A quick post on creating EKS OIDC provider.
We will be creating an OpenID Connect (OIDC) identity provider for the AWS EKS cluster in the IAM service. It establishes trust between the AWS account and the Kubernetes cluster running on EKS. To use IAM roles with service accounts created under the EKS cluster, the cluster must have an OIDC provider associated with it. Hence, it’s important to create this at the beginning of the project along with the cluster.
Let’s get into steps to create an OIDC provider for your cluster.
First, you need to get the OpenID Connect provider URL from the EKS cluster.
- Navigate to EKS console
- Click on Cluster name
- Select Configuration tab and check under Details
Now head back to the IAM console.
- Click on Identity providers under Access management on left hand side menu
- Click on Add provider button
- Select OpenID Connect
- Paste the EKS OpenID provider URL in the given field
- Click on Get thumbprint button
- Enter sts.amazonaws.com in the Audience field
- Click on Add provider button.
The identity provider is created! View its details by clicking on the provider name.
If you are using CloudFormation as an IaC tool, the resource block below can be used to create the OIDC provider for the EKS cluster:

```yaml
OidcProvider:
  Type: AWS::IAM::OIDCProvider
  Properties:
    Url: !GetAtt EksCluster.OpenIdConnectIssuerUrl
    ThumbprintList:
      - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
    ClientIdList:
      - sts.amazonaws.com
```

EksCluster is the logical ID of the EKS cluster resource in the same CloudFormation template.
9e99a48a9960b14926bb7f3b02e22da2b0ab7280 is the EKS thumbprint for region us-east-1. Refer to this document to get thumbprints.
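Once the provider exists, the next thing a practitioner needs is a role trust policy that references it. The added example below (not code from the original post) derives the provider ARN from the issuer URL and builds a trust policy that pins both the audience entered above (sts.amazonaws.com) and the Kubernetes service account, then checks an existing policy for that scoping; a policy that checks only the audience lets any pod in the cluster assume the role. The account ID and issuer URL are constructed sample values, not from the post.

```python
import json
from urllib.parse import urlparse

# Constructed sample values (not from the post), in the shape EKS returns.
SAMPLE_ACCOUNT_ID = "111122223333"
SAMPLE_ISSUER_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
AUDIENCE = "sts.amazonaws.com"  # the value entered in the Audience field


def provider_host_path(issuer_url: str) -> str:
    """Issuer URL without scheme; IAM uses it in the provider ARN and condition keys."""
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("issuer must be an https URL")
    return parsed.netloc + parsed.path.rstrip("/")


def provider_arn(account_id: str, issuer_url: str) -> str:
    return f"arn:aws:iam::{account_id}:oidc-provider/{provider_host_path(issuer_url)}"


def trust_policy(account_id: str, issuer_url: str, namespace: str, service_account: str) -> dict:
    """Trust policy for an IRSA role: only the named service account may assume it."""
    host = provider_host_path(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, issuer_url)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": AUDIENCE,
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def is_scoped(policy: dict, issuer_url: str) -> bool:
    """True only if every statement pins both the audience and a service-account subject."""
    host = provider_host_path(issuer_url)
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        sub = str(cond.get(f"{host}:sub", ""))
        if cond.get(f"{host}:aud") != AUDIENCE or not sub.startswith("system:serviceaccount:"):
            return False
    return True


if __name__ == "__main__":
    policy = trust_policy(SAMPLE_ACCOUNT_ID, SAMPLE_ISSUER_URL, "default", "app-sa")
    print(json.dumps(policy, indent=2))
    print("scoped:", is_scoped(policy, SAMPLE_ISSUER_URL))
```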