Authenticating users for your cluster from an OpenID Connect identity provider
Amazon EKS supports using OpenID Connect (OIDC) identity providers as a method
to authenticate users to your cluster. OIDC identity providers can be used with, or as an
alternative to Amazon Identity and Access Management (IAM). For more information about using IAM, see Enabling IAM principal access to your
cluster. After configuring
authentication to your cluster, you can create Kubernetes roles
and
clusterroles
to assign permissions to the roles, and then bind the roles to
the identities using Kubernetes rolebindings
and clusterrolebindings
.
For more information, see Using RBAC
Authorization
Considerations
-
You can associate one OIDC identity provider to your cluster.
-
Kubernetes doesn't provide an OIDC identity provider. You can use an existing public OIDC identity provider, or you can run your own identity provider. For a list of certified providers, see OpenID Certification
on the OpenID site. -
The issuer URL of the OIDC identity provider must be publicly accessible, so that Amazon EKS can discover the signing keys. Amazon EKS does not support OIDC identity providers with self-signed certificates.
-
You can't disable the Amazon IAM authenticator on your cluster, because it is still required for joining nodes to a cluster. For more information, see Amazon IAM Authenticator for Kubernetes
on GitHub. -
An Amazon EKS cluster must still be created by an Amazon IAM principal, rather than an OIDC identity provider user. This is because the cluster creator interacts with the Amazon EKS APIs, rather than the Kubernetes APIs.
-
OIDC identity provider-authenticated users are listed in the cluster's audit log if CloudWatch logs are turned on for the control plane. For more information, see Enabling and disabling control plane logs.
-
You can't sign in to the Amazon Web Services Management Console with an account from an OIDC provider. You can only view Kubernetes resources in the console by signing into the Amazon Web Services Management Console with an Amazon Identity and Access Management account.
Associate an OIDC identity provider
Before you can associate an OIDC identity provider with your cluster, you need the following information from your provider:
- Issuer URL
-
The URL of the OIDC identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with
https://
and should correspond to theiss
claim in the provider's OIDC ID tokens. In accordance with the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a host name, likehttps://server.example.org
orhttps://example.com
. This URL should point to the level below.well-known/openid-configuration
and must be publicly accessible over the internet. - Client ID (also known as audience)
-
The ID for the client application that makes authentication requests to the OIDC identity provider.
You can associate an identity provider using eksctl
or the Amazon Web Services Management Console.
Disassociate an OIDC identity provider from your cluster
If you disassociate an OIDC identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with IAM principals.
To disassociate an OIDC identity provider from your cluster using the Amazon Web Services Management Console
-
Open the Amazon EKS console at https://console.amazonaws.cn/eks/home#/clusters
. -
In the OIDC Identity Providers section, select Disassociate, enter the identity provider name, and then select
Disassociate
.
Example IAM policy
If you want to prevent an OIDC identity provider from being associated with a cluster, create and associate the following IAM policy to the IAM accounts of your Amazon EKS administrators. For more information, see Creating IAM policies and Adding IAM identity permissions in the IAM User Guide and Actions, resources, and condition keys for Amazon Elastic Kubernetes Service in the Service Authorization Reference.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "denyOIDC", "Effect": "Deny", "Action": [ "eks:AssociateIdentityProviderConfig" ], "Resource": "arn:aws-cn:eks:
cn-north-1
.amazonaws.com.cn:111122223333
:cluster/*" }, { "Sid": "eksAdmin", "Effect": "Allow", "Action": [ "eks:*" ], "Resource": "*" } ] }
The following example policy allows OIDC identity provider association if the
clientID
is kubernetes
and the issuerUrl
is
https://cognito-idp.cn-north-1amazonaws.com.cn/*
.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCognitoOnly", "Effect": "Deny", "Action": "eks:AssociateIdentityProviderConfig", "Resource": "arn:aws-cn:eks:
cn-north-1
:111122223333
:cluster/my-instance
", "Condition": { "StringNotLikeIfExists": { "eks:issuerUrl": "https://cognito-idp.cn-north-1
.amazonaws.com.cn/*" } } }, { "Sid": "DenyOtherClients", "Effect": "Deny", "Action": "eks:AssociateIdentityProviderConfig", "Resource": "arn:aws-cn:eks:cn-north-1
:111122223333
:cluster/my-instance
", "Condition": { "StringNotEquals": { "eks:clientId": "kubernetes
" } } }, { "Sid": "AllowOthers", "Effect": "Allow", "Action": "eks:*", "Resource": "*" } ] }
Partner validated OIDC identity providers
Amazon EKS maintains relationships with a network of partners that offer support for compatible OIDC identity providers. Refer to the following partners' documentation for details on how to integrate the identity provider with Amazon EKS.
Partner |
Product |
Documentation |
---|---|---|
PingIdentity |
Amazon EKS aims to give you a wide selection of options to cover all use cases. If you
develop a commercially supported OIDC compatible identity provider that is not listed
here, then contact our partner team at aws-container-partners@amazon.com