Fetch signing keys - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Fetch signing keys

Kubernetes issues a ProjectedServiceAccountToken to each Kubernetes Service Account. This token is an OIDC token, which is in turn a type of JSON web token (JWT). Amazon EKS hosts a public OIDC endpoint for each cluster that serves the signing keys for the token, so external systems can validate it.

To validate a ProjectedServiceAccountToken, you need to fetch the OIDC public signing keys, also called the JSON Web Key Set (JWKS). Use these keys in your application to validate the token. For example, you can use the PyJWT Python library to validate tokens using these keys. For more information on the ProjectedServiceAccountToken, see IAM, Kubernetes, and OpenID Connect (OIDC) background information.

Prerequisites
Fetch OIDC Public Signing Keys (Amazon CLI)
  1. Retrieve the OIDC URL for your Amazon EKS cluster using the Amazon CLI.

    $ aws eks describe-cluster --name my-cluster --query 'cluster.identity.oidc.issuer'
    "https://oidc.eks.us-east-1.amazonaws.com/id/8EBDXXXX00BAE"
  2. Retrieve the public signing key using curl, or a similar tool. The result is a JSON Web Key Set (JWKS).

    Important

    Amazon EKS throttles calls to the OIDC endpoint. You should cache the public signing key, and respect the Cache-Control header included in the response when deciding how long to keep it.

    Important

    Amazon EKS rotates the OIDC signing key every seven days.

    $ curl https://oidc.eks.us-east-1.amazonaws.com/id/8EBDXXXX00BAE/keys
    {"keys":[{"kty":"RSA","kid":"2284XXXX4a40","use":"sig","alg":"RS256","n":"wklbXXXXMVfQ","e":"AQAB"}]}
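The following is an added example, not code from this page or from Amazon; it shows the validation side of the procedure above: fetching the JWKS from the cluster's issuer URL, caching it for the max-age given in the Cache-Control header, refreshing once (rate-limited, so the endpoint is not hammered) when a token carries a kid the cache has not seen, which is what the seven-day rotation looks like from the validator's side, and then checking alg, signature, iss, aud and exp. So that it runs offline, the RS256 signature check is hand-rolled RSASSA-PKCS1-v1_5 from the standard library rather than PyJWT; in production you would use PyJWT's PyJWKClient against the real https://oidc.eks.<region>.amazonaws.com/id/<id>/keys URL. The cluster id EXAMPLE0000, the kid values, the demo RSA key (built from two published Mersenne primes, so it offers no real security) and the fake fetcher are all constructed for the demonstration.

```python
import base64, hashlib, hmac, json, re, time

def b64url_encode(raw: bytes) -> str: return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes: return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _jwk_int(text: str) -> int: return int.from_bytes(b64url_decode(text), "big")

def fetch_jwks_http(url: str):
    """Real fetcher for the EKS /keys endpoint: returns (jwks, Cache-Control header). Not used offline."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp), resp.headers.get("Cache-Control", "")

# RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017); hand-rolled only so this file has no dependencies.
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix
def _emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("RSA modulus too small for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    n, e = _jwk_int(jwk["n"]), _jwk_int(jwk["e"])
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(signing_input, k))

def parse_max_age(cache_control: str, default: int = 300) -> int:
    m = re.search(r"max-age=(\d+)", cache_control or "")
    return int(m.group(1)) if m else default

class JwksCache:
    """Caches the key set for max-age seconds; fetch_fn(url) -> (jwks, Cache-Control header)."""
    def __init__(self, issuer, fetch_fn, now=time.time, min_refresh_interval=60):
        self.url, self.fetch_fn, self.now = issuer.rstrip("/") + "/keys", fetch_fn, now
        self.min_refresh = min_refresh_interval
        self._keys, self._expires_at, self._last_fetch = {}, 0.0, float("-inf")
    def _refresh(self):
        jwks, cache_control = self.fetch_fn(self.url)
        self._keys = {k["kid"]: k for k in jwks["keys"] if k.get("use", "sig") == "sig"}
        self._last_fetch = self.now()
        self._expires_at = self._last_fetch + parse_max_age(cache_control)
    def get_key(self, kid: str) -> dict:
        if self.now() >= self._expires_at:          # cache expired: honour max-age
            self._refresh()
        key = self._keys.get(kid)
        # An unknown kid usually means the weekly rotation: refresh once, rate-limited to avoid throttling
        if key is None and self.now() - self._last_fetch >= self.min_refresh:
            self._refresh()
            key = self._keys.get(kid)
        if key is None:
            raise KeyError("no signing key with kid=%r" % kid)
        return key

def verify_token(token: str, cache: JwksCache, issuer: str, audience: str, now=time.time) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":               # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = cache.get_key(header.get("kid"))
    if key.get("kty") != "RSA" or key.get("alg", "RS256") != "RS256":
        raise ValueError("key %r is not an RS256 key" % header.get("kid"))
    if not rs256_verify(key, (h64 + "." + p64).encode(), b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))        # only parsed after the signature checks out
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issuer/audience mismatch")
    if "exp" not in claims or now() >= claims["exp"] or now() < claims.get("nbf", 0):
        raise ValueError("token expired or not yet valid")
    return claims

# ---- Constructed demo material; none of it comes from the EKS page ----
def toy_rsa_key():
    # CONSTRUCTED key from two published Mersenne primes: fine for a demo, worthless for real security
    p, q = (1 << 521) - 1, (1 << 127) - 1
    n = p * q
    return n, 65537, pow(65537, -1, (p - 1) * (q - 1))

def to_jwk(n: int, e: int, kid: str) -> dict:
    return {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
            "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")), "e": b64url_encode(e.to_bytes(3, "big"))}

def sign_token(claims: dict, n: int, d: int, kid: str) -> str:
    head = b64url_encode(json.dumps({"alg": "RS256", "kid": kid, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15((head + "." + body).encode(), k), "big")
    return head + "." + body + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))

def demo() -> dict:
    """Offline walk-through with a fake fetcher: cache hit, then a simulated rotation to a new kid."""
    issuer = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000"   # placeholder cluster id
    n, e, d = toy_rsa_key()
    state = {"jwks": {"keys": [to_jwk(n, e, "kid-week1")]}, "fetches": 0, "t": 1_000_000.0}
    def fetch(url):                                           # stands in for fetch_jwks_http
        state["fetches"] += 1
        return state["jwks"], "public, max-age=3600"
    clock = lambda: state["t"]
    cache = JwksCache(issuer, fetch, now=clock)
    claims = {"iss": issuer, "aud": ["sts.amazonaws.com"], "sub": "system:serviceaccount:default:app", "exp": state["t"] + 600}
    verify_token(sign_token(claims, n, d, "kid-week1"), cache, issuer, "sts.amazonaws.com", clock)  # fetch #1
    verify_token(sign_token(claims, n, d, "kid-week1"), cache, issuer, "sts.amazonaws.com", clock)  # served from cache
    state["jwks"] = {"keys": [to_jwk(n, e, "kid-week2")]}   # EKS rotated the key
    state["t"] += 120                                        # past min_refresh_interval
    tok2 = sign_token(claims, n, d, "kid-week2")             # unknown kid triggers fetch #2
    return {"claims": verify_token(tok2, cache, issuer, "sts.amazonaws.com", clock),
            "fetches": state["fetches"], "token": tok2, "cache": cache, "issuer": issuer, "clock": clock}
```

Running demo() performs exactly two JWKS fetches for three validations: the first validation fills the cache, the second is served from it, and the third hits a kid the cache does not know and triggers one refresh. The min_refresh_interval guard is what keeps a flood of tokens with a bogus kid from turning into a flood of requests against the throttled endpoint; tune it to your traffic, but keep it well below the seven-day rotation period so legitimately rotated keys are picked up promptly.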