AWS::EKS::IdentityProviderConfig
Associate an identity provider configuration to a cluster.
If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster, you can create Kubernetes roles and clusterroles to assign permissions to the roles, and then bind the roles to the identities using Kubernetes rolebindings and clusterrolebindings. For more information, see Using RBAC Authorization.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::EKS::IdentityProviderConfig",
  "Properties" : {
    "ClusterName" : String,
    "IdentityProviderConfigName" : String,
    "Oidc" : OidcIdentityProviderConfig,
    "Tags" : [ Tag, ... ],
    "Type" : String
  }
}
YAML
Type: AWS::EKS::IdentityProviderConfig
Properties:
  ClusterName: String
  IdentityProviderConfigName: String
  Oidc: OidcIdentityProviderConfig
  Tags:
    - Tag
  Type: String
Properties
ClusterName
The cluster that the configuration is associated to.
Required: Yes
Type: String
Update requires: Replacement

IdentityProviderConfigName
The name of the configuration.
Required: No
Type: String
Update requires: Replacement

Oidc
An object representing an OpenID Connect (OIDC) identity provider configuration.
Required: No
Type: OidcIdentityProviderConfig
Update requires: Replacement

Tags
The metadata to apply to the provider configuration to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.
Required: No
Type: List of Tag
Update requires: No interruption

Type
The type of the identity provider configuration. The only type available is oidc.
Required: Yes
Type: String
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name. For example:
{ "Ref": "myIdentityProviderConfig" }
For the IdentityProviderConfig, Ref returns the physical resource ID of the config. For example, cluster-name/oidc/identity-provider-config-name.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Remarks
Creating an identity provider config and Fargate profile resources in the same template
If Amazon CloudFormation attempts to create both resources at the same time, resource creation fails. If you want to create both resources in the same template, then add the DependsOn property in your template, as shown in the examples.
Examples
Create an identity provider config
The following example creates an identity provider config. If you're not creating an EKSFargateProfile in the same template, remove the "DependsOn" line in the following example. For more information, see AWS::EKS::FargateProfile.
JSON
{
  "EKSIdpConfig": {
    "DependsOn": "EKSFargateProfile",
    "Type": "AWS::EKS::IdentityProviderConfig",
    "Properties": {
      "ClusterName": "my-cluster",
      "Type": "oidc",
      "Oidc": {
        "ClientId": "kubernetes",
        "IssuerUrl": "https://example.com"
      }
    }
  }
}
YAML
Resources:
  EKSIdpConfig:
    DependsOn: EKSFargateProfile
    Type: AWS::EKS::IdentityProviderConfig
    Properties:
      ClusterName: my-cluster
      Type: oidc
      Oidc:
        ClientId: "kubernetes"
        IssuerUrl: "https://example.com"
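The following is an added example, not part of the AWS documentation, that carries the page's scenario through end to end: the Fargate profile and identity provider config ordered with DependsOn as the Remarks require, the OIDC claim-to-identity mapping, and the Kubernetes ClusterRoleBinding the introduction describes. It assumes the OidcIdentityProviderConfig sub-properties UsernameClaim, UsernamePrefix, GroupsClaim, GroupsPrefix and RequiredClaims (Key/Value pairs), which this page does not list; the issuer URL, account ID, role name, group name and the hd claim are constructed placeholders.

```yaml
# --- File 1: CloudFormation template (added example; names are placeholders) ---
Resources:
  EKSFargateProfile:
    Type: AWS::EKS::FargateProfile
    Properties:
      ClusterName: my-cluster
      PodExecutionRoleArn: arn:aws:iam::123456789012:role/PLACEHOLDER-pod-exec-role
      Selectors:
        - Namespace: default
  EKSIdpConfig:
    Type: AWS::EKS::IdentityProviderConfig
    DependsOn: EKSFargateProfile   # serialise creation, per the Remarks above
    Properties:
      ClusterName: my-cluster
      Type: oidc
      IdentityProviderConfigName: corp-oidc
      Oidc:
        IssuerUrl: https://idp.example.com    # constructed issuer
        ClientId: kubernetes
        UsernameClaim: email
        # Prefixes keep IdP-supplied names from colliding with built-in
        # "system:" identities or users/groups from other authenticators.
        UsernamePrefix: "oidc:"
        GroupsClaim: groups
        GroupsPrefix: "oidc:"
        RequiredClaims:                       # reject tokens lacking this claim
          - Key: hd
            Value: example.com
---
# --- File 2: Kubernetes manifest, applied with kubectl after the stack exists ---
# Binds the IdP group "platform-readers" (arriving as "oidc:platform-readers"
# because of GroupsPrefix) to the built-in read-only "view" ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-platform-readers-view
subjects:
  - kind: Group
    name: "oidc:platform-readers"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

The two documents are separate files: the first is deployed as a CloudFormation stack, the second is applied to the cluster with kubectl once the identity provider is associated.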
See also
- Authenticating users for your cluster from an OpenID Connect identity provider in the Amazon EKS User Guide.
- AssociateIdentityProviderConfig in the Amazon EKS API Reference.