Multi-primary auth in AWS EKS

When using istioctl x create-remote-secret, it seems to get a token that only lasts ~15 minutes. I have tried manually updating the secret with an exec block to call aws eks get-token, but it seems to be blocked, as I see an error like:

2022-10-19T17:09:35.780714Z	error	Updating cluster_id=cluster1 from secret=istio-system/istio-remote-secret-cluster1: kubeconfig is not allowed: exec is not allowed

Not sure if anyone has run into this and found a workaround. Searching hasn’t come up with much.

Okay, this was my own fault. I was creating this secret manually using the token from a Terraform EKS module, which was short-lived. After getting the token from the service account like the command does, it’s working.
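A way to tell which of the credentials discussed in this thread a remote secret's kubeconfig actually carries, as an added example that is not part of the original posts or Istio's own code. It assumes the kubeconfig `user` entry is already parsed into a dict; the function names and all sample values are constructed for illustration.

```python
import base64
import json
import time

EKS_PREFIX = "k8s-aws-v1."  # prefix of tokens produced by `aws eks get-token`

def b64url_decode(s):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def classify_user(user, now=None):
    """Classify one parsed kubeconfig `user` entry.

    Returns (kind, seconds_left); seconds_left is None when no expiry is
    readable from the credential itself.
    """
    now = time.time() if now is None else now
    if "exec" in user:
        return ("exec-plugin", None)    # istiod logs "exec is not allowed"
    token = user.get("token", "")
    if token.startswith(EKS_PREFIX):
        return ("eks-presigned", None)  # short-lived (~15 min per the thread)
    parts = token.split(".")
    if len(parts) == 3:
        try:
            claims = json.loads(b64url_decode(parts[1]))
        except ValueError:              # bad base64, bad UTF-8 or bad JSON
            return ("opaque", None)
        if isinstance(claims, dict):
            exp = claims.get("exp")     # absent on non-expiring tokens
            return ("jwt", None if exp is None else exp - now)
    return ("opaque", None)

def make_jwt(claims):
    """Build an unsigned, constructed JWT-shaped string for the samples."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample `user` entries (not real credentials).
SAMPLES = {
    "exec": {"exec": {"command": "aws", "args": ["eks", "get-token"]}},
    "eks": {"token": EKS_PREFIX + "aHR0cHM6Ly9zdHMuZXhhbXBsZS5pbnZhbGlkLw"},
    "sa-static": {"token": make_jwt({"sub": "system:serviceaccount:istio-system:reader"})},
    "sa-bound": {"token": make_jwt({"sub": "system:serviceaccount:istio-system:reader", "exp": 1700003600})},
}

if __name__ == "__main__":
    for name, user in SAMPLES.items():
        print(name, classify_user(user, now=1700000000))
```

The check only decodes the token's claims to read `exp`; it does not verify the signature, so it is a diagnostic for your own secret, not an authentication step.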