🌱 Migrate sts to sdk v2

[alexander-demicev]

What type of PR is this?

/kind cleanup
/kind deprecation

What this PR does / why we need it:

This PR migrates sts to sdk v2. There are still some leftovers in identity package that can only be removed once all SDK migration is done.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #5413

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emoji in title
• adds unit tests
• adds or updates e2e tests

Release note:

Migrate sts to sdk v2

[alexander-demicev]

/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e

[alexander-demicev]

/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e

[nrb]

/retest

Couldn't allocate a testing account

[nrb]

Really only one change that I can see that's needed, thanks!

[alexander-demicev]

/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e

[alexander-demicev]

I'm running into an issue where connecting EKS clusters is failing after the change. I suspect it's related to the token that's being generated. I'm not an expert in EKS internals, but I noticed a difference in how the AWS SDK v1 vs v2 generates the token:

• v1 uses the global STS endpoint - sts.amazonaws.com, us-east-1
• v2 defaults to the regional STS endpoint - sts.$(MY_REGION).amazonaws.com)
• v1 explicitly sets the expiration, with v2 I wasn't to figure it out

[damdo]

Hm maybe @punkwalker can help @alexander-demicev ?

[punkwalker]

Hm maybe @punkwalker can help @alexander-demicev ?

I'm running into an issue where connecting EKS clusters is failing after the change. I suspect it's related to the token that's being generated. I'm not an expert in EKS internals, but I noticed a difference in how the AWS SDK v1 vs v2 generates the token:

• v1 uses the global STS endpoint - sts.amazonaws.com, us-east-1
• v2 defaults to the regional STS endpoint - sts.$(MY_REGION).amazonaws.com)
• v1 explicitly sets the expiration, with v2 I wasn't to figure it out

I will take a look at how CAPA does token generation but here is some reference - https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/325c38ccbbd395e3bf612205809af77fe3f923ce/pkg/token/token.go#L227

With V2, STS uses regional endpoint so the generated token should target regional endpoint. Also, STS token expiration is default 15 mins with V2 as well.
Note: EKS uses aws-iam-authenticator on server side for token validation.

[punkwalker]

@alexander-demicev I suspect issue with this custom middleware - https://github.com/alexander-demicev/cluster-api-provider-aws/blob/e8f43555098a3c7d88707dd50d14b377158e619f/pkg/cloud/services/eks/config.go#L303

Instead, can we use this pattern for adding header?
https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/325c38ccbbd395e3bf612205809af77fe3f923ce/pkg/token/token.go#L367

[alexander-demicev]

/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e

[damdo]

Invalid token flake:

/test pull-cluster-api-provider-aws-e2e-eks

[punkwalker]

/test pull-cluster-api-provider-aws-e2e

[damdo]

/test pull-cluster-api-provider-aws-e2e

[damdo]

Thanks a lot @alexander-demicev

/lgtm

/assign @richardcase @nrb @AndiDog @dlipovetsky

for approval

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 019c0dcf6215d0f88dc7ae8ae2c17b355ceef87f

[richardcase]

Thanks for this @alexander-demicev

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [richardcase]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[damdo]

/retest