akhilesharora commented on code in PR #63020:
URL: https://github.com/apache/airflow/pull/63020#discussion_r2901558874


##########
providers/amazon/src/airflow/providers/amazon/aws/operators/eks.py:
##########
@@ -1171,6 +1173,100 @@ def trigger_reentry(self, context: Context, event: 
dict[str, Any]) -> Any:
             ) as self.config_file:
                 return super().trigger_reentry(context, event)
 
+    def invoke_defer_method(
+        self, last_log_time: DateTime | None = None, context: Context | None = 
None
+    ) -> None:
+        """
+        Override to generate a token-based kubeconfig for the triggerer.
+
+        The base KubernetesPodOperator.invoke_defer_method() calls 
convert_config_file_to_dict()
+        which reads the kubeconfig file into a dict. For EKS, this kubeconfig 
contains an exec
+        block that references a temp file with AWS credentials. This temp file 
only exists on
+        the worker and is deleted when the context managers exit.
+
+        When the trigger is serialized and sent to the triggerer (which runs 
on a different host),
+        the exec block tries to source a file that doesn't exist, causing 401 
Unauthorized errors.
+
+        This override generates a kubeconfig with an embedded bearer token 
instead of an exec
+        block, allowing the config to work on the triggerer without requiring 
local temp files.
+        """
+        eks_hook = EksHook(
+            aws_conn_id=self.aws_conn_id,
+            region_name=self.region,
+        )
+
+        # Generate a kubeconfig dict with an embedded token (no exec block)
+        self._config_dict = eks_hook.generate_config_dict_for_deferral(
+            eks_cluster_name=self.cluster_name,
+            pod_namespace=self.namespace,
+        )
+
+        # Now call the parent's invoke_defer_method, but skip 
convert_config_file_to_dict
+        # since we've already set self._config_dict
+        # We need to replicate the parent logic but use our config_dict
+        import datetime
+
+        from airflow.providers.cncf.kubernetes.triggers.pod import 
ContainerState, KubernetesPodTrigger
+        from airflow.providers.common.compat.sdk import 
AirflowNotFoundException, BaseHook
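Review bot: `self._config_dict` now holds a kubeconfig with an embedded bearer token, and the docstring says this config is serialized with the trigger and sent to the triggerer, so the credential itself travels with the trigger instead of staying on the worker. EKS tokens are short-lived and, without the exec block, the triggerer presumably has no way to refresh one, so a pod that stays deferred past the token lifetime may hit the same 401 this override is meant to fix; it is worth confirming how `generate_config_dict_for_deferral` handles that. I would document both points above the assignment, e.g. `# NOTE: _config_dict embeds a short-lived bearer token; it is serialized with the trigger, so never log it and expect it to expire while deferred.` The rest of invoke_defer_method lies outside the quoted hunk, so whether the dict is logged or refreshed later cannot be checked here.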

Review Comment:
    I placed these imports locally, but they could be moved to module level to
match the parent class pattern.


