Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Creating an IAM OIDC provider for your cluster
Your cluster has an OpenID Connect (OIDC) issuer URL associated with it. To use Amazon Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL.
Prerequisites
- An existing Amazon EKS cluster. To deploy one, see Getting started with Amazon EKS.

- Version 2.11.3 or later (Amazon CLI version 2) or 1.27.93 or later (Amazon CLI version 1) of the Amazon CLI installed and configured on your device or Amazon CloudShell. You can check your current version with the following command: aws --version | cut -d / -f2 | cut -d ' ' -f1
Package managers such as yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the Amazon CLI. To install the latest version, see Installing, updating, and uninstalling the Amazon CLI and Quick configuration with aws configure in the Amazon Command Line Interface User Guide. The Amazon CLI version installed in Amazon CloudShell may also be several versions behind the latest version. To update it, see Installing Amazon CLI to your home directory in the Amazon CloudShell User Guide.
- The kubectl command line tool is installed on your device or Amazon CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is 1.24, you can use kubectl version 1.23, 1.24, or 1.25 with it. To install or upgrade kubectl, see Installing or updating kubectl.
- An existing kubectl config file that contains your cluster configuration. To create a kubectl config file, see Creating or updating a kubeconfig file for an Amazon EKS cluster.
You can create an IAM OIDC provider for your cluster using eksctl or the Amazon Web Services Management Console.
eksctl

Prerequisite

Version 0.135.0 or later of the eksctl command line tool installed on your device or Amazon CloudShell. To install or update eksctl, see Installing or updating eksctl.
To create an IAM OIDC identity provider for your cluster with eksctl

1. Determine whether you have an existing IAM OIDC provider for your cluster.

   Retrieve your cluster's OIDC provider ID and store it in a variable. Replace my-cluster with the name of your cluster.

   oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)

   Determine whether an IAM OIDC provider with your cluster's ID is already in your account.

   aws iam list-open-id-connect-providers | grep "$oidc_id" | cut -d "/" -f4

   If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster.

2. Create an IAM OIDC identity provider for your cluster with the following command. Replace my-cluster with your own value.

   eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve
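The two eksctl steps above combined into one idempotent script, as an added example that is not part of the Amazon EKS documentation. It assumes the Amazon CLI and eksctl from the prerequisites are installed and configured, and it adds one check the manual steps do not make: once the provider exists, it confirms that the provider's client ID list contains sts.amazonaws.com, the audience the console procedure asks you to enter and the value IAM compares against the aud claim of the service account tokens it receives. The parsing helpers take their inputs as arguments so they can be exercised with constructed values; the cluster name and the sample issuer URL in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the Amazon EKS documentation: ensure an IAM OIDC provider
# exists for an EKS cluster and that it lists the IRSA audience sts.amazonaws.com.
# Assumes the Amazon CLI and eksctl are installed and configured (see Prerequisites).
set -eu

# Return the OIDC provider ID, the last path segment of the cluster's issuer URL.
# A constructed sample: https://oidc.eks.cn-north-1.amazonaws.com.cn/id/EXAMPLED539D4633E53DE1B71EXAMPLE
# yields EXAMPLED539D4633E53DE1B71EXAMPLE.
oidc_id_from_issuer() {
    issuer="${1%/}"                 # tolerate a trailing slash
    printf '%s\n' "${issuer##*/}"
}

# Print the provider ARN whose path ends in /id/<ID>; return 1 when none matches.
# Matching the full "/id/<ID>" suffix is stricter than the grep in the manual
# steps and works in any partition (aws, aws-cn, aws-us-gov).
find_provider_arn() {
    id="$1"; shift
    for arn in "$@"; do
        case "$arn" in
            */id/"$id") printf '%s\n' "$arn"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 when the wanted audience appears among the provider's client IDs.
has_audience() {
    want="$1"; shift
    for aud in "$@"; do
        [ "$aud" = "$want" ] && return 0
    done
    return 1
}

# List the ARNs of all IAM OIDC providers in the account, whitespace separated.
list_provider_arns() {
    aws iam list-open-id-connect-providers \
        --query 'OpenIDConnectProviderList[].Arn' --output text
}

# Live procedure: look up the cluster, create the provider only if it is
# missing, then verify its audience list.
ensure_oidc_provider() {
    cluster="$1"
    issuer=$(aws eks describe-cluster --name "$cluster" \
        --query 'cluster.identity.oidc.issuer' --output text)
    id=$(oidc_id_from_issuer "$issuer")

    # Word splitting of the text output into separate ARNs is intended here.
    if arn=$(find_provider_arn "$id" $(list_provider_arns)); then
        echo "IAM OIDC provider already exists: $arn"
    else
        eksctl utils associate-iam-oidc-provider --cluster "$cluster" --approve
        arn=$(find_provider_arn "$id" $(list_provider_arns))
    fi

    # IAM only accepts tokens whose aud claim is in the provider's client ID list.
    if has_audience sts.amazonaws.com $(aws iam get-open-id-connect-provider \
            --open-id-connect-provider-arn "$arn" --query 'ClientIDList' --output text); then
        echo "Provider $arn accepts audience sts.amazonaws.com"
    else
        echo "WARNING: provider $arn does not list sts.amazonaws.com as an audience" >&2
        return 1
    fi
}

# Usage: sh ensure-oidc-provider.sh my-cluster   (my-cluster is a placeholder)
if [ -n "${1:-}" ]; then
    ensure_oidc_provider "$1"
fi
```

Run it with the cluster name as the only argument. Without an argument it only defines the functions, which is what makes the helpers testable offline; the live calls are confined to ensure_oidc_provider and list_provider_arns.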
Amazon Web Services Management Console

To create an IAM OIDC identity provider for your cluster with the Amazon Web Services Management Console

1. Open the Amazon EKS console at https://console.amazonaws.cn/eks/home#/clusters. In the left pane, select Clusters, and then select the name of your cluster on the Clusters page.

2. In the Details section on the Overview tab, note the value of the OpenID Connect provider URL.

3. Open the IAM console at https://console.amazonaws.cn/iam/.

4. In the left navigation pane, choose Identity Providers under Access management. If a provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If no listed provider matches the URL for your cluster, then you must create one.

5. To create a provider, choose Add provider.

6. For Provider type, select OpenID Connect.

7. For Provider URL, enter the OIDC provider URL for your cluster, and then choose Get thumbprint.

8. For Audience, enter sts.amazonaws.com and choose Add provider.
Next step

Configuring a Kubernetes service account to assume an IAM role