Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) - Resolve "You must be logged in to the server (the server has asked for the client to provide credentials)"


Let's say something like this is being returned.

error: You must be logged in to the server (the server has asked for the client to provide credentials)

 

I had this when using the aws eks get-token command to get an authentication token.

~]$ aws eks get-token --cluster-name my-cluster
{
 "kind": "ExecCredential",
 "apiVersion": "client.authentication.k8s.io/v1alpha1",
 "spec": {},
 "status": {
   "expirationTimestamp": "2023-10-23T20:29:08Z",
   "token": "k8s-aws-v1.aHR0....zljYw"
  }
}

 

And then including the --token option in kubectl.

~]# kubectl get pods --token <token goes here>
error: You must be logged in to the server (the server has asked for the client to provide credentials)

 

When using the AWS CLI to get the authentication token, by default, the connection will be made using the default profile in your AWS credentials file.

~]$ cat /home/john.doe/.aws/credentials 
[default]
aws_secret_access_key = Xw3kZVaxTfvDKBMGf6R79Unf5LG4kdf9piuHfhn13
aws_access_key_id = 34VGB4HYOC2ABCO67BKD

 

aws sts get-caller-identity can be used to return the ID and ARN of the user.

~]$ aws sts get-caller-identity
{
    "UserId": "ZCD152GB835DBD568ABD182",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/johndoe"
}

 

If you have access to CloudWatch Logs Insights, you can run the following query.

fields @logStream, @timestamp, @message
| sort @timestamp desc
| filter @logStream like /authenticator/
| filter @message like "username=kubernetes-admin"
| limit 50

 

Which should return something like this. In this example, arn:aws:iam::123456789012:role/admin-role is mapped to kubernetes-admin.

Field	Value
@ingestionTime	1698988159189
@log	123456789012:/aws/eks/my-cluster/cluster
@logStream	authenticator-26884bd4c008c7c613f6f0670b4f9a9f
@message	time="2023-11-03T05:09:14Z" level=info msg="access granted" arn="arn:aws:iam::123456789012:role/admin-role" client="127.0.0.1:46870" groups="[system:masters]" method=POST path=/authenticate uid="aws-iam-authenticator:123456789012:AROAXMKSNBAOZOTCVGUFK" username=kubernetes-admin
@timestamp	1698988158328
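
The comparison the steps above lead to, as an added example that is not part of the original article: parse authenticator @message lines and test whether the ARN returned by aws sts get-caller-identity is one the cluster granted access to. The function names are hypothetical, the sample message is the one shown above, and reducing an STS assumed-role ARN to the IAM role form is an assumption about how the authenticator logs role sessions.

```python
import re
import shlex

# Sample input: the authenticator @message from the query output above.
SAMPLE_MESSAGES = [
    'time="2023-11-03T05:09:14Z" level=info msg="access granted" '
    'arn="arn:aws:iam::123456789012:role/admin-role" client="127.0.0.1:46870" '
    'groups="[system:masters]" method=POST path=/authenticate '
    'uid="aws-iam-authenticator:123456789012:AROAXMKSNBAOZOTCVGUFK" '
    'username=kubernetes-admin',
]

def parse_logfmt(message):
    """Split a key=value log line (values optionally double-quoted) into a dict."""
    fields = {}
    for part in shlex.split(message):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields

def canonical_arn(arn):
    """Reduce an STS assumed-role ARN to the IAM role ARN form (assumption: the log uses it)."""
    m = re.fullmatch(r"arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/.+", arn)
    if m:
        return f"arn:{m[1]}:iam::{m[2]}:role/{m[3]}"
    return arn

def granted_identities(messages):
    """Map each ARN with an 'access granted' entry to (username, groups)."""
    granted = {}
    for message in messages:
        f = parse_logfmt(message)
        if f.get("msg") == "access granted" and "arn" in f:
            groups = f.get("groups", "[]").strip("[]").split()
            granted[f["arn"]] = (f.get("username"), groups)
    return granted

def check_caller(caller_arn, messages):
    """Return (username, groups) if the caller's ARN was granted access, else None."""
    return granted_identities(messages).get(canonical_arn(caller_arn))

if __name__ == "__main__":
    # "Arn" value from the aws sts get-caller-identity output above.
    caller = "arn:aws:iam::123456789012:user/johndoe"
    match = check_caller(caller, SAMPLE_MESSAGES)
    print(f"{caller}: {'mapped to ' + match[0] if match else 'no access granted entry'}")
```
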

 



