Creating an IAM OIDC provider for your cluster

Determine whether you have an existing IAM OIDC provider for your cluster.

Retrieve your cluster's OIDC provider ID and store it in a variable.

oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)

Determine whether an IAM OIDC provider with your cluster's ID is already in your account.

aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster.

Create an IAM OIDC identity provider for your cluster with the following command. Replace my-cluster with your own value.

eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve

Open the Amazon EKS console at https://console.amazonaws.cn/eks/home#/clusters.

In the left pane, select Clusters, and then select the name of your cluster on the Clusters page.

In the Details section on the Overview tab, note the value of the OpenID Connect provider URL.

Open the IAM console at https://console.amazonaws.cn/iam/.

In the left navigation pane, choose Identity Providers under Access management. If a Provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one.

To create a provider, choose Add provider.

For Provider type, select OpenID Connect.

For Provider URL, enter the OIDC provider URL for your cluster, and then choose Get thumbprint.

For Audience, enter sts.amazonaws.com and choose Add provider.