akhilesharora commented on code in PR #63020:
URL: https://github.com/apache/airflow/pull/63020#discussion_r2901565355
##########
providers/amazon/src/airflow/providers/amazon/aws/hooks/eks.py:
##########
@@ -678,3 +678,99 @@ def generate_config_file(
config_file.write(config_text)
config_file.flush()
yield config_file.name
+
+ def generate_config_dict_for_deferral(
+ self,
+ eks_cluster_name: str,
+ pod_namespace: str | None,
+ ) -> dict:
+ """
+ Generate a kubeconfig dict with embedded token for use in deferrable
mode.
+
+ This method generates a kubeconfig that uses a pre-fetched bearer
token instead of
+ an exec credential plugin. This is necessary for deferrable mode
because:
+ 1. The exec plugin references temp files that only exist on the worker
+ 2. The triggerer runs on a different host where those temp files don't
exist
+ 3. By embedding the token directly, the config can be serialized and
used anywhere
+
+ Note: The token has a limited lifetime (typically 14 minutes). The
triggerer should
+ complete its work within this window, or the trigger_reentry will
fetch fresh credentials.
+
+ :param eks_cluster_name: The name of the cluster to generate
kubeconfig for.
+ :param pod_namespace: The namespace to run within kubernetes.
+ :return: A kubeconfig dict with embedded bearer token.
+ """
+ from botocore.exceptions import ClientError
+
+ from airflow.providers.amazon.aws.utils.eks_get_token import
fetch_access_token_for_cluster
+
+ # Get cluster details
+ eks_client = self.conn
+ session = self.get_session()
+
+ try:
+ cluster = eks_client.describe_cluster(name=eks_cluster_name)
+ except ClientError as e:
+ raise ValueError(
+ f"Failed to describe EKS cluster '{eks_cluster_name}':
{e.response['Error']['Message']}"
+ ) from e
+
+ cluster_cert = cluster["cluster"]["certificateAuthority"]["data"]
+ cluster_ep = cluster["cluster"]["endpoint"]
+
+ # Generate the STS URL for token generation
+ os.environ["AWS_STS_REGIONAL_ENDPOINTS"] = "regional"
+ try:
+ sts_url =
f"{StsHook(region_name=session.region_name).conn_client_meta.endpoint_url}/?Action=GetCallerIdentity&Version=2011-06-15"
+ finally:
+ del os.environ["AWS_STS_REGIONAL_ENDPOINTS"]
+
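Review bot: The docstring of generate_config_dict_for_deferral describes the embedded token's lifetime but never states that the returned dict is itself a live credential, even though its stated purpose is that "the config can be serialized and used anywhere"; a caller needs to know it has to be handled as a secret. I would extend the Note paragraph with something like `The returned dict embeds a live bearer token: do not log it or write it to plain-text storage, and only pass it through channels meant for secrets, because whoever obtains it can authenticate to the cluster (presumably with this hook's AWS identity) until it expires.` Separately, the `except ClientError` branch around describe_cluster surfaces only `e.response['Error']['Message']`; adding the code, `{e.response['Error'].get('Code')}: {e.response['Error'].get('Message')}`, would let operators tell an access-denied from a not-found failure in the raised ValueError. The function body continues past the end of the quoted hunk, so how the token is placed into the dict is not visible here.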
Review Comment:
You're right, I've removed the env var manipulation entirely. Now
constructing the regional STS URL directly:
`https://sts.{region}.amazonaws.com/.... ` Also applied this fix to the
existing `generate_config_file` method for consistency.