aws-cdk-lib.aws_eks.OpenIdConnectProvider

class OpenIdConnectProvider (construct)

LanguageType name
.NETAmazon.CDK.AWS.EKS.OpenIdConnectProvider
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awseks#OpenIdConnectProvider
Javasoftware.amazon.awscdk.services.eks.OpenIdConnectProvider
Pythonaws_cdk.aws_eks.OpenIdConnectProvider
TypeScript (source)aws-cdk-lib » aws_eks » OpenIdConnectProvider

Implements IConstruct, IDependable, IResource, IOpenIdConnectProvider

IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce.

You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account.

This implementation has default values for thumbprints and clientIds props that will be compatible with the eks cluster

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

Example

// you can import an existing provider
const provider = eks.OpenIdConnectProvider.fromOpenIdConnectProviderArn(this, 'Provider', 'arn:aws:iam::123456:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/AB123456ABC');

// or create a new one using an existing issuer url
declare const issuerUrl: string;
const provider2 = new eks.OpenIdConnectProvider(this, 'Provider', {
  url: issuerUrl,
});

const cluster = eks.Cluster.fromClusterAttributes(this, 'MyCluster', {
  clusterName: 'Cluster',
  openIdConnectProvider: provider,
  kubectlRoleArn: 'arn:aws:iam::123456:role/service-role/k8sservicerole',
});

const serviceAccount = cluster.addServiceAccount('MyServiceAccount');

const bucket = new s3.Bucket(this, 'Bucket');
bucket.grantReadWrite(serviceAccount);

Initializer

new OpenIdConnectProvider(scope: Construct, id: string, props: OpenIdConnectProviderProps)

Parameters

  • scope Construct — The definition scope.
  • id string — Construct ID.
  • props OpenIdConnectProviderProps — Initialization properties.

Defines an OpenID Connect provider.

Construct Props

NameTypeDescription
urlstringThe URL of the identity provider.

url

Type: string

The URL of the identity provider.

The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com.

You can find your OIDC Issuer URL by: aws eks describe-cluster --name %cluster_name% --query "cluster.identity.oidc.issuer" --output text

Properties

NameTypeDescription
envResourceEnvironmentThe environment this resource belongs to.
nodeNodeThe tree node.
openIdConnectProviderArnstringThe Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
openIdConnectProviderIssuerstringThe issuer for OIDC Provider.
openIdConnectProviderthumbprintsstringThe thumbprints configured for this provider.
stackStackThe stack in which this resource is defined.

env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


node

Type: Node

The tree node.


openIdConnectProviderArn

Type: string

The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.


openIdConnectProviderIssuer

Type: string

The issuer for OIDC Provider.


openIdConnectProviderthumbprints

Type: string

The thumbprints configured for this provider.


stack

Type: Stack

The stack in which this resource is defined.

Methods

NameDescription
applyRemovalPolicy(policy)Apply the given removal policy to this resource.
toString()Returns a string representation of this construct.

applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.