AWS::EKS::IdentityProviderConfig - AWS CloudFormation


Associates an identity provider configuration to a cluster.

If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster, you can create Kubernetes Role and ClusterRole objects, assign permissions to them, and then bind them to the identities using Kubernetes RoleBinding and ClusterRoleBinding objects. For more information, see Using RBAC Authorization in the Kubernetes documentation.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{
  "Type" : "AWS::EKS::IdentityProviderConfig",
  "Properties" : {
      "ClusterName" : String,
      "IdentityProviderConfigName" : String,
      "Oidc" : OidcIdentityProviderConfig,
      "Tags" : [ Tag, ... ],
      "Type" : String
    }
}


Type: AWS::EKS::IdentityProviderConfig
Properties:
  ClusterName: String
  IdentityProviderConfigName: String
  Oidc:
    OidcIdentityProviderConfig
  Tags:
    - Tag
  Type: String



ClusterName

The name of your cluster.

Required: Yes

Type: String

Update requires: Replacement


IdentityProviderConfigName

The name of the configuration.

Required: No

Type: String

Update requires: Replacement


Oidc

An object representing an OpenID Connect (OIDC) identity provider configuration.

Required: No

Type: OidcIdentityProviderConfig

Update requires: Replacement


Tags

Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.

Required: No

Type: Array of Tag

Update requires: No interruption


Type

The type of the identity provider configuration. The only type available is oidc.

Required: Yes

Type: String

Allowed values: oidc

Update requires: Replacement

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name. For example:

{ "Ref": "myIdentityProviderConfig" }

For the IdentityProviderConfig, Ref returns the physical resource ID of the config. For example, cluster-name/oidc/identity-provider-config-name.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The Amazon Resource Name (ARN) associated with the identity provider config.


Creating an identity provider config and Fargate profile resources in the same template.

If AWS CloudFormation attempts to create both resources at the same time, resource creation fails. If you want to create both resources in the same template, then add the DependsOn property in your template, as shown in the examples.


Create an identity provider config

The following example creates an identity provider config. If you're not creating an EKSFargateProfile in the same template, remove the "DependsOn" line in the following example. For more information, see AWS::EKS::FargateProfile.


{
  "EKSIdpConfig": {
    "DependsOn": "EKSFargateProfile",
    "Type": "AWS::EKS::IdentityProviderConfig",
    "Properties": {
      "ClusterName": "my-cluster",
      "Type": "oidc",
      "Oidc": {
        "ClientId": "kubernetes",
        "IssuerUrl": ""
      }
    }
  }
}


Resources:
  EKSIdpConfig:
    DependsOn: EKSFargateProfile
    Type: AWS::EKS::IdentityProviderConfig
    Properties:
      ClusterName: my-cluster
      Type: oidc
      Oidc:
        ClientId: "kubernetes"
        IssuerUrl: ""
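A pre-deployment check for the constraints described on this page (required ClusterName, Type limited to oidc, and a DependsOn ordering between an identity provider config and any Fargate profile in the same template), written as an added example that is not AWS's code or part of the original page. The names lint_template and depends_on, the sample logical IDs and the idp.example.com issuer are constructed for illustration; the https:// rule for IssuerUrl is an assumption taken from the EKS API, not from this page.

```python
IDP = "AWS::EKS::IdentityProviderConfig"
FARGATE = "AWS::EKS::FargateProfile"

def depends_on(resource):
    """DependsOn as a set; CloudFormation accepts a string or a list."""
    dep = resource.get("DependsOn", [])
    return {dep} if isinstance(dep, str) else set(dep)

def lint_template(template):
    """Return (logical_id, message) findings for identity provider configs."""
    resources = template.get("Resources", {})
    fargate = sorted(k for k, r in resources.items() if r.get("Type") == FARGATE)
    findings = []
    for name, res in resources.items():
        if res.get("Type") != IDP:
            continue
        props = res.get("Properties", {})
        if not props.get("ClusterName"):
            findings.append((name, "ClusterName is required"))
        if props.get("Type") != "oidc":
            findings.append((name, "Type must be 'oidc'"))
        # Assumption from the EKS API, not this page: the issuer URL is https.
        # Intrinsic functions (dict values) cannot be checked statically.
        issuer = (props.get("Oidc") or {}).get("IssuerUrl")
        if isinstance(issuer, str) and not issuer.startswith("https://"):
            findings.append((name, "Oidc.IssuerUrl must start with https://"))
        # DependsOn in either direction keeps the two creations from overlapping.
        for fid in fargate:
            if fid not in depends_on(res) and name not in depends_on(resources[fid]):
                findings.append((name, "no DependsOn ordering with " + fid))
    return findings

# Constructed sample template; logical IDs and the issuer URL are made up.
SAMPLE = {"Resources": {
    "EKSFargateProfile": {"Type": FARGATE, "Properties": {"ClusterName": "my-cluster"}},
    "GoodIdp": {
        "Type": IDP, "DependsOn": "EKSFargateProfile",
        "Properties": {"ClusterName": "my-cluster", "Type": "oidc",
                       "Oidc": {"ClientId": "kubernetes",
                                "IssuerUrl": "https://idp.example.com"}}},
    "BadIdp": {
        "Type": IDP,
        "Properties": {"ClusterName": "my-cluster", "Type": "saml",
                       "Oidc": {"ClientId": "kubernetes", "IssuerUrl": ""}}},
}}

if __name__ == "__main__":
    for logical_id, message in lint_template(SAMPLE):
        print(logical_id + ": " + message)
```

Orderings implied only by Ref or Fn::GetAtt between the two resources are not detected; the check looks at explicit DependsOn alone.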
