Creating an IAM OIDC provider for your cluster - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating an IAM OIDC provider for your cluster

Your cluster has an OpenID Connect (OIDC) issuer URL associated with it. To use Amazon Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL.

Prerequisites
  • An existing Amazon EKS cluster. To deploy one, see Getting started with Amazon EKS.

  • Version 2.12.3 or later or version 1.27.160 or later of the Amazon Command Line Interface (Amazon CLI) installed and configured on your device or Amazon CloudShell. To check your current version, use aws --version | cut -d / -f2 | cut -d ' ' -f1. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the Amazon CLI. To install the latest version, see Installing, updating, and uninstalling the Amazon CLI and Quick configuration with aws configure in the Amazon Command Line Interface User Guide. The Amazon CLI version that is installed in Amazon CloudShell might also be several versions behind the latest version. To update it, see Installing Amazon CLI to your home directory in the Amazon CloudShell User Guide.

  • The kubectl command line tool is installed on your device or Amazon CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is 1.28, you can use kubectl version 1.27, 1.28, or 1.29 with it. To install or upgrade kubectl, see Installing or updating kubectl.

  • An existing kubectl config file that contains your cluster configuration. To create a kubectl config file, see Creating or updating a kubeconfig file for an Amazon EKS cluster.

You can create an IAM OIDC provider for your cluster using eksctl or the Amazon Web Services Management Console.

eksctl
Prerequisite

Version 0.171.0 or later of the eksctl command line tool installed on your device or Amazon CloudShell. To install or update eksctl, see Installation in the eksctl documentation.

To create an IAM OIDC identity provider for your cluster with eksctl
  1. Determine the OIDC issuer ID for your cluster.

    Retrieve your cluster's OIDC issuer ID and store it in a variable. Replace my-cluster with your own value.

    cluster_name=my-cluster
    oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
    echo $oidc_id
  2. Determine whether an IAM OIDC provider with your cluster's issuer ID is already in your account.

    aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

    If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster.

  3. Create an IAM OIDC identity provider for your cluster with the following command.

    eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve
    Note

    If you enable the EKS VPC endpoint, the EKS OIDC service endpoint can't be accessed from inside that VPC. Consequently, your operations such as creating an OIDC provider with eksctl in the VPC will not work and will result in a timeout when attempting to request https://oidc.eks.region.amazonaws.com. An example error message follows:

    ** server can't find oidc.eks.region.amazonaws.com: NXDOMAIN

    To complete this step, you can run the command outside the VPC, for example in Amazon CloudShell or on a computer connected to the internet.

Amazon Web Services Management Console
To create an IAM OIDC identity provider for your cluster with the Amazon Web Services Management Console
  1. Open the Amazon EKS console at https://console.amazonaws.cn/eks/home#/clusters.

  2. In the left pane, select Clusters, and then select the name of your cluster on the Clusters page.

  3. In the Details section on the Overview tab, note the value of the OpenID Connect provider URL.

  4. Open the IAM console at https://console.amazonaws.cn/iam/.

  5. In the left navigation pane, choose Identity Providers under Access management. If a Provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one.

  6. To create a provider, choose Add provider.

  7. For Provider type, select OpenID Connect.

  8. For Provider URL, enter the OIDC provider URL for your cluster, and then choose Get thumbprint.

  9. For Audience, enter sts.amazonaws.com and choose Add provider.

Next step

Configuring a Kubernetes service account to assume an IAM role