Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: Getting "Unable to cache credential: <nil>" when using version 0.6.28 #776

Open
Kevinbarre opened this issue Nov 20, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@Kevinbarre
Copy link

What happened?

Following my organisation procedure to cache the credentials using aws-iam-authenticator, I was constantly getting the error Unable to cache credential: <nil> after each kubectl command. For instance:

→ ~ kubectl get pods
Cache file /home/kbarre/.kube/cache/aws-iam-authenticator/credentials.yaml does not exist.
No cached credential available.  Refreshing...
Unable to cache credential: <nil>

What you expected to happen?

I was expecting to instead receive the message Updated cached credential

Anything else we need to know?

I tried using the previous version 0.6.27 and it worked correctly with it.

→ ~ kubectl get pods
Cache file /home/kbarre/.kube/cache/aws-iam-authenticator/credentials.yaml does not exist.
No cached credential available.  Refreshing...
Updated cached credential

So I assume there is a regression on latest 0.6.28 version

Installation done by copying the binary aws-iam-authenticator_0.6.28_linux_amd64 from https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/tag/v0.6.28 in /usr/local/bin/

Installation tooling

other (please specify in description)

AWS IAM Authenticator client version

{"Version":"0.6.28","Commit":"2e9e69bd8253b87e08b937d59b1a2b8593942d13"}

Client information

- OS/arch: Ubuntu 22.04.5 LTS x86_64
- kubernetes client & version: kubectl v1.31.0

Kubernetes API Version

Server Version: v1.30.4-eks-a737599

kubeconfig user

[
    {
        "name": "REDACTED",
        "user": {
            "exec": {
                "apiVersion": "client.authentication.k8s.io/v1beta1",
                "args": [
                    "token",
                    "--cache",
                    "--region",
                    "REDACTED",
                    "-i",
                    "REDACTED"
                ],
                "command": "aws-iam-authenticator",
                "env": [
                    {
                        "name": "AWS_PROFILE",
                        "value": "REDACTED"
                    }
                ],
                "interactiveMode": "IfAvailable",
                "provideClusterInfo": false
            }
        }
    }
]
@Kevinbarre Kevinbarre added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 20, 2024
kanwren added a commit to kanwren/aws-iam-authenticator that referenced this issue Dec 4, 2024
Fixes a bug introduced during the refactor in
e92213c, which incorrectly inverted the
previous credential expirability checking logic. This caused errors
about being unable to cache otherwise cachable credentials.

Also changes the error log around the previous expirability check site
to no longer log the error that previously came from the `ExpiresAt()`
check; since this is now the wrong `err`, it's always `nil`.

Addresses kubernetes-sigs#776
kanwren added a commit to kanwren/aws-iam-authenticator that referenced this issue Dec 4, 2024
Fixes a bug introduced during the refactor in
e92213c, which incorrectly inverted the
previous credential expirability checking logic. This caused errors
about being unable to cache otherwise cachable credentials.

Also changes the error log around the previous expirability check site
to no longer log the error that previously came from the `ExpiresAt()`
check; since this is now the wrong `err`, it's always `nil`.

Addresses kubernetes-sigs#776
kanwren added a commit to kanwren/aws-iam-authenticator that referenced this issue Dec 4, 2024
Fixes a bug introduced during the refactor in
e92213c, which incorrectly inverted the
previous credential expirability checking logic. This caused errors
about being unable to cache otherwise cachable credentials.

Also changes the error log around the previous expirability check site
to no longer log the error that previously came from the `ExpiresAt()`
check; since this is now the wrong `err`, it's always `nil`.

Addresses kubernetes-sigs#776
@afinit
Copy link

afinit commented Dec 12, 2024

I am also experiencing this problem with v0.6.28 and was able to get around the problem by downgrading to v0.6.27. I also noticed that if i do not set AWS_PROFILE, then it works just fine with the default profile. I'm able to verify that by checking the cached credentials.

I was testing this by running from the command line. The first works, the second errors with the title error

## default profile
aws-iam-authenticator token -i fancy-cluster-id-here --cache

## nondefault profile
EXPORT AWS_PROFILE=nondefault
aws-iam-authenticator token -i fancy-cluster-id-here --cache

Client Information

- OS/arch: MacOS 15.1.1
- kubernetes client & version: kubectl v1.32.0

kanwren added a commit to kanwren/aws-iam-authenticator that referenced this issue Jan 7, 2025
Fixes a bug introduced during the refactor in
e92213c, which incorrectly inverted the
previous credential expirability checking logic. This caused errors
about being unable to cache otherwise cachable credentials.

Also changes the error log around the previous expirability check site
to no longer log the error that previously came from the `ExpiresAt()`
check; since this is now the wrong `err`, it's always `nil`.

Addresses kubernetes-sigs#776
kanwren added a commit to kanwren/aws-iam-authenticator that referenced this issue Jan 7, 2025
Fixes a bug introduced during the refactor in
e92213c, which incorrectly inverted the
previous credential expirability checking logic. This caused errors
about being unable to cache otherwise cachable credentials.

Also changes the error log around the previous expirability check site
to no longer log the error that previously came from the `ExpiresAt()`
check; since this is now the wrong `err`, it's always `nil`.

Addresses kubernetes-sigs#776
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Development

No branches or pull requests

2 participants