What are the differences between tokens generated by `aws-iam-authenticator` and `aws eks get-token` when authenticate to kubernetes-dashboard?

Question

kubectl is using aws eks get-token and works perfectly.

But when I try to login to kubernetes-dashboard with the token generated below I get Unauthorized (401): Invalid credentials provided:

AWS_PROFILE=MYPROFILE aws eks get-token --cluster-name myclustername | jq -r '.status.token'

But if I use the token generated with:

AWS_PROFILE=MYPROFILE aws-iam-authenticator -i myclustername token --token-only

then I can login to kubernetes-dashboard.

So in which way are those tokens different? I thought they were equivalent.

Answer 1

There should be not difference between the tokens generated by aws-iam-authenticator or aws eks get-token.

Make sure that you spelled the cluster name right in both commands as you can generate tokens for clusters that do not exist.

Double check that both commands authenticate:

kubectl --token=`AWS_PROFILE=MYPROFILE aws-iam-authenticator -i MYCLUSTERNAME  token --token-only` get nodes
kubectl --token=`AWS_PROFILE=MYPROFILE aws --region eu-north-1 eks get-token --cluster-name MYCLUSTERNAME | jq -r '.status.token'` get nodes

Sometimes is very easy to misspell the cluster name and the tools will happily generate a token for it without producing any visible error or warning.