Creating an IAM OIDC provider for your cluster - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating an IAM OIDC provider for your cluster

Your cluster has an OpenID Connect (OIDC) issuer URL associated with it. To use Amazon Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL.

Prerequisites
  • An existing Amazon EKS cluster. To deploy one, see Getting started with Amazon EKS.

  • Version 2.11.3 or later or 1.27.93 or later of the Amazon CLI installed and configured on your device or Amazon CloudShell. You can check your current version with aws --version | cut -d / -f2 | cut -d ' ' -f1. Package managers such as yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the Amazon CLI. To install the latest version, see Installing, updating, and uninstalling the Amazon CLI and Quick configuration with aws configure in the Amazon Command Line Interface User Guide. The Amazon CLI version installed in the Amazon CloudShell may also be several versions behind the latest version. To update it, see Installing Amazon CLI to your home directory in the Amazon CloudShell User Guide.

  • The kubectl command line tool is installed on your device or Amazon CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is 1.24, you can use kubectl version 1.23, 1.24, or 1.25 with it. To install or upgrade kubectl, see Installing or updating kubectl.

  • An existing kubectl config file that contains your cluster configuration. To create a kubectl config file, see Creating or updating a kubeconfig file for an Amazon EKS cluster.

You can create an IAM OIDC provider for your cluster using eksctl or the Amazon Web Services Management Console.

eksctl
Prerequisite

Version 0.135.0 or later of the eksctl command line tool installed on your device or Amazon CloudShell. To install or update eksctl, see Installing or updating eksctl.

To create an IAM OIDC identity provider for your cluster with eksctl
  1. Determine whether you have an existing IAM OIDC provider for your cluster.

    Retrieve your cluster's OIDC provider ID and store it in a variable.

    oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
  2. Determine whether an IAM OIDC provider with your cluster's ID is already in your account.

    aws iam list-open-id-connect-providers | grep "$oidc_id" | cut -d "/" -f4

    If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster.

  3. Create an IAM OIDC identity provider for your cluster with the following command. Replace my-cluster with your own value.

    eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve
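The existence check that steps 1 and 2 perform by hand, as an added example that is not part of this documentation: a POSIX shell script that derives the provider ID from the issuer URL, looks for a matching provider ARN, and additionally verifies that the provider's audience contains sts.amazonaws.com (the value the console procedure asks for). The account ID, region and provider ID in the sample at the bottom are constructed placeholders; the helper and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the EKS docs): confirm an IAM OIDC provider exists
# for a cluster's issuer URL and that its audience includes sts.amazonaws.com.
# Text helpers read JSON on stdin so they run on captured output, offline.
set -eu

# Print the OIDC provider ID: the last path segment of the issuer URL
# (the value the docs extract with `cut -d '/' -f 5`).
oidc_id_from_issuer() {
  issuer="${1%/}"                 # tolerate a trailing slash
  printf '%s\n' "${issuer##*/}"
}

# Read `aws iam list-open-id-connect-providers` JSON on stdin and print the
# provider ARN whose path ends in /id/<oidc_id>; print nothing on no match.
find_provider_arn() {
  grep -o '"arn:[^"]*"' | tr -d '"' | grep -F -- "/id/$1" || true
}

# Read `aws iam get-open-id-connect-provider` JSON on stdin; succeed only if
# ClientIDList (the audience) contains sts.amazonaws.com. Whitespace is
# stripped first so the match also works on pretty-printed output.
has_sts_audience() {
  tr -d ' \n' | grep -q '"ClientIDList":\[[^]]*"sts.amazonaws.com"'
}

# Live check against a real cluster (needs aws CLI credentials; not invoked
# here). Returns 0 when the provider exists and carries the audience.
check_cluster_oidc_provider() {
  cluster="$1"
  issuer=$(aws eks describe-cluster --name "$cluster" \
             --query "cluster.identity.oidc.issuer" --output text)
  oidc_id=$(oidc_id_from_issuer "$issuer")
  arn=$(aws iam list-open-id-connect-providers | find_provider_arn "$oidc_id")
  if [ -z "$arn" ]; then
    echo "no IAM OIDC provider for $issuer; create one with:" >&2
    echo "  eksctl utils associate-iam-oidc-provider --cluster $cluster --approve" >&2
    return 1
  fi
  if aws iam get-open-id-connect-provider \
       --open-id-connect-provider-arn "$arn" | has_sts_audience; then
    echo "OK: $arn has audience sts.amazonaws.com"
  else
    echo "$arn exists but its audience lacks sts.amazonaws.com" >&2
    return 1
  fi
}
# Constructed sample (not a real account) showing the matcher on its own.
printf '%s' '{"OpenIDConnectProviderList":[{"Arn":"arn:aws-cn:iam::111122223333:oidc-provider/oidc.eks.cn-north-1.amazonaws.com.cn/id/EXAMPLED539D4633E53DE1B71EXAMPLE"}]}' | find_provider_arn EXAMPLED539D4633E53DE1B71EXAMPLE
```

Because plain sh has no pipefail, a failing aws call inside the pipeline in check_cluster_oidc_provider reads as "no provider"; check stderr before creating anything on that basis.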

Amazon Web Services Management Console
To create an IAM OIDC identity provider for your cluster with the Amazon Web Services Management Console
  1. Open the Amazon EKS console at https://console.amazonaws.cn/eks/home#/clusters.

  2. In the left pane, select Clusters, and then select the name of your cluster on the Clusters page.

  3. In the Details section on the Overview tab, note the value of the OpenID Connect provider URL.

  4. Open the IAM console at https://console.amazonaws.cn/iam/.

  5. In the left navigation pane, choose Identity Providers under Access management. If a Provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one.

  6. To create a provider, choose Add provider.

  7. For Provider type, select OpenID Connect.

  8. For Provider URL, enter the OIDC provider URL for your cluster, and then choose Get thumbprint.

  9. For Audience, enter sts.amazonaws.com and choose Add provider.

Next step

Configuring a Kubernetes service account to assume an IAM role