o !d&@sddlZddlZddlZddlZddlZddlmZmZddlmZddl m Z ddl m Z ddl mZddlmZddlmZd Zd Zd Zd Zd ZdZdZeegZegZdZdZdZdZdZdZ dZ!GdddeZ"Gddde#Z$Gddde#Z%dS)N)datetime timedelta) RequestSigner) ServiceId) get_formatter) BasicCommand) uni_print)validate_mutually_exclusivestsZGetCallerIdentityz 2011-06-15v4z%client.authentication.k8s.io/v1alpha1z$client.authentication.k8s.io/v1beta1zclient.authentication.k8s.io/v1z{0} KUBERNETES_EXEC_INFO, defaulting to {1}. This is likely a bug in your Kubernetes client. Please update your Kubernetes client.zUnrecognized API version in KUBERNETES_EXEC_INFO, defaulting to {0}. This is likely due to an outdated AWS CLI. Please update your AWS CLI.zeKubeconfig user entry is using deprecated API version {0}. Run 'aws eks update-kubeconfig' to update.<z k8s-aws-v1.z x-k8s-aws-idc@sNeZdZdZdZddddddddd d ddgZd d Zd dZddZdS)GetTokenCommandz get-tokenz{Get a token for authentication with an Amazon EKS cluster. This can be used as an alternative to the aws-iam-authenticator.z cluster-namezSpecify the name of the Amazon EKS cluster to create a token for. (Note: for local clusters on AWS Outposts, please use --cluster-id parameter)F)nameZ help_textrequiredzrole-arna Assume this role for credentials when signing the token. Use this optional parameter when the credentials for signing the token differ from that of the current role session. Using this parameter results in new role session credentials that are used to sign the token.z cluster-idzoSpecify the id of the Amazon EKS cluster to create a token for. (Note: for local clusters on AWS Outposts only)cCstttd}|dS)N)minutesz%Y-%m-%dT%H:%M:%SZ)rutcnowrTOKEN_EXPIRATION_MINSstrftime)selftoken_expirationrGusr/lib/python3.10/site-packages/awscli/customizations/eks/get_token.pyget_expiration_timels z#GetTokenCommand.get_expiration_timec Cst|j}|j|j|jd}t|dgdg|jr|j}n |jr$|j}ntdSt | |}| }d| i||dd}|j } | durL|jd} t| |} |j| _| |j|td d S) N) region_namerole_arn cluster_name cluster_idzBEither parameter --cluster-name or --cluster-id must be specified.ZExecCredential)ZexpirationTimestamptoken)kind apiVersionspecstatusoutput r)STSClientFactory_sessionget_sts_clientZregionrr rr ValueErrorTokenGenerator get_tokenrdiscover_api_versionr#Zget_config_variablerqueryNAMEr) rZ parsed_argsZparsed_globalsZclient_factory sts_client identifierrrZ full_objectr# formatterrrr _run_mainrs6     zGetTokenCommand._run_maincCst}ddd}tjdd}|s|Szt|}Wntjy7tt |d|t j tdt j |YSw|d}|t vrC|S|t vrXtt |t j tdt j |Stt |t j tdt j |S) a Parses the KUBERNETES_EXEC_INFO environment variable and returns the API version. If the environment variable is malformed or invalid, return the v1beta1 response and print a message to stderr. If the v1alpha1 API is specified explicitly, a message is printed to stderr with instructions to update. :return: The client authentication API version :rtype: string z Error parsingEmpty)erroremptyZKUBERNETES_EXEC_INFOr3r$r )BETA_APIosenvirongetjsonloadsJSONDecodeErrorr ERROR_MSG_TPLformatsysstderrFULLY_SUPPORTED_API_VERSIONSDEPRECATED_API_VERSIONSDEPRECATION_MSG_TPLUNRECOGNIZED_MSG_TPL)rZfallback_api_versionZerror_prefixesZ exec_info_rawZ exec_infoZapi_version_rawrrrr+sB    z$GetTokenCommand.discover_api_versionN) __name__ __module__ __qualname__r-Z DESCRIPTIONZ ARG_TABLErr1r+rrrrrFs(  *rc@s$eZdZddZddZddZdS)r)cC ||_dSN) _sts_clientrr.rrr__init__ zTokenGenerator.__init__cCs.||}tt|ddd}|S)z2Generate a presigned url token to pass to kubectl.zutf-8=)_get_presigned_url TOKEN_PREFIXbase64urlsafe_b64encodeencodedecoderstrip)r k8s_aws_idurlrrrrr*s  zTokenGenerator.get_tokencCs|jjdt|itddS)NZget_caller_identityZGET)ZParamsZ ExpiresInZ HttpMethod)rJZgenerate_presigned_urlK8S_AWS_ID_HEADER URL_TIMEOUT)rrVrrrrOs z!TokenGenerator._get_presigned_urlN)rErFrGrLr*rOrrrrr)s r)c@s>eZdZddZdddZddZdd Zd d Zd d ZdS)r%cCrHrI)r&)rZsessionrrrrLrMzSTSClientFactory.__init__NcCs`d|i}|dur |||}|d|d<|d|d<|d|d<|jjd i|}|||S) NrZ AccessKeyIdZaws_access_key_idZSecretAccessKeyZaws_secret_access_keyZ SessionTokenZaws_session_tokenr )r )_get_role_credentialsr& create_client_register_k8s_aws_id_handlers)rrrZ client_kwargsZcredsr rrrr's     zSTSClientFactory.get_sts_clientcCs |jd|}|j|dddS)Nr ZEKSGetTokenAuth)ZRoleArnZRoleSessionNameZ Credentials)r&r[Z assume_role)rrrr rrrrZs z&STSClientFactory._get_role_credentialscCs(|jjd|j|jjd|jdS)Nz+provide-client-params.sts.GetCallerIdentityz!before-sign.sts.GetCallerIdentity)metaeventsregister_retrieve_k8s_aws_id_inject_k8s_aws_id_headerrKrrrr\sz.STSClientFactory._register_k8s_aws_id_handlerscKst|vr |t|t<dSdSrI)rXpop)rparamscontextkwargsrrrr`sz%STSClientFactory._retrieve_k8s_aws_idcKs"t|jvr|jt|jt<dSdSrI)rXrdheaders)rZrequestrerrrras z*STSClientFactory._inject_k8s_aws_id_header)NN) rErFrGrLr'rZr\r`rarrrrr%s   r%)&rQZbotocorer:r7r?rrZbotocore.signersrZbotocore.modelrZawscli.formatterrZawscli.customizations.commandsrZawscli.customizations.utilsrr Z AUTH_SERVICEZ AUTH_COMMANDZAUTH_API_VERSIONZAUTH_SIGNING_VERSIONZ ALPHA_APIr6ZV1_APIrArBr=rDrCrYrrPrXrobjectr)r%rrrrsL