Create an IAM OIDC provider for your cluster - Amazon EKS

Create an IAM OIDC provider for your cluster

Your cluster has an OpenID Connect issuer URL associated with it. To use IAM roles for service accounts, an IAM OIDC provider must exist for your cluster.

Prerequisites

An existing cluster. If you don't have one, you can create one using one of the Getting started with Amazon EKS guides.

You can create an OIDC provider for your cluster using eksctl or the AWS Management Console.

eksctl

To create an IAM OIDC identity provider for your cluster with eksctl

  1. Determine whether you have an existing IAM OIDC provider for your cluster.

    View your cluster's OIDC provider URL.

    aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text

    Example output:

    https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE

    List the IAM OIDC providers in your account. Replace EXAMPLED539D4633E53DE1B71EXAMPLE with the value returned from the previous command.

    aws iam list-open-id-connect-providers | grep EXAMPLED539D4633E53DE1B71EXAMPLE

    Example output:

    "Arn": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

    If output is returned from the previous command, then you already have a provider for your cluster. If no output is returned, then you must create an IAM OIDC provider.

  2. Create an IAM OIDC identity provider for your cluster with the following command. Replace my-cluster with your own value.

    eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve
AWS Management Console

To create an IAM OIDC identity provider for your cluster with the AWS Management Console

  1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.

  2. Select the name of your cluster and then select the Configuration tab.

  3. In the Details section, note the value of the OpenID Connect provider URL.

  4. Open the IAM console at https://console.aws.amazon.com/iam/.

  5. In the left navigation pane, choose Identity Providers under Access management. If a Provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one.

  6. To create a provider, choose Add Provider.

  7. For Provider Type, choose OpenID Connect.

  8. For Provider URL, paste the OIDC issuer URL for your cluster, and then choose Get thumbprint.

  9. For Audience, enter sts.amazonaws.com and choose Add provider.