π AWS EKS Cluster IAM OIDC provider is not created π’
- Contextual name: π Cluster IAM OIDC provider is not created π’
- ID:
/ce/ca/aws/eks/cluster-oidc-provider - Located in: π AWS EKS
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Logicβ
- π§ prod.logic.yaml π’
- π AWS EKS Cluster
- π AWS EKS Cluster - object.extracts.yaml
- π§ͺ test-data.json
Descriptionβ
Descriptionβ
Ensure that AWS EKS clusters have an associated OpenID Connect (OIDC) provider configured. The OIDC provider is required to enable IAM Roles for Service Accounts (IRSA) - a feature that allows assigning IAM roles directly to Kubernetes service accounts. When a pod is associated with such a service account, the Kubernetes API server uses the clusterβs public OIDC discovery endpoint to validate tokens and enable secure role assumption.
Rationaleβ
Configuring an IAM OIDC provider for an EKS cluster enables fine-grained, pod-level access control to AWS resources. This implementation supports the principle of least privilege, allowing each Kubernetes workload to assume only the permissions it requires.
Additionally, certain core components - such as the Amazon VPC CNI plugin - rely on IRSA to assume roles securely and avoid over-permissioning the node IAM role. Without an OIDC provider, these components fall back to using the EC2 instance profile, which can introduce security risks and complicate auditing.
... see more
Remediationβ
Remediationβ
From Command Lineβ
You can associate an IAM OpenID Connect (OIDC) identity provider with your Amazon EKS cluster using the
eksctlCLI tool.Retrieve the OIDC Issuer URLβ
First, obtain the OIDC issuer URL for your cluster. Replace
{{cluster-name}}with the name of your EKS cluster:cluster_name={{cluster-name}}
oidc_url=$(aws eks describe-cluster \
--name "$cluster_name" \
--query "cluster.identity.oidc.issuer" \
--output text)
echo "$oidc_url"Associate the IAM OIDC Providerβ
Use
eksctlto create an IAM OIDC provider for the EKS cluster:eksctl utils associate-iam-oidc-provider \
--cluster "$cluster_name" \
--approve
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ Cloudaware Framework β πΌ Role-Based Access Control (RBAC) Management | 11 | |||
| πΌ Cloudaware Framework β πΌ Secure Access | 45 |