kubernetes-sigs/aws-iam-authenticator

x-k8s-aws-id included in the header, but gives Invalid query parameter x-k8s-aws-id

rchamarthi opened this issue · 1 comments

Hello, I am trying to generate an EKS token from dotnet code, which will then be used to create a k8s client. I am following the instructions here and trying to implement the same code in C#. I am getting an unauthorized error and the reason is that the token is malformed.

When I add the x-k8s-aws-id in the headers using

req.Headers.Add("x-k8s-aws-id", clusterName);

I get the following error (even though it is not added to a query parameter as the error suggests). Adding it in query parameters using req.Parameters.Add gives the same error, which is expected.

time="2022-05-28T06:49:27Z" level=warning msg="access denied" client="127.0.0.1:46940" error="input token was not properly formatted: non-whitelisted query parameter \"x-k8s-aws-id\"" method=POST path=/authenticate

When I don't include the x-k8s-aws-id in the query string or parameter, I see the following issue, which is expected.

client did not sign the x-k8s-aws-id header in the pre-signed URL

I logged the URL before it is encoded and I don't see any query parameter with x-k8s-aws-id as the key.

https://sts.us-east-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Expires=900&X-Amz-Security-Token=IQoJb3...DohRL
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=ASIA........I4H4/20220528/us-east-1/sts/aws4_request
&X-Amz-Date=20220528T063607Z
&X-Amz-SignedHeaders=host
&X-Amz-Signature=3b4fec....2c21e

After some tricky debugging, I found that this was because the signed headers query parameter had a semicolon in the value (;), which was causing an exception in the way the query parameter was being read.

X-Amz-SignedHeaders=host;x-k8s-aws-id

Once I URL encoded the query parameter values, it was interpreted correctly.
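The behaviour described above can be reproduced with Go's standard `net/url` query parser (Go is the language the authenticator is written in). Older Go releases split a query on a raw `;` as well as `&`, so `x-k8s-aws-id` is read as its own parameter, and Go 1.17 and later reject the raw semicolon outright. This is an added example, not code from the issue or from aws-iam-authenticator; `signsClusterID` and `encodeSignedHeaders` are hypothetical helpers, and the sample URL is constructed with the signature and credential parameters left out.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const clusterIDHeader = "x-k8s-aws-id" // header name taken from the issue above

// signsClusterID (hypothetical helper) reports whether X-Amz-SignedHeaders in
// a pre-signed URL lists the cluster ID header. Parsing is strict: a query
// parse error or a stray x-k8s-aws-id key is returned as an error.
func signsClusterID(presigned string) (bool, error) {
	u, err := url.Parse(presigned)
	if err != nil {
		return false, err
	}
	q, err := url.ParseQuery(u.RawQuery)
	if err != nil {
		return false, fmt.Errorf("query not parseable: %w", err)
	}
	if _, stray := q[clusterIDHeader]; stray {
		return false, fmt.Errorf("%q was read as a query parameter", clusterIDHeader)
	}
	for _, h := range strings.Split(q.Get("X-Amz-SignedHeaders"), ";") {
		if strings.EqualFold(h, clusterIDHeader) {
			return true, nil
		}
	}
	return false, nil
}

// encodeSignedHeaders (hypothetical helper) percent-encodes the value: ';' becomes %3B.
func encodeSignedHeaders(headers ...string) string {
	return url.Values{"X-Amz-SignedHeaders": {strings.Join(headers, ";")}}.Encode()
}

func main() {
	// Constructed sample URL: signature and credential parameters omitted.
	base := "https://sts.us-east-2.amazonaws.com/?Action=GetCallerIdentity&"
	raw := base + "X-Amz-SignedHeaders=host;x-k8s-aws-id"
	enc := base + encodeSignedHeaders("host", clusterIDHeader)
	for _, u := range []string{raw, enc} {
		ok, err := signsClusterID(u)
		fmt.Printf("%s\n  signed=%v err=%v\n", u, ok, err)
	}
}
```

Running the same check on the decoded token URL before sending it shows whether the client library left the semicolon unencoded.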