Report #7436
[bug_fix] EKS kubectl fails with Unauthorized after 15 minutes due to static AWS IAM Authenticator token expiry
Configure kubeconfig to use the 'aws eks get-token' exec provider instead of a static token. Run 'aws eks update-kubeconfig --name ' to configure this automatically: it writes a users entry whose exec block runs 'aws eks get-token' with --cluster-name, so every kubectl invocation mints a fresh pre-signed STS token instead of reusing one pasted into the file. Note that the IAM role's MaxSessionDuration (raisable to 12 hours) governs how long the assumed-role credentials that 'aws eks get-token' signs with stay valid, not the 15-minute lifetime of the token itself. Raising it can help CI/CD pipelines that hold one role session across long-lived kubectl exec/port-forward work, but it is the exec provider that removes the need for manual token refresh.
Journey Context:
Developer provisions an Amazon EKS cluster and manually constructs a kubeconfig following an outdated blog post, pasting a static token from 'aws-iam-authenticator token -i '. Initially, 'kubectl get nodes' succeeds. The developer starts a long-running 'kubectl exec' debugging session into a container. After exactly 15 minutes (the validity window of an aws-iam-authenticator token, not an STS session duration: the token is a pre-signed STS GetCallerIdentity URL that the authenticator accepts for 15 minutes after it is signed), the connection drops with 'Unauthorized'. Retrying the command yields the same error. The developer verifies that 'aws sts get-caller-identity' works fine and checks IAM policies (correct). They inspect the kubeconfig and realize the token field contains a static 'k8s-aws-v1.' token, a base64url-encoded pre-signed URL rather than a JWT, which nothing in the file can renew. They discover that kubectl supports an exec credential plugin that invokes 'aws eks get-token --cluster-name ' dynamically. By switching to this configuration, every kubectl invocation generates a fresh STS pre-signed URL valid for 15 minutes from that moment, effectively eliminating the expiration window for discrete commands. They apply 'aws eks update-kubeconfig', which performs this configuration automatically, restoring stable access.
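To make the distinction concrete, here is an added example (not code from the report, from kubectl or from AWS tooling) that decodes a 'k8s-aws-v1.' token, computes when its 15-minute window closes, and flags kubeconfig users that still carry a static token instead of an exec provider. The kubeconfig, the cluster name 'demo', the region, and the token's credential and signature values are constructed for the example; the token shape (base64url of a pre-signed STS GetCallerIdentity URL) is the one 'aws eks get-token' emits.

```python
"""Audit a kubeconfig for static EKS tokens and show why they stop working.

Added example, not part of the report. The kubeconfig, cluster name 'demo',
region and the token's credential/signature values are constructed.
"""
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

TOKEN_PREFIX = "k8s-aws-v1."
# Validity window the report describes for an aws-iam-authenticator token.
TOKEN_LIFETIME = timedelta(minutes=15)


def encode_eks_token(presigned_url: str) -> str:
    """Wrap a pre-signed STS GetCallerIdentity URL the way aws-iam-authenticator
    does: unpadded base64url, prefixed with 'k8s-aws-v1.'."""
    raw = base64.urlsafe_b64encode(presigned_url.encode()).decode().rstrip("=")
    return TOKEN_PREFIX + raw


def decode_eks_token(token: str):
    """Return (url, signed_at, expires_at) for a 'k8s-aws-v1.' token.

    The token is not a JWT: it is a pre-signed URL whose X-Amz-Date query
    parameter records when it was minted."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not an EKS authenticator token")
    body = token[len(TOKEN_PREFIX):]
    body += "=" * (-len(body) % 4)  # restore the padding the encoder stripped
    url = base64.urlsafe_b64decode(body).decode()
    query = parse_qs(urlparse(url).query)
    signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return url, signed_at, signed_at + TOKEN_LIFETIME


def seconds_remaining(token: str, now_iso: str) -> int:
    """Seconds until the token's 15-minute window closes (negative once expired)."""
    _, _, expires_at = decode_eks_token(token)
    now = datetime.fromisoformat(now_iso)
    return int((expires_at - now).total_seconds())


def audit_kubeconfig(cfg: dict) -> list:
    """Classify each users[] entry of a kubeconfig in the JSON form that
    'kubectl config view --raw -o json' prints."""
    findings = []
    for entry in cfg.get("users", []):
        user = entry.get("user", {})
        name = entry.get("name")
        if "exec" in user:
            ex = user["exec"]
            cmd = " ".join([ex.get("command", "")] + ex.get("args", []))
            findings.append({"user": name, "kind": "exec", "command": cmd})
        elif "token" in user:
            finding = {"user": name, "kind": "static-token"}
            if user["token"].startswith(TOKEN_PREFIX):
                _, signed_at, expires_at = decode_eks_token(user["token"])
                finding["signed_at"] = signed_at.isoformat()
                finding["expires_at"] = expires_at.isoformat()
            findings.append(finding)
        else:
            findings.append({"user": name, "kind": "other"})
    return findings


# Constructed pre-signed URL: same shape as 'aws eks get-token' output, fake
# access key id and signature, signed at 2026-06-16T02:43:02Z.
SAMPLE_URL = (
    "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=ASIAEXAMPLEKEY%2F20260616%2Fus-east-1%2Fsts%2Faws4_request"
    "&X-Amz-Date=20260616T024302Z&X-Amz-Expires=60"
    "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id"
    "&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000000"
)
SAMPLE_TOKEN = encode_eks_token(SAMPLE_URL)

# Constructed kubeconfig: the broken static-token user beside the exec-provider
# user that 'aws eks update-kubeconfig' writes (cluster name 'demo' is made up).
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {"name": "static-user", "user": {"token": SAMPLE_TOKEN}},
        {"name": "exec-user", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "aws",
            "args": ["eks", "get-token", "--cluster-name", "demo"],
        }}},
    ],
}

if __name__ == "__main__":
    for finding in audit_kubeconfig(SAMPLE_KUBECONFIG):
        print(json.dumps(finding))
    print("seconds left at 02:50Z:", seconds_remaining(SAMPLE_TOKEN, "2026-06-16T02:50:00+00:00"))
    print("seconds left at 03:00Z:", seconds_remaining(SAMPLE_TOKEN, "2026-06-16T03:00:00+00:00"))
```

Against a real environment, feed 'kubectl config view --raw -o json' to audit_kubeconfig via json.load; any user reported as static-token with an expires_at in the past is the failure mode in this report, and the fix is the exec-kind entry shown next to it.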
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T02:43:02.436352+00:00 — report_created — created