How do I resolve the "InvalidIdentityToken" error when I use Amazon EKS IAM roles for service accounts?

The thumbprint for my Amazon Elastic Kubernetes Service (Amazon EKS) cluster changed and the Application Load Balancer (ALB) controller update fails. Or, my Amazon EKS pod is in a failed state with an "InvalidIdentityToken" error.
Resolution
Amazon EKS IAM roles for service accounts authenticate through OpenID Connect (OIDC). When you create an AWS Identity and Access Management (IAM) OIDC identity provider (IdP) for your Amazon EKS cluster, the thumbprint that you register is the SHA-1 hash of the root certificate at the top of the chain that the issuer endpoint serves. The Amazon root certificate authority (CA) certificate is valid for about 25 years.
You receive the following error when the thumbprint registered on the IAM OIDC provider no longer matches the certificate chain that the issuer serves:
WebIdentityErr: failed to retrieve credentials
caused by: InvalidIdentityToken: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint
This happens in the following scenarios:
- The certificate behind the thumbprint that's used in the OIDC provider expired and was replaced.
- The thumbprint doesn't match the CA that signed the certificate.
To resolve the issue, install and configure the OpenSSL command-line tool, then use it to obtain the current thumbprint as follows.
Find the URL of the OIDC IdP
To find the URL of the OIDC IdP, complete the following steps:
- Open the Amazon EKS console.
- In the navigation pane, choose Clusters.
- Choose the cluster that you want to view.
- Choose the Configuration tab.
- Under the Details section, note the OIDC IdP URL.
**Example:** https://oidc.eks.us-east-1.amazonaws.com/id/1111222233334444555566667777888F
Append /.well-known/openid-configuration to the OIDC IdP URL to form the URL of the IdP configuration document.
**Example:** https://oidc.eks.us-east-1.amazonaws.com/id/1111222233334444555566667777888F/.well-known/openid-configuration
Open this URL in a web browser and note the jwks_uri value in the output. The browser output is similar to the following:
{"issuer":"https://oidc.eks.us-east-1.amazonaws.com/id/1111222233334444555566667777888F","jwks_uri":"https://oidc.eks.us-east-1.amazonaws.com/id/1111222233334444555566667777888F/keys","authorization_endpoint":"urn:kubernetes:programmatic_authorization","response_types_supported":["id_token"],"subject_types_supported":["public"],"claims_supported":["sub","iss"],"id_token_signing_alg_values_supported":["RS256"]}
Display the certificates
Run the following OpenSSL command to display every certificate that the issuer endpoint sends:
**Note:** Replace oidc.eks.us-east-2.amazonaws.com with the host name from your OIDC IdP URL.
openssl s_client -connect oidc.eks.us-east-2.amazonaws.com:443 -showcerts
The output is similar to the following:
[root@ip-172-31-1-202 ~]# openssl s_client -connect oidc.eks.us-east-2.amazonaws.com:443 -showcerts
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.execute-api.us-east-2.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/CN=*.execute-api.us-east-2.amazonaws.com
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
-----BEGIN CERTIFICATE-----
CERTIFICATE Redacted
-----END CERTIFICATE-----
 1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
-----BEGIN CERTIFICATE-----
CERTIFICATE Redacted
-----END CERTIFICATE-----
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
CERTIFICATE Redacted
-----END CERTIFICATE-----
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEdTCCA12gAwIBAgIJAKcOSkw0grd/MA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
BAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTIw
MAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eTAeFw0wOTA5MDIwMDAwMDBaFw0zNDA2MjgxNzM5MTZaMIGYMQswCQYDVQQGEwJV
UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTElMCMGA1UE
ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7MDkGA1UEAxMyU3RhcmZp
ZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVDDrEKvlO4vW+GZdfjohTsR8/
y8+fIBNtKTrID30892t2OGPZNmCom15cAICyL1l/9of5JUOG52kbUpqQ4XHj2C0N
Tm/2yEnZtvMaVq4rtnQU68/7JuMauh2WLmo7WJSJR1b/JaCTcFOD2oR0FMNnngRo
Ot+OQFodSk7PQ5E751bWAHDLUu57fa4657wx+UX2wmDPE1kCK4DMNEffud6QZW0C
zyyRpqbn3oUYSXxmTqM6bam17jQuug0DuDPfR+uxa40l2ZvOgdFFRjKWcIfeAg5J
Q4W2bHO7ZOphQazJ1FTfhy/HIrImzJ9ZVGif/L4qL8RVHHVAYBeFAlU5i38FAgMB
AAGjgfAwge0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0O
BBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMB8GA1UdIwQYMBaAFL9ft9HO3R+G9FtV
rNzXEMIOqYjnME8GCCsGAQUFBwEBBEMwQTAcBggrBgEFBQcwAYYQaHR0cDovL28u
c3MyLnVzLzAhBggrBgEFBQcwAoYVaHR0cDovL3guc3MyLnVzL3guY2VyMCYGA1Ud
HwQfMB0wG6AZoBeGFWh0dHA6Ly9zLnNzMi51cy9yLmNybDARBgNVHSAECjAIMAYG
BFUdIAAwDQYJKoZIhvcNAQELBQADggEBACMd44pXyn3pF3lM8R5V/cxTbj5HD9/G
VfKyBDbtgB9TxF00KGu+x1X8Z+rLP3+QsjPNG1gQggL4+C/1E2DUBc7xgQjB3ad1
l08YuW3e95ORCLp+QCztweq7dp4zBncdDQh/U90bZKuCJ/Fp1U1ervShw3WnWEQt
8jxwmKy6abaVd38PMV4s/KCHOkdp8Hlf9BRUpJVeEXgSYCfOn8J3/yNTd126/+pZ
59vPr5KW7ySaNRB6nJHGDn2Z9j8Z3/VyVOEVqQdZe4O/Ui5GjLIAZHYcSNPYeehu
VsyuLAOQ1xk4meTKCRlb/weWsKh/NEnfVqn3sF/tM+2MR7cEXAMPLE=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.execute-api.us-east-2.amazonaws.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
If the output contains multiple certificates, use the last one at the end of the output. s_client prints the chain in the order the server sent it, leaf certificate first, so the last certificate is the root CA of the certificate chain (in the preceding output, certificate 3, Starfield Services Root Certificate Authority - G2).
Create a certificate file
Create a certificate file (for example, certificate.crt) and copy the contents of the last certificate into it, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Then, run the following command:
openssl x509 -in certificate.crt -text
The output is similar to the following:
[root@ip-172-31-1-202 ~]# openssl x509 -in certificate.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: a7:0e:4a:4c:34:82:b7:7f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
        Validity
            Not Before: Sep  2 00:00:00 2009 GMT
            Not After : Jun 28 17:39:16 2034 GMT
Check the validity of the certificate against the values in the Not Before and Not After fields. In the preceding output, the CA certificate is valid for about 25 years (September 2009 to June 2034).
Replace the expired certificate
If the output shows that the certificate has expired, the OIDC IdP must serve a renewed certificate. For Amazon EKS the issuer endpoint is operated by AWS, so you don't renew the certificate yourself: repeat the preceding steps to download the chain that the endpoint currently serves and save its last certificate to certificate.crt.
After you have the renewed certificate, run the following OpenSSL command to get the latest thumbprint:
openssl x509 -in certificate.crt -fingerprint -noout
The output is similar to the following:
SHA1 Fingerprint=9E:99:A4:8A:99:60:B1:49:26:BB:7F:3B:02:E2:2D:A2:B0:AB:72:80
Remove the colons (:) from the string to get the final thumbprint:
9E99A48A9960B14926BB7F3B02E22DA2B0AB7280
Or run the following command to print the thumbprint directly in that form. The first sed expression strips the "SHA1 Fingerprint=" label (newer OpenSSL versions print "sha1 Fingerprint="), and the second removes the colons; with s/://g alone the label would remain in the output:
$ openssl x509 -in certificate.crt -fingerprint -sha1 -noout | sed -e 's/^.*=//' -e 's/://g'
Update to the latest thumbprint
If the thumbprint on the IAM OIDC provider no longer matches the certificate chain, replace it with the latest thumbprint using either the IAM console or the AWS Command Line Interface (AWS CLI).
**IAM console**
To use the IAM console, complete the following steps:
- Open the IAM console.
- In the navigation pane, choose Identity providers.
- Choose the IdP that you want to update.
- In the Thumbprints section, choose Manage.
- Choose Add thumbprint, and then enter the new value.
- Choose Save changes.
AWS CLI
**Note:** If you receive errors when you run AWS CLI commands, see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent version of the AWS CLI.
Run the AWS CLI command update-open-id-connect-provider-thumbprint. This command replaces the provider's entire thumbprint list with the values that you pass, so include any existing thumbprints that other clusters or an in-progress rotation still rely on:
aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5ECB2797CB1324A37FC79E3C46851CED --thumbprint-list 9E99A48A9960B14926BB7F3B02E22DA2B0AB7280
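The whole procedure above (fetch the chain, take the last certificate, derive the colon-free SHA-1 thumbprint, compare it with what the IAM provider currently trusts, and update only when needed) as a single script. This is an added example and not code from the re:Post article or from AWS; it assumes openssl and the AWS CLI are on PATH with credentials allowed iam:GetOpenIDConnectProvider and iam:UpdateOpenIDConnectProviderThumbprint, and every function name in it is the example's own.

```sh
#!/bin/sh
# Added example, not part of the re:Post article: automate the steps above.
# Assumed environment: openssl and the AWS CLI on PATH, credentials allowed
# iam:GetOpenIDConnectProvider and iam:UpdateOpenIDConnectProviderThumbprint.
# All function names below are this example's own, not an AWS or EKS API.

# Print only the last PEM block from `openssl s_client -showcerts` output read
# on stdin. s_client prints the chain leaf first, so the last block is the top
# of the chain the server sent (for EKS, Starfield Services Root CA - G2).
last_pem_cert() {
  cert=""; cur=""; inside=0
  while IFS= read -r line; do
    case "$line" in
      "-----BEGIN CERTIFICATE-----") inside=1; cur="$line" ;;
      "-----END CERTIFICATE-----")   inside=0; cert="$cur
$line" ;;
      *) if [ "$inside" -eq 1 ]; then cur="$cur
$line"; fi ;;
    esac
  done
  [ -n "$cert" ] || return 1
  printf '%s\n' "$cert"
}

# Turn "SHA1 Fingerprint=9E:99:..." (OpenSSL 3 prints "sha1 Fingerprint=")
# into the 40 upper-case hex characters IAM expects. A bare `sed s/://g`
# would leave the "SHA1 Fingerprint=" label in the output.
normalize_fingerprint() {
  sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Fetch the chain from the issuer host ($1) and print the root thumbprint.
fetch_root_thumbprint() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | last_pem_cert \
    | openssl x509 -noout -sha1 -fingerprint \
    | normalize_fingerprint
}

# Issuer host of a cluster ($1 = cluster name), read from the API instead of the console.
issuer_host() {
  aws eks describe-cluster --name "$1" --query 'cluster.identity.oidc.issuer' \
    --output text | sed -e 's|^https://||' -e 's|/.*$||'
}

# Thumbprints currently on the IAM OIDC provider ($1 = provider ARN), tab-separated.
current_thumbprints() {
  aws iam get-open-id-connect-provider --open-id-connect-provider-arn "$1" \
    --query 'ThumbprintList' --output text
}

# Succeed if thumbprint $1 is in the whitespace-separated list $2 (case-insensitive).
thumbprint_in_list() {
  want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  for t in $2; do
    if [ "$(printf '%s' "$t" | tr 'a-f' 'A-F')" = "$want" ]; then return 0; fi
  done
  return 1
}

# Compare the live root thumbprint with the provider and update only if needed.
main() {  # $1 = issuer host, $2 = IAM OIDC provider ARN
  new=$(fetch_root_thumbprint "$1")
  if [ -z "$new" ]; then
    echo "could not read a certificate chain from $1" >&2; return 1
  fi
  have=$(current_thumbprints "$2")
  if thumbprint_in_list "$new" "$have"; then
    echo "provider already trusts $new; nothing to do"; return 0
  fi
  # UpdateOpenIDConnectProviderThumbprint REPLACES the whole list, so pass the
  # existing entries plus the new one; passing only the new value would drop
  # thumbprints that other clusters or a rotation window still rely on.
  echo "updating $2: $have + $new"
  # shellcheck disable=SC2086  # $have is split into one argument per thumbprint
  aws iam update-open-id-connect-provider-thumbprint \
    --open-id-connect-provider-arn "$2" \
    --thumbprint-list $have "$new"
}

# Usage: sh eks-oidc-thumbprint.sh "$(issuer_host my-cluster)" \
#   arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEID
[ $# -lt 2 ] || main "$@"
```

The script is written for POSIX sh and uses -servername so the endpoint sees the same SNI a browser or SDK would send. Because the update call replaces the list rather than appending to it, main passes the provider's existing thumbprints back alongside the new one; trim that list deliberately once a rotation is complete rather than letting the update silently drop entries.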