EKS Token
eks-token is a Python library that provides an alternative to the `aws eks get-token` CLI command, allowing programmatic generation of authentication tokens for Amazon EKS clusters. It is currently at version 0.3.0 and is actively maintained, with releases typically tied to feature enhancements or dependency updates.
Common errors
- `An error occurred: An error occurred (ExpiredTokenException) when calling the GetCallerIdentity operation: The security token included in the request is expired`
  - cause: Your AWS temporary credentials (e.g., from an assumed role or SSO) have expired.
  - fix: Refresh your AWS credentials. For AWS CLI, you might need to re-authenticate (e.g., `aws sso login` or renew your temporary credentials).
- `An error occurred: An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::123456789012:user/your-user is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:REGION:123456789012:cluster/your-eks-cluster-name because no identity-based policy allows the eks:DescribeCluster action`
  - cause: The IAM principal (user or role) attempting to get the EKS token does not have the necessary permissions (`eks:DescribeCluster`) for the specified EKS cluster.
  - fix: Grant `eks:DescribeCluster` permission to the IAM user or role. Additionally, ensure the principal has `sts:GetCallerIdentity` permission.
- `An error occurred: No credentials found to sign the token.`
  - cause: The Python environment or the underlying `boto3` library cannot find any AWS credentials configured.
  - fix: Ensure AWS credentials are configured. This can be done by setting environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`), configuring the AWS CLI (`aws configure`), or using an IAM role for EC2 instances/EKS pods.
Warnings
- breaking: The API version for the generated `ExecCredential` object was updated from `client.authentication.k8s.io/v1alpha1` to `client.authentication.k8s.io/v1beta1`.
- gotcha: The `eks-token` library relies on properly configured AWS credentials, typically through the `awscli` configuration or environment variables, even though it bypasses direct `aws eks get-token` CLI execution. Without valid credentials, it will fail to obtain a token.
- gotcha: Older versions of `eks-token` (prior to v0.1.4) had a strict dependency on an exact `awscli` version, which could lead to installation or runtime issues if the user's installed `awscli` did not match.
Install
- `pip install eks-token`
Imports
- get_token: `from eks_token import get_token`
Quickstart
```python
import os
from pprint import pprint

from eks_token import get_token

# Replace with your EKS cluster name. Can also be set via an environment variable.
cluster_name = os.environ.get('EKS_CLUSTER_NAME', 'your-eks-cluster-name')

if cluster_name == 'your-eks-cluster-name':
    print("Please set the EKS_CLUSTER_NAME environment variable or update the 'cluster_name' variable in the script.")
else:
    try:
        # Get the token for the specified EKS cluster
        response = get_token(cluster_name=cluster_name)
        # pprint shows the whole ExecCredential, including the full bearer token
        # in status.token; keep this output out of shared logs.
        pprint(response)

        # Extract the token string and print only a truncated form
        token = response['status']['token']
        print(f"\nExtracted EKS Token: {token[:30]}...{token[-5:]}")

        # Example of getting token for a specific IAM role (optional)
        # role_arn = os.environ.get('EKS_ROLE_ARN', 'arn:aws:iam::123456789012:role/YourEKSViewerRole')
        # if role_arn != 'arn:aws:iam::123456789012:role/YourEKSViewerRole':
        #     token_with_role = get_token(cluster_name=cluster_name, role_arn=role_arn)['status']['token']
        #     print(f"\nToken with role: {token_with_role[:30]}...{token_with_role[-5:]}")
    except Exception as e:
        print(f"An error occurred: {e}")
        print("Ensure your AWS credentials are configured and you have permissions to describe the EKS cluster.")
```
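The `ExecCredential` returned by `get_token` carries a bearer token in `status.token`, so logging it whole exposes a usable credential. The following added example (not part of the eks-token project) summarizes the object for logs instead and checks the `v1beta1` API version noted under Warnings. It assumes the token uses the same layout as `aws eks get-token` (`k8s-aws-v1.` followed by an unpadded base64url presigned STS URL); `summarize_exec_credential` and `constructed_sample` are hypothetical names.

```python
import base64
from urllib.parse import urlsplit, parse_qs

TOKEN_PREFIX = "k8s-aws-v1."
EXPECTED_API_VERSION = "client.authentication.k8s.io/v1beta1"


def summarize_exec_credential(cred: dict) -> dict:
    """Return loggable metadata for an EKS ExecCredential; never the signature."""
    if cred.get("kind") != "ExecCredential":
        raise ValueError("not an ExecCredential object")
    if cred.get("apiVersion") != EXPECTED_API_VERSION:
        raise ValueError(f"unexpected apiVersion: {cred.get('apiVersion')!r}")
    token = cred["status"]["token"]
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("token does not carry the k8s-aws-v1. prefix")
    body = token[len(TOKEN_PREFIX):]
    # Assumption: same layout as `aws eks get-token`, unpadded base64url of a presigned STS URL.
    url = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # X-Amz-Credential is "<access key id>/<date>/<region>/sts/aws4_request".
    key_id, _, region, *_ = query["X-Amz-Credential"].split("/")
    return {
        "sts_host": parts.hostname,
        "action": query.get("Action"),
        "access_key_id": key_id[:4] + "..." + key_id[-4:],
        "region": region,
        "signed_at": query.get("X-Amz-Date"),
        "url_expires_s": int(query.get("X-Amz-Expires", "0")),
        "signed_headers": query.get("X-Amz-SignedHeaders", "").split(";"),
        "expiration": cred["status"].get("expirationTimestamp"),
    }


def constructed_sample() -> dict:
    # Constructed sample: fake key id (AWS documentation example) and fake signature.
    url = ("https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
           "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
           "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240101%2Fus-east-1%2Fsts%2Faws4_request"
           "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=60"
           "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=" + "0" * 64)
    token = TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return {"kind": "ExecCredential", "apiVersion": EXPECTED_API_VERSION, "spec": {},
            "status": {"expirationTimestamp": "2024-01-01T00:14:00Z", "token": token}}


if __name__ == "__main__":
    print(summarize_exec_credential(constructed_sample()))
```

With a real response, pass the dictionary returned by `get_token(cluster_name=...)` to `summarize_exec_credential` and log the result in place of `pprint(response)`.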