expired"},{"fix":"Grant `eks:DescribeCluster` permission to the IAM user or role. Additionally, ensure the principal has `sts:GetCallerIdentity` permission.","cause":"The IAM principal (user or role) attempting to get the EKS token does not have the necessary permissions (`eks:DescribeCluster`) for the specified EKS cluster.","error":"An error occurred: An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::123456789012:user/your-user is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:REGION:123456789012:cluster/your-eks-cluster-name because no identity-based policy allows the eks:DescribeCluster action"},{"fix":"Ensure AWS credentials are configured. This can be done by setting environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`), configuring the AWS CLI (`aws configure`), or using an IAM role for EC2 instances/EKS pods.","cause":"The Python environment or the underlying `boto3` library cannot find any AWS credentials configured.","error":"An error occurred: No credentials found to sign the token."}]}