Creating an IAM OIDC provider for your cluster - Amazon EKS

Creating an IAM OIDC provider for your cluster

Your cluster has an OpenID Connect (OIDC) issuer URL associated with it. To use AWS Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL.

Prerequisites

  • An existing Amazon EKS cluster. To deploy one, see Getting started with Amazon EKS.

  • Version 2.11.3 or later or 1.27.93 or later of the AWS CLI installed and configured on your device or AWS CloudShell. You can check your current version with aws --version | cut -d / -f2 | cut -d ' ' -f1. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the AWS CLI. To install the latest version, see Installing, updating, and uninstalling the AWS CLI and Quick configuration with aws configure in the AWS Command Line Interface User Guide. The AWS CLI version installed in the AWS CloudShell may also be several versions behind the latest version. To update it, see Installing AWS CLI to your home directory in the AWS CloudShell User Guide.

  • The kubectl command line tool is installed on your device or AWS CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is 1.24, you can use kubectl version 1.23, 1.24, or 1.25 with it. To install or upgrade kubectl, see Installing or updating kubectl.

  • An existing kubectl config file that contains your cluster configuration. To create a kubectl config file, see Creating or updating a kubeconfig file for an Amazon EKS cluster.

You can create an IAM OIDC provider for your cluster using eksctl or the AWS Management Console.

eksctl
Prerequisite

Version 0.136.0 or later of the eksctl command line tool installed on your device or AWS CloudShell. To install or update eksctl, see Installing or updating eksctl.

To create an IAM OIDC identity provider for your cluster with eksctl

  1. Determine whether you have an existing IAM OIDC provider for your cluster.

    Retrieve your cluster's OIDC provider ID and store it in a variable.

    oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)

  2. Determine whether an IAM OIDC provider with your cluster's ID is already in your account.

    aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

    If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster.

  3. Create an IAM OIDC identity provider for your cluster with the following command. Replace my-cluster with your own value.

    eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve
AWS Management Console
To create an IAM OIDC identity provider for your cluster with the AWS Management Console

  1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.

  2. In the left pane, select Clusters, and then select the name of your cluster on the Clusters page.

  3. In the Details section on the Overview tab, note the value of the OpenID Connect provider URL.

  4. Open the IAM console at https://console.aws.amazon.com/iam/.

  5. In the left navigation pane, choose Identity Providers under Access management. If a Provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one.

  6. To create a provider, choose Add provider.

  7. For Provider type, select OpenID Connect.

  8. For Provider URL, enter the OIDC provider URL for your cluster, and then choose Get thumbprint.

  9. For Audience, enter sts.amazonaws.com and choose Add provider.

Next step

Configuring a Kubernetes service account to assume an IAM role