Posted On: Feb 12, 2021
Amazon Elastic Kubernetes Service (Amazon EKS) now supports using OpenID Connect (OIDC) compatible identity providers as a user authentication option to Kubernetes clusters. With OIDC authentication, you can manage user access to EKS clusters by using the standard procedures in your organization for creating, enabling, and disabling employee accounts.
Amazon EKS already includes native support for AWS Identity and Access Management (IAM) users and roles as entities that can authenticate against a cluster, which relieves cluster administrators of maintaining a separate identity provider to manage users. This IAM-to-Kubernetes integration enables you to securely manage cluster access by leveraging IAM features such as CloudTrail audit logging and multi-factor authentication. However, at some organizations, development teams don’t have administrative access to AWS, and creating an IAM user or role for each developer is not a scalable solution.
With EKS support for OIDC identity providers, you can manage user access to your cluster by leveraging an existing identity management life cycle through your OIDC identity provider.
OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It adds a thin identity layer on top of OAuth 2.0 that provides login and profile information about the authenticated user. For EKS cluster user access management, OIDC compatible identity providers can be used as an alternative to, or together with, IAM users and roles.
You can associate an OIDC compatible identity provider to new or existing clusters running Kubernetes version 1.16 and above, using the EKS console, CLI, or eksctl. To learn more, read our blog, or visit the Amazon EKS documentation.
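The following is an added example, not configuration from the announcement or from the Amazon EKS project itself, of what associating an OIDC identity provider with eksctl looks like in practice, together with the Kubernetes RBAC binding that actually grants the federated users access. The cluster name, region, issuer URL, client ID and group name are placeholders; the `usernamePrefix` and `groupsPrefix` values are a choice made here so that identities coming from the external provider cannot collide with built-in Kubernetes users or `system:` groups, and the binding deliberately grants only the built-in read-only `view` ClusterRole.

```yaml
# eksctl ClusterConfig: associate an OIDC identity provider with an existing cluster.
# Apply with: eksctl associate identityprovider -f oidc-provider.yaml
# (cluster must run Kubernetes 1.16 or later, as stated in the announcement)
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: example-cluster          # placeholder cluster name
  region: us-west-2              # placeholder region
identityProviders:
  - name: corporate-oidc         # placeholder name for this provider config
    type: oidc
    issuerUrl: https://login.example.com/oidc   # placeholder; must be HTTPS and match the token "iss" claim
    clientId: example-client-id                 # placeholder client ID issued by the identity provider
    usernameClaim: email         # which token claim becomes the Kubernetes username
    usernamePrefix: "oidc:"      # prevents collisions with existing users (e.g. IAM-mapped names)
    groupsClaim: groups          # which token claim carries group membership
    groupsPrefix: "oidc:"        # prevents an external "system:masters" group from mapping to cluster-admin
---
# Kubernetes RBAC: grant read-only access to members of the federated "developers" group.
# The subject name is groupsPrefix + the value from the groups claim.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-developers-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view                     # built-in read-only role; widen only per team need
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "oidc:developers"      # placeholder group; "developers" is the value carried in the groups claim
```

Disabling a developer's account at the identity provider stops new token issuance, but tokens already issued remain valid until they expire, so keep the provider's token lifetime short; and because the RBAC binding is what grants permissions, an OIDC user with no matching binding can authenticate but cannot do anything in the cluster.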