Re: [PR] fix: EksPodOperator 401 with cross-account AssumeRole via aws_conn_id [airflow]

Mon, 11 May 2026 23:10:50 -0700 


anmolxlight commented on code in PR #65335:
URL: https://github.com/apache/airflow/pull/65335#discussion_r3224083073


##########
providers/amazon/src/airflow/providers/amazon/aws/hooks/eks.py:
##########
@@ -82,20 +82,25 @@ class NodegroupStates(Enum):
             # Load credentials from secure file using (POSIX-compliant dot 
operator)
             . {credentials_file}
 
+            # Redirect stderr to /dev/null to prevent Python warnings, 
deprecation
+            # notices, or other log output from contaminating stdout. The token
+            # output must be the ONLY thing on stdout for bash token parsing 
to work.
             output=$({python_executable} -m 
airflow.providers.amazon.aws.utils.eks_get_token \
-                --cluster-name {eks_cluster_name} --sts-url '{sts_url}' {args} 
2>&1)
+                --cluster-name {eks_cluster_name} --sts-url '{sts_url}' {args} 
2>/dev/null)

Review Comment:
   Fixed. stderr now goes to a temporary file instead of /dev/null, so stdout 
stays clean for token parsing on success while the captured stderr is emitted 
if eks_get_token exits nonzero.



##########
providers/amazon/src/airflow/providers/amazon/aws/hooks/eks.py:
##########
@@ -82,20 +82,25 @@ class NodegroupStates(Enum):
             # Load credentials from secure file using (POSIX-compliant dot 
operator)
             . {credentials_file}
 
+            # Redirect stderr to /dev/null to prevent Python warnings, 
deprecation
+            # notices, or other log output from contaminating stdout. The token
+            # output must be the ONLY thing on stdout for bash token parsing 
to work.
             output=$({python_executable} -m 
airflow.providers.amazon.aws.utils.eks_get_token \
-                --cluster-name {eks_cluster_name} --sts-url '{sts_url}' {args} 
2>&1)
+                --cluster-name {eks_cluster_name} --sts-url '{sts_url}' {args} 
2>/dev/null)
 
             status=$?
 
             # Clear environment variables after use (defense in depth)
             unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
 
             if [ "$status" -ne 0 ]; then
-                printf '%s' "$output" >&2
+                printf 'eks_get_token failed with exit code %s. Output was: 
%s' \
+                    "$status" "$output" >&2

Review Comment:
   Adjusted this to avoid printing stdout on failure. Since stdout can contain 
the token, the error path now reports only the exit code plus captured stderr 
from the temp file.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to