Seamlessly Secure Your EKS Cluster: AWS EKS OIDC Identity Integration

Yash Thube
5 min read · Oct 22, 2023


In the ever-evolving world of cloud computing, Amazon Elastic Kubernetes Service (EKS) has become the go-to solution for managing containerized applications efficiently. A robust identity model is crucial when orchestrating these containers, especially in a multi-tenant cluster where workloads from different teams share the same nodes. This is where AWS EKS OIDC (OpenID Connect) Identity Integration, usually called IAM Roles for Service Accounts (IRSA), comes into play. In this blog post, we will explore what the integration does, how it works, and the steps to set it up for a more secure and streamlined EKS cluster.

The Role of Identity in Kubernetes

Kubernetes relies on identity and access management for security. When a pod needs to call AWS APIs, the safest pattern is for it to obtain short-lived credentials for a dedicated IAM role rather than use static access keys baked into the image or the node's instance role, which every pod on that node could share. OIDC Identity Integration is what lets IAM trust the cluster's own service-account tokens and hand out those credentials; it is the mechanism that makes per-pod IAM roles possible.

The Power of AWS EKS OIDC Identity Integration

  1. Seamless Integration : Registering the cluster's OIDC issuer with IAM lets pods obtain temporary credentials for IAM roles through the standard AWS SDK credential chain, with no access keys to distribute or rotate. Interactions with AWS services become both simpler and safer.
  2. Enhanced Security : Each role's trust policy names the exact Kubernetes service account (namespace and name) allowed to assume it, so AWS permissions are scoped per workload instead of being shared through the node's instance role.
  3. Clear Separation from Role-Based Access Control (RBAC): IRSA decides what a service account may do in AWS; Kubernetes RBAC continues to decide what it may do inside the cluster. Keeping the two aligned (one service account per workload, bound to one IAM role and one set of RBAC bindings) keeps access reviews straightforward.

What is an identity provider in AWS?

An identity provider (IdP) is a trusted entity that provides authentication services to users. In AWS, an IdP can be used to manage user identities outside of AWS and to federate access to AWS resources.

There are two main types of IdPs that can be used with AWS:

  • SAML 2.0 IdPs : SAML 2.0 is a standard XML-based protocol for exchanging authentication and authorization assertions between systems. AWS supports a wide range of SAML 2.0 IdPs, including Google Workspace, Okta, and Microsoft Active Directory Federation Services (AD FS).
  • OpenID Connect (OIDC) IdPs : OIDC is an open standard built on OAuth 2.0 that lets an application verify a user's (or workload's) identity through a signed ID token and obtain access tokens. AWS supports a variety of OIDC IdPs, including Amazon Cognito, Facebook Login, and Google Login, and, as this post shows, an EKS cluster's own token issuer.

What is OpenID Connect (OIDC)?

OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. OAuth 2.0 by itself only authorizes access to resources; OIDC adds authentication by having the provider issue a signed ID token (a JWT) that a relying party can verify against the provider's published signing keys. OIDC IdPs are identity providers that implement this standard.

OIDC IdPs provide a number of benefits, including:

  • Security: Identity is asserted in a signed token that the relying party verifies against the IdP's published keys, so the application never handles the user's password and cannot be fooled by a token it did not issue.
  • Convenience: Users sign in to applications with their existing credentials, which reduces the number of passwords to manage and the number of places they can leak.
  • Scalability: A single IdP can manage identities for a large organization, and every application that trusts it inherits its lifecycle controls (joiners, movers, leavers) for free.

Using an OIDC IdP with EKS has several benefits:

  • Improved security: OIDC IdPs provide strong authentication, and every access decision can be tied back to a verifiable token.
  • Increased convenience : Users sign in to the Kubernetes API with their existing IdP credentials instead of separately managed kubeconfig secrets.
  • Enhanced scalability : Identities are managed centrally in the IdP rather than per cluster.

Note that "OIDC with EKS" covers two separate integrations, and it helps to keep them apart. In the first, an external OIDC IdP (Okta, Google, and so on) is associated with the Kubernetes API server so that people sign in with their existing credentials; that is what the convenience point above describes. In the second, the EKS cluster is itself the OIDC issuer: it signs service-account tokens, and IAM is configured to trust that issuer so that pods can exchange those tokens for IAM role credentials. This second form, IAM Roles for Service Accounts (IRSA), is what the rest of this post sets up.

In either direction, to use an IdP with AWS IAM you must first create an IAM identity provider. Configuring an OIDC identity provider in IAM establishes a trust relationship between your AWS account and that issuer: IAM will accept tokens signed by the issuer, checked against its published keys, as proof of identity for federated access. Once the provider exists, you create IAM roles whose trust policies name it as the federated principal and constrain which subjects from that issuer may assume each role.

To create an IAM OIDC identity provider for the EKS cluster using Terraform:

Creating an IAM OIDC identity provider for an Amazon EKS (Elastic Kubernetes Service) cluster using Terraform involves several steps. Before you begin, ensure that you have Terraform installed and configured with AWS credentials. Here are the steps to create an IAM OIDC identity provider for your EKS cluster:

  1. Initialize Terraform : Start by initializing your Terraform environment in a new or existing project directory using the terraform init command.
  2. Define IAM OIDC Identity Provider : Every EKS cluster exposes an OIDC issuer URL (cluster.identity.oidc.issuer); registering that issuer with IAM is what makes IAM trust the cluster's service-account tokens. In Terraform this is the aws_iam_openid_connect_provider resource (there is no oidc block on aws_eks_cluster), and it needs the issuer's TLS certificate thumbprint, which the hashicorp/tls provider's tls_certificate data source can fetch. Here's an example configuration block:

resource "aws_eks_cluster" "example_cluster" {
  name     = "example-cluster"
  role_arn = aws_iam_role.cluster_role.arn # the cluster service role, not the pod role in step 3

  vpc_config {
    subnet_ids = aws_subnet.example_subnets[*].id
  }
}

# Fetch the issuer's certificate chain to derive the thumbprint IAM requires
data "tls_certificate" "eks" {
  url = aws_eks_cluster.example_cluster.identity[0].oidc[0].issuer
}

# Register the cluster's issuer with IAM; sts.amazonaws.com is the audience the pod tokens carry
resource "aws_iam_openid_connect_provider" "eks" {
  url             = aws_eks_cluster.example_cluster.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
}

Ensure that you have previously defined the VPC, subnets, and the cluster service role (aws_iam_role.cluster_role above, which the EKS control plane itself assumes) in your Terraform configuration. That role is separate from the role pods will assume in the next step; pointing the cluster's role_arn at a role whose trust policy references the cluster would create a dependency cycle.

3. Define IAM Role for Service Account : Define an IAM role that one Kubernetes service account can assume, using the aws_iam_role resource. The trust policy must name the OIDC provider as the federated principal and, critically, carry a Condition that pins the token's sub claim to a single service account (system:serviceaccount:<namespace>:<name>) and its aud claim to sts.amazonaws.com. A trust policy without that Condition lets every service account in the cluster assume the role. Attach the permissions the workload actually needs with aws_iam_role_policy_attachment (not shown).

locals {
  # Issuer host without the scheme; IAM condition keys are "<host>:sub" and "<host>:aud"
  oidc_host = replace(aws_eks_cluster.example_cluster.identity[0].oidc[0].issuer, "https://", "")
}

resource "aws_iam_role" "example_role" {
  name = "example-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRoleWithWebIdentity",
        Effect = "Allow",
        Principal = {
          Federated = aws_iam_openid_connect_provider.eks.arn
        },
        # Without this Condition, any service account in the cluster could assume the role
        Condition = {
          StringEquals = {
            "${local.oidc_host}:aud" = "sts.amazonaws.com",
            "${local.oidc_host}:sub" = "system:serviceaccount:default:example-sa"
          }
        }
      }
    ]
  })
}

4. Define Kubernetes Service Account : Define a Kubernetes service account in the namespace named in the trust policy and associate it with the IAM role using the eks.amazonaws.com/role-arn annotation. The EKS pod identity webhook watches for this annotation and, for pods that use the service account, mounts a projected token and sets the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables that the AWS SDKs use to call sts:AssumeRoleWithWebIdentity. For example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/example-role

Apply this to your EKS cluster with kubectl apply -f example-sa.yaml (file name chosen here for illustration). The namespace and name must match the sub value in the role's trust policy exactly, and the account ID in the annotation must be your own; in Terraform you can take the value from aws_iam_role.example_role.arn instead of hard-coding it.

5. Apply Terraform Configuration : Run terraform apply to create the OIDC provider and the role. Because the provider reads the issuer URL from the cluster, Terraform creates the cluster first and the provider and role after it.

6. Verify OIDC Provider : After Terraform applies the configuration, confirm that the issuer and the provider match. aws eks describe-cluster --name example-cluster --query "cluster.identity.oidc.issuer" --output text prints the issuer URL, and aws iam list-open-id-connect-providers should list a provider whose ARN ends in the same oidc.eks.<region>.amazonaws.com/id/<id> host (the provider is also visible under Identity providers in the IAM console; it is not shown in the EKS console). Then run a pod with serviceAccountName: example-sa and, from inside it, aws sts get-caller-identity; the returned Arn should be an assumed-role ARN for example-role. If it instead shows the node's instance role, the webhook did not inject the token: check the annotation, and remember that only pods created after the service account was annotated are mutated.

These steps create an IAM OIDC identity provider for your EKS cluster using Terraform and bind one IAM role to one Kubernetes service account. Each workload then gets its own least-privilege AWS credentials instead of the node-wide instance role.
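To make the role of the Condition block concrete, here is an added example (not code from the original post, from AWS, or from the Terraform provider) that simulates the check STS performs on a web-identity token against a role trust policy. It builds a constructed, unsigned token carrying the claims an EKS projected service-account token has and evaluates it against two trust policies: one with no Condition and one pinned to a single service account and audience. The issuer host, account ID, role name and service-account names are hypothetical; real tokens are RS256-signed by the cluster and STS verifies the signature against the issuer's JWKS before any of this, a step the example skips.

```python
# Added example: simulate the trust-policy evaluation STS performs for
# sts:AssumeRoleWithWebIdentity. Issuer host, account ID and names are hypothetical.
import base64
import json

# Hypothetical EKS OIDC issuer host (cluster.identity.oidc.issuer minus the scheme)
# and the IAM provider ARN that registering it produces.
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(namespace: str, sa_name: str, aud: str = "sts.amazonaws.com",
               issuer_host: str = OIDC_HOST) -> str:
    """Build a constructed, UNSIGNED JWT with the claims an EKS projected
    service-account token carries. Real tokens are signed by the cluster; STS
    checks that signature against the issuer's JWKS first (omitted here)."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": f"https://{issuer_host}",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": [aud],
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    }
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_allows(policy: dict, token: str) -> bool:
    """True if the trust policy lets the bearer of `token` assume the role.
    Handles the subset of IAM policy grammar IRSA trust policies use:
    Effect/Action/Principal.Federated plus a StringEquals Condition on the
    '<issuer host>:sub' and '<issuer host>:aud' keys."""
    claims = decode_claims(token)
    issuer_host = claims["iss"].split("://", 1)[-1]
    aud = claims["aud"]
    ctx = {
        f"{issuer_host}:sub": claims["sub"],
        f"{issuer_host}:aud": aud[0] if isinstance(aud, list) else aud,
    }
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        # The token's issuer must be the provider named in the statement
        if federated.split("oidc-provider/", 1)[-1] != issuer_host:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {})
        if all(ctx.get(key) == value for key, value in required.items()):
            return True
    return False


# Trust policy with no Condition: any service account in the cluster can assume the role
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": PROVIDER_ARN},
    }],
}

# Same statement pinned to one service account and to the STS audience
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": PROVIDER_ARN},
        "Condition": {"StringEquals": {
            f"{OIDC_HOST}:aud": "sts.amazonaws.com",
            f"{OIDC_HOST}:sub": "system:serviceaccount:default:example-sa",
        }},
    }],
}


def evaluate(namespace: str, sa_name: str, aud: str = "sts.amazonaws.com",
             issuer_host: str = OIDC_HOST) -> tuple:
    """(permissive_allows, hardened_allows) for a token minted to the given service account."""
    token = make_token(namespace, sa_name, aud, issuer_host)
    return trust_policy_allows(PERMISSIVE_POLICY, token), trust_policy_allows(HARDENED_POLICY, token)


if __name__ == "__main__":
    for ns, sa in [("default", "example-sa"), ("tenant-b", "some-other-sa")]:
        permissive, hardened = evaluate(ns, sa)
        print(f"{ns}/{sa}: permissive={permissive} hardened={hardened}")
```

Run it and the second service account is accepted by the permissive policy and rejected by the hardened one; that is the difference between a role any pod in the cluster can take and one tied to a single workload. A token minted for a different audience, or by a different issuer, is likewise rejected. If you need one role shared by several service accounts in a namespace, the real policy language offers StringLike with a wildcard in the name part of sub, which still keeps other namespaces out.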

Conclusion

AWS EKS OIDC Identity Integration is a powerful tool for securing your EKS cluster and simplifying identity and access management. By registering the cluster's OIDC issuer with IAM and pinning each role's trust policy to a single Kubernetes service account, you get fine-grained control over which workload can assume which IAM role, while Kubernetes RBAC continues to govern what those workloads may do inside the cluster. Together they significantly enhance the security of your containerized applications.

In a cloud-native world, where security and scalability are paramount, AWS EKS OIDC Identity Integration provides the necessary foundation for building and running your applications with confidence. Implement it in your EKS clusters today to experience the benefits firsthand.
