Amazon EKS (Elastic Kubernetes Service) integrates seamlessly with AWS IAM to provide fine-grained access control for your Kubernetes workloads. One of the key components to enable this integration is the IAM OIDC identity provider. In this blog post, we will walk you through the steps to verify whether an OIDC identity provider for your EKS cluster is already created and how to create one if it doesn’t exist.
Why Check for an Existing OIDC Identity Provider?
When you create an Amazon EKS cluster, an OIDC identity provider can be associated with it to enable IAM roles for service accounts. This setup is essential for securely granting your Kubernetes workloads access to AWS services. Before creating a new OIDC identity provider, it's a good practice to check if one already exists to avoid duplication and potential configuration issues.
Prerequisites
- AWS CLI installed and configured with the necessary permissions.
- Access to the Amazon EKS cluster name and region.
Steps to Check for an Existing OIDC Identity Provider
Step 1: Retrieve the OIDC Provider URL for Your EKS Cluster
First, you need to get the OIDC provider URL associated with your EKS cluster. Run the following command in your terminal:
aws eks describe-cluster --name your-cluster-name --query "cluster.identity.oidc.issuer" --output text
Replace your-cluster-name with the name of your EKS cluster. This command will return a URL similar to:
https://oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
Step 2: List Existing OIDC Identity Providers
Next, list all the OIDC identity providers in your AWS account using the following command:
aws iam list-open-id-connect-providers
This will return a list of OIDC identity providers in your account:
{
    "OpenIDConnectProviderList": [
        {
            "Arn": "arn:aws:iam::account-id:oidc-provider/oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
        },
        ...
    ]
}
Step 3: Check If the OIDC Provider for Your EKS Cluster Exists
Compare the OIDC provider URL obtained in Step 1 with the ARNs listed in Step 2. You can automate this check using a simple shell script:
#!/bin/bash
set -euo pipefail
# Variables
CLUSTER_NAME="your-cluster-name"
REGION="your-region"
# Get the OIDC provider URL for the EKS cluster
OIDC_URL=$(aws eks describe-cluster --name "$CLUSTER_NAME" --region "$REGION" --query "cluster.identity.oidc.issuer" --output text)
# Get the list of OIDC provider ARNs, one per line
OIDC_PROVIDERS=$(aws iam list-open-id-connect-providers --query "OpenIDConnectProviderList[*].Arn" --output text | tr '\t' '\n')
# Check if the issuer's host/path (URL without the https:// scheme) appears in the list;
# -F matches it as a literal string rather than a regular expression
if echo "$OIDC_PROVIDERS" | grep -qF -- "${OIDC_URL#https://}"; then
    echo "OIDC identity provider for EKS cluster '$CLUSTER_NAME' already exists."
else
    echo "OIDC identity provider for EKS cluster '$CLUSTER_NAME' does not exist."
fi
Replace your-cluster-name and your-region with your actual cluster name and region. Run this script in your terminal. It will output whether the OIDC identity provider for your EKS cluster exists or not.
Steps to Create an OIDC Identity Provider for Your EKS Cluster
If the OIDC identity provider does not exist, you can create one by following these steps:
Step 1: Retrieve the OIDC Provider URL
If you haven’t done this already, use the command from the previous section to get the OIDC provider URL for your EKS cluster.
Step 2: Create an IAM OIDC Identity Provider
Use the following command to create an IAM OIDC identity provider for your EKS cluster:
aws iam create-open-id-connect-provider \
--url https://oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE \
--client-id-list sts.amazonaws.com \
--thumbprint-list THUMBPRINT
Replace the --url value with the OIDC provider URL you retrieved earlier, and provide the thumbprint for the OIDC provider. You can get the thumbprint by visiting the URL in a browser and exporting the SSL certificate chain, then using a tool to get the thumbprint of the root certificate.
Step 3: Create an IAM Role for the Service Account
Once the OIDC identity provider is created, you need to create an IAM role that can be assumed by your service account. Here’s an example trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::account-id:oidc-provider/oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:namespace:serviceaccount-name"
                }
            }
        }
    ]
}
Replace arn:aws:iam::account-id:oidc-provider/oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE with the correct OIDC provider ARN, and modify the Condition to match your service account’s namespace and name.
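As an added example (not code from the original post), the bash helpers below tie the two procedures together: they derive the provider ARN from the issuer URL so the existence check in the earlier script becomes an exact whole-ARN match instead of a substring grep, and they render the Step 3 trust policy for a given namespace and service account. The function names are hypothetical, no AWS calls are made, and the :aud condition is an addition to the post's policy.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: pure-shell helpers that derive,
# from the issuer URL returned by `aws eks describe-cluster`, the values the
# procedure needs. Function names are hypothetical; nothing here calls AWS.
set -eu

# Strip the scheme, leaving the host/path form IAM uses in provider ARNs and
# in condition keys, e.g. oidc.eks.us-east-1.amazonaws.com/id/ABC123
issuer_path() {
  local url="${1#https://}"
  printf '%s' "${url%/}"
}

# The ARN that list-open-id-connect-providers shows for this issuer.
# $1 = account id, $2 = issuer URL
provider_arn() {
  printf 'arn:aws:iam::%s:oidc-provider/%s' "$1" "$(issuer_path "$2")"
}

# Exact whole-ARN match against the tab-separated `--output text` list ($2),
# instead of a substring grep, so a truncated or prefix-sharing id cannot
# produce a false "already exists".
provider_exists() {
  printf '%s\n' "$2" | tr '\t' '\n' | grep -qxF -- "$1"
}

# Step 3 trust policy for one service account. The :aud condition is an
# addition to the post's policy: it pins the token audience to the client id
# registered on the provider (sts.amazonaws.com).
# $1 = account id, $2 = issuer URL, $3 = namespace, $4 = service account name
trust_policy() {
  local path arn
  path="$(issuer_path "$2")"
  arn="$(provider_arn "$1" "$2")"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "${arn}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": {
      "${path}:sub": "system:serviceaccount:${3}:${4}",
      "${path}:aud": "sts.amazonaws.com"
    } }
  }]
}
EOF
}
```

Feed `provider_exists` the output of `aws iam list-open-id-connect-providers --query "OpenIDConnectProviderList[*].Arn" --output text` and the ARN from `provider_arn`; pipe `trust_policy` into a file for `aws iam create-role --assume-role-policy-document file://...`.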
Step 4: Attach Policies to the IAM Role
Attach the necessary policies to the IAM role to allow your service account to access the required AWS services. For example, to allow read-only access to Amazon S3, use the following command:
aws iam attach-role-policy --role-name your-role-name --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Conclusion
Ensuring that your Amazon EKS cluster is configured with the necessary IAM integrations is crucial for managing access to AWS services. By following the steps outlined in this blog post, you can check if an OIDC identity provider already exists for your cluster and create one if necessary. This setup allows you to leverage IAM roles for service accounts, enhancing the security and manageability of your Kubernetes workloads.
We hope this guide helps you manage your Amazon EKS clusters more efficiently. If you have any questions or need further assistance, feel free to reach out to us.