Re: [PR] fix: EksPodOperator 401 with cross-account AssumeRole via aws_conn_id [airflow]

Mon, 11 May 2026 17:00:47 -0700 


ferruzzi commented on code in PR #65335:
URL: https://github.com/apache/airflow/pull/65335#discussion_r3222853635


##########
providers/amazon/src/airflow/providers/amazon/aws/hooks/eks.py:
##########
@@ -82,20 +82,25 @@ class NodegroupStates(Enum):
             # Load credentials from secure file using (POSIX-compliant dot 
operator)
             . {credentials_file}
 
+            # Redirect stderr to /dev/null to prevent Python warnings, 
deprecation
+            # notices, or other log output from contaminating stdout. The token
+            # output must be the ONLY thing on stdout for bash token parsing 
to work.
             output=$({python_executable} -m 
airflow.providers.amazon.aws.utils.eks_get_token \
-                --cluster-name {eks_cluster_name} --sts-url '{sts_url}' {args} 
2>&1)
+                --cluster-name {eks_cluster_name} --sts-url '{sts_url}' {args} 
2>/dev/null)

Review Comment:
   I may be missing something, but isn't this going to dump the error messages 
if there is an error and result in the user seeing `eks_get_token failed with 
exit code 1. Output was:` with no reason since it got tossed into `/dev/null`?  
Maybe as a compromise should we write to a tempfile and read that file back on 
error?  That way it's a clean output in the happy case and we still get the 
error messages?



##########
providers/amazon/src/airflow/providers/amazon/aws/hooks/eks.py:
##########
@@ -82,20 +82,25 @@ class NodegroupStates(Enum):
             # Load credentials from secure file using (POSIX-compliant dot 
operator)
             . {credentials_file}
 
+            # Redirect stderr to /dev/null to prevent Python warnings, 
deprecation
+            # notices, or other log output from contaminating stdout. The token
+            # output must be the ONLY thing on stdout for bash token parsing 
to work.
             output=$({python_executable} -m 
airflow.providers.amazon.aws.utils.eks_get_token \
-                --cluster-name {eks_cluster_name} --sts-url '{sts_url}' {args} 
2>&1)
+                --cluster-name {eks_cluster_name} --sts-url '{sts_url}' {args} 
2>/dev/null)
 
             status=$?
 
             # Clear environment variables after use (defense in depth)
             unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
 
             if [ "$status" -ne 0 ]; then
-                printf '%s' "$output" >&2
+                printf 'eks_get_token failed with exit code %s. Output was: 
%s' \
+                    "$status" "$output" >&2

Review Comment:
   If I am reading your description right, there is a concern that the token 
may be printed.  Could it be printed here as part of `$output`?  Should this be 
masked or scrubbed or something?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to