fix(pricing): honor AWS profile and reuse resolved credentials #523
Closed
cesar32az wants to merge 1 commit into
The pricing provider built a brand-new AWS config via LoadDefaultConfig
inside NewPricingClient, ignoring the credentials already resolved for the
EC2 client. It also had no way to select an AWS profile, so users on AWS
SSO / IAM Identity Center hit "no EC2 IMDS role found" while kubectl (which
resolves its own profile via the kubeconfig exec plugin) worked fine.
- Add a --profile flag (and `profile` config-file key) to select the AWS
profile; falls back to the standard credential chain (AWS_PROFILE, shared
config) when empty.
- Drop the no-op WithSharedConfigProfile("") in main.
- NewPricingClient now copies the resolved config and only overrides the
region to a pricing-API-capable one, so the configured profile / SSO
session is honored for pricing too.
- Document the flag and the IMDS troubleshooting case in the README.
Fixes #477
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Author
Closing in favor of #383, which already addresses AWS profile/region resolution for pricing (deriving them from the kube context). Apologies for the duplicate.
Description
Fixes #477.
When the AWS SDK's default credential chain can't resolve usable credentials for the active profile, pricing lookups fall back to EC2 IMDS and fail on a laptop:
This is common with AWS SSO / IAM Identity Center:
`kubectl` works because its kubeconfig `exec` plugin (`aws eks get-token`) resolves its own profile, but `eks-node-viewer` loads a separate SDK config that has no way to select a profile, so it ends at IMDS.
There were two related gaps:
- `eks-node-viewer` which AWS profile to use — only the ambient `AWS_PROFILE` env var.
- `NewPricingClient` built a brand-new config via `LoadDefaultConfig` instead of reusing the credentials already resolved for the EC2 client, so even a correctly-resolved config wasn't propagated to the Pricing API client.
Changes
- `--profile` flag (and a `profile` key for the `~/.eks-node-viewer` config file) to select the AWS profile used for pricing/EC2 calls. When empty, the standard credential chain is used (`AWS_PROFILE`, shared config, etc.), so existing behavior is unchanged.
- `NewPricingClient` now copies the already-resolved `aws.Config` and only overrides the region to a pricing-API-capable one, so the configured profile / SSO session is honored consistently across the EC2 and Pricing clients.
- `config.WithSharedConfigProfile("")` in `main`.
Testing
- `go build ./cmd/... ./pkg/...`, `go vet`, `go test ./cmd/... ./pkg/...` all pass. Added `pkg/aws/pricing_test.go` covering the region mapping and that `NewPricingClient` doesn't mutate the caller's config.
- `--profile <name>`: pricing updated from the static baseline to live values with no IMDS/credential errors in the logs.
- `--profile` takes precedence over a bogus `AWS_PROFILE` env var, and that the flag is rejected by the released binary (confirming it's net-new).
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
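The pattern this description refers to, as an added Go example that is not code from the pull request or the project: resolve the profile once, then derive the pricing config from a copy of the already-resolved config so both clients share one credential source. `Config` and `CredentialsProvider` are stand-ins for the SDK types so it runs without the AWS SDK module, and the function names, region prefix rules and profile names are illustrative assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// CredentialsProvider and Config are stand-ins for the SDK types (assumption).
type CredentialsProvider interface{ Source() string }

type Config struct {
	Region      string
	Credentials CredentialsProvider
}

type profileCreds struct{ profile string }

func (p *profileCreds) Source() string { return "profile:" + p.profile }

// EffectiveProfile: an explicit --profile wins; empty defers to AWS_PROFILE.
func EffectiveProfile(flagValue, envValue string) string {
	if flagValue != "" {
		return flagValue
	}
	return envValue
}

// PricingRegion maps a cluster region to a region that hosts a Pricing API
// endpoint. The prefix rules are illustrative, not the project's mapping.
func PricingRegion(region string) string {
	switch {
	case strings.HasPrefix(region, "ap-"):
		return "ap-south-1"
	case strings.HasPrefix(region, "eu-"):
		return "eu-central-1"
	default:
		return "us-east-1"
	}
}

// PricingConfig receives base by value, so the caller's Region is untouched,
// while the Credentials interface value still refers to the same provider.
func PricingConfig(base Config) Config {
	base.Region = PricingRegion(base.Region)
	return base
}

func main() {
	creds := &profileCreds{profile: EffectiveProfile("sso-dev", "bogus")} // constructed names
	ec2 := Config{Region: "eu-west-1", Credentials: creds}
	p := PricingConfig(ec2)
	fmt.Println(ec2.Region, p.Region, p.Credentials.Source())
}
```

Because the provider is shared instead of re-resolved, the pricing client cannot end up on a different credential source, such as IMDS, than the EC2 client.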