A quick post on creating EKS OIDC provider.
We will be creating an OpenID Connect (OIDC) identity provider in IAM for an AWS EKS cluster. The provider establishes trust between your AWS account and the Kubernetes cluster running on EKS: IAM will accept tokens issued by the cluster's OIDC issuer. IAM roles for service accounts (IRSA) only work when the cluster's OIDC issuer is registered as a provider in IAM, so it is worth creating it at the start of a project, together with the cluster.
Let’s get into steps to create an OIDC provider for your cluster.
First, you need to get the OpenID Connect provider URL from EKS Cluster.
- Navigate to EKS console
- Click on Cluster name
- Select Configuration tab and check under Details
Now head back to the IAM console
- Click on Identity providers under Access management in the left-hand menu
- Click on the Add provider button
- Select OpenID Connect
- Paste the EKS OpenID Connect provider URL into the Provider URL field
- Click on the Get thumbprint button
- Enter sts.amazonaws.com in the Audience field (this is the client ID that STS presents when a pod's service-account token is exchanged for role credentials)
- Click on the Add provider button
Identity provider is created! View its details by clicking on the provider name.
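The same procedure from the command line, as an added example rather than code from the original post: it reads the issuer URL from the cluster, computes the thumbprint the way the console's Get thumbprint button does, and creates the provider. It assumes the AWS CLI is configured with permissions to describe the cluster and to read and create IAM OIDC providers, that openssl is on the PATH, and that the cluster name is supplied in an EKS_CLUSTER_NAME environment variable (a name chosen for this script). The issuer URL and account ID in the comments are made-up examples.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes: aws CLI configured
# with rights to describe the cluster and manage IAM OIDC providers, openssl
# on PATH, and the cluster name in EKS_CLUSTER_NAME (a hypothetical variable).
set -eu

# Issuer URL -> host name, e.g. (made-up issuer)
# https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
#   -> oidc.eks.us-east-1.amazonaws.com
issuer_host() {
  printf '%s\n' "$1" | sed -e 's#^https://##' -e 's#/.*$##'
}

# Account ID + issuer URL -> the ARN IAM gives the provider: scheme dropped,
# host and /id/... path kept. Lets us check for an existing provider first.
provider_arn() {
  printf 'arn:aws:iam::%s:oidc-provider/%s\n' "$1" "${2#https://}"
}

# IAM wants the SHA-1 of the DER certificate as 40 lowercase hex chars.
valid_thumbprint() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Thumbprint of the last certificate in the chain the issuer host serves,
# which is the certificate AWS documents for the provider's thumbprint list.
issuer_thumbprint() {
  host="$1"
  openssl s_client -servername "$host" -showcerts -connect "$host:443" </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/{buf=""} {buf=buf $0 "\n"} /END CERTIFICATE/{last=buf} END{printf "%s", last}' \
    | openssl x509 -fingerprint -sha1 -noout \
    | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Create the provider for a cluster, or report the existing one.
create_provider() {
  cluster="$1"
  issuer=$(aws eks describe-cluster --name "$cluster" \
             --query 'cluster.identity.oidc.issuer' --output text)
  account=$(aws sts get-caller-identity --query Account --output text)
  arn=$(provider_arn "$account" "$issuer")

  # IAM allows one provider per URL, so a rerun must not fail on EntityAlreadyExists.
  if aws iam get-open-id-connect-provider --open-id-connect-provider-arn "$arn" >/dev/null 2>&1; then
    echo "provider already exists: $arn"
    return 0
  fi

  thumb=$(issuer_thumbprint "$(issuer_host "$issuer")")
  if ! valid_thumbprint "$thumb"; then
    echo "could not compute a thumbprint for $issuer" >&2
    return 1
  fi
  echo "issuer:     $issuer"
  echo "thumbprint: $thumb"

  aws iam create-open-id-connect-provider \
    --url "$issuer" \
    --client-id-list sts.amazonaws.com \
    --thumbprint-list "$thumb" \
    --query OpenIDConnectProviderArn --output text
}

if [ -n "${EKS_CLUSTER_NAME:-}" ]; then
  create_provider "$EKS_CLUSTER_NAME"
fi
```

Run it as `EKS_CLUSTER_NAME=my-cluster sh create-oidc-provider.sh`. Compare the printed thumbprint with the one the console's Get thumbprint button shows before relying on it: the value depends on the certificate chain the issuer host serves, and a chain change after provider creation means the thumbprint list in IAM must be updated.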
If you are using CloudFormation as your IaC tool, the resource block below creates the OIDC provider for the EKS cluster:
```yaml
OidcProvider:
  Type: AWS::IAM::OIDCProvider
  Properties:
    # Issuer URL exposed by the AWS::EKS::Cluster resource in this template
    Url: !GetAtt EksCluster.OpenIdConnectIssuerUrl
    # SHA-1 thumbprint of the issuer's CA certificate (see note below)
    ThumbprintList:
      - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
    # Audience presented by STS when exchanging a service-account token
    ClientIdList:
      - sts.amazonaws.com
```
Where EksCluster is the logical ID of the EKS cluster resource in the same CloudFormation template, and 9e99a48a9960b14926bb7f3b02e22da2b0ab7280 is the EKS OIDC thumbprint for the us-east-1 region. Refer to the AWS documentation for the thumbprint of your region, or compute it from the certificate chain served by the issuer host; the value is tied to that chain, so verify it rather than copying it blindly.