fix(eks): forward stored AWS integration credentials to k8s client builder

weichao · weichao · commit b03928d55b33 · 2026-04-26T10:49:38.000Z
Fixes Tracer-Cloud#969. Follow-up to Tracer-Cloud#724. Problem ------- PR Tracer-Cloud#724 let EKS be detected when the AWS integration is configured with stored IAM user credentials (access_key_id + secret_access_key, no role_arn), but build_k8s_clients still had no way to use those stored credentials. After Tracer-Cloud#724 it supports: 1. role_arn -> STS AssumeRole 2. ambient botocore chain (env / shared config / instance profile / IRSA) The stored integration credentials (persisted by resolve_integrations and surfaced in _eks_int['credentials']) were silently dropped. On hosts that happen to have ambient credentials pointing elsewhere, this picks up the wrong principal; on hosts without ambient credentials the call fails entirely, even though the integration has perfectly usable keys. Fix (approach Tracer-Cloud#2, pre-approved by Greptile in PR Tracer-Cloud#724 review) ------------------------------------------------------------- Forward the stored credentials through the existing eks_params pipeline: * detect_sources.py: set eks_params['credentials'] = _eks_int.get( 'credentials') or None alongside the other EKS integration fields. * eks_k8s_client.build_k8s_clients: accept an optional credentials kwarg. Resolution priority: 1. explicit credentials kwarg (stored-integration, new) 2. role_arn AssumeRole (existing production path) 3. ambient botocore chain (Tracer-Cloud#724 fallback) The two secondary fixes from Tracer-Cloud#724 are preserved (empty SessionToken coerced to None, regional STS endpoint). Test plan --------- - py_compile passes on both files. - ruff check + ruff format clean on both files. - Regression safety: the role_arn (AssumeRole) and ambient-botocore branches are unchanged; the new explicit branch only runs when the credentials kwarg is truthy and has access_key_id + secret_access_key. Related ------- - Fixes Tracer-Cloud#969. - Follow-up to Tracer-Cloud#724. - Greptile pre-approved this approach in Tracer-Cloud#724 (comment)
diff --git a/app/nodes/plan_actions/detect_sources.py b/app/nodes/plan_actions/detect_sources.py
@@ -714,6 +714,12 @@ def detect_sources(
                 "role_arn": _eks_int.get("role_arn", ""),
                 "external_id": _eks_int.get("external_id", ""),
                 "cluster_names": _eks_int.get("cluster_names", []),
+                # Forward stored AWS integration credentials so build_k8s_clients
+                # can use them explicitly instead of silently missing them when
+                # the AWS integration is configured with IAM user credentials
+                # (access_key_id + secret_access_key, no role_arn). Follow-up
+                # to #724 (stored-integration credential forwarding).
+                "credentials": _eks_int.get("credentials") or None,
             }
             if _has_injected_eks_backend:
                 # Backend-only path: only fixture-aware EKS tools should activate,
diff --git a/app/services/eks/eks_k8s_client.py b/app/services/eks/eks_k8s_client.py
@@ -40,10 +40,10 @@ def _generate_eks_token(cluster_name: str, assumed_creds: dict[str, Any], region
     creds = botocore.credentials.Credentials(
         access_key=assumed_creds["AccessKeyId"],
         secret_key=assumed_creds["SecretAccessKey"],
-        token=assumed_creds["SessionToken"],
+        token=assumed_creds["SessionToken"] or None,
     )
 
-    sts_url = "https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
+    sts_url = f"https://sts.{region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
     request = botocore.awsrequest.AWSRequest(
         method="GET",
         url=sts_url,
@@ -76,21 +76,61 @@ def build_k8s_clients(
     role_arn: str,
     external_id: str,
     region: str,
+    credentials: dict[str, Any] | None = None,
 ) -> tuple[k8s_client.CoreV1Api, k8s_client.AppsV1Api]:
     """Assume role, describe cluster, build in-memory Kubernetes API clients.
 
+    Credential resolution priority:
+      1. Explicit `credentials` kwarg (stored AWS integration IAM user creds).
+      2. `role_arn` → STS AssumeRole (existing behaviour).
+      3. Ambient botocore chain (env AK/SK, shared config, instance profile / IRSA).
+
     Returns (CoreV1Api, AppsV1Api) ready to query pods, events, nodes, deployments.
     No kubeconfig file is written to disk.
     """
-    assumed = _assume_role(role_arn, external_id, "TracerEKSK8sInvestigation")
+    if credentials and credentials.get("access_key_id") and credentials.get("secret_access_key"):
+        # Explicit stored-integration credentials path (highest priority).
+        # Matches the catalog + resolve_integrations flow: the AWS integration
+        # is configured with IAM user creds (access_key_id + secret_access_key),
+        # possibly with a session_token, and no role_arn. Previously these
+        # silently fell through to the ambient botocore chain which missed
+        # the stored values entirely when ambient creds were also set but
+        # pointed elsewhere.
+        logger.info("[eks] Using explicit stored-integration AWS credentials")
+        assumed = {
+            "AccessKeyId": credentials["access_key_id"],
+            "SecretAccessKey": credentials["secret_access_key"],
+            "SessionToken": credentials.get("session_token") or "",
+        }
+    elif role_arn:
+        assumed = _assume_role(role_arn, external_id, "TracerEKSK8sInvestigation")
+    else:
+        # No role_arn and no explicit creds: fall back to ambient AWS
+        # credentials (env AK/SK, shared config profile, or instance profile
+        # / IRSA). Preserves the #724 fallback behaviour.
+        logger.info("[eks] No role_arn or explicit credentials; using ambient AWS credentials")
+        import botocore.session as _bsession
+
+        sess = _bsession.get_session()
+        ambient = sess.get_credentials()
+        if ambient is None:
+            msg = "No AWS credentials available for EKS investigation"
+            logger.error("[eks] %s", msg)
+            raise RuntimeError(msg)
+        frozen = ambient.get_frozen_credentials()
+        assumed = {
+            "AccessKeyId": frozen.access_key,
+            "SecretAccessKey": frozen.secret_key,
+            "SessionToken": frozen.token or "",
+        }
 
     logger.info("[eks] Describing cluster: %s in region %s", cluster_name, region)
     eks = boto3.client(
         "eks",
         region_name=region,
         aws_access_key_id=assumed["AccessKeyId"],
         aws_secret_access_key=assumed["SecretAccessKey"],
-        aws_session_token=assumed["SessionToken"],
+        aws_session_token=assumed["SessionToken"] or None,
     )
     cluster_info = eks.describe_cluster(name=cluster_name)["cluster"]
     endpoint = cluster_info["endpoint"]
