From 649ef915ba64bf160080199dbd06014ad70796ee Mon Sep 17 00:00:00 2001 From: hwayoungjun Date: Wed, 20 May 2026 23:34:28 +0900 Subject: [PATCH] fix: generate valid EKS authentication token payload Build the EKS bearer token from the presigned STS GetCallerIdentity URL directly instead of URL-encoding the whole presigned URL first. The AWS signer already returns a URL with encoded query parameters, and encoding the entire URL again makes the decoded token payload an encoded URL string rather than the presigned STS URL expected by EKS. Set the STS request path explicitly to "/" so the generated presigned URL matches the accepted EKS token payload shape. This fixes EKSAuthentication requests failing with 401 Unauthorized. --- .../kubernetes/client/util/credentials/EKSAuthentication.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/util/src/main/java/io/kubernetes/client/util/credentials/EKSAuthentication.java b/util/src/main/java/io/kubernetes/client/util/credentials/EKSAuthentication.java index afa180b918..9a9f268952 100644 --- a/util/src/main/java/io/kubernetes/client/util/credentials/EKSAuthentication.java +++ b/util/src/main/java/io/kubernetes/client/util/credentials/EKSAuthentication.java @@ -82,12 +82,13 @@ public void provide(ApiClient client) { private static String presignedUrlToEncodedUrl(String presignedUrl) { return Base64.getUrlEncoder() .withoutPadding() - .encodeToString(SdkHttpUtils.urlEncodeIgnoreSlashes(presignedUrl).getBytes(StandardCharsets.UTF_8)); + .encodeToString(presignedUrl.getBytes(StandardCharsets.UTF_8)); } private SdkHttpRequest generateStsRequest() { return SdkHttpRequest.builder() .uri(stsEndpoint) + .encodedPath("/") .putRawQueryParameter("Version", "2011-06-15") .putRawQueryParameter("Action", "GetCallerIdentity") .method(SdkHttpMethod.GET)