Description
The feature is fine-grained IAM roles for service accounts. In this approach, pods are first-class citizens in IAM. To make the feature work, the OpenID Connect provider that comes with EKS needs to be associated with the AWS account. More on this here: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
eksctl does that in one command. Unfortunately there is no native CloudFormation support, so it cannot be set up automatically.
The goal would be to add a parameter to the EKS cluster constructor which would let the programmer decide whether to associate the EKS OpenID Connect provider with AWS IAM.
Use Case
I'd like to use AWS native support for IAM roles for pods rather than 3rd-party solutions like role-credential interceptors (kube2iam, for instance).
Proposed Solution
The kubectl_enabled flag (introduced in CDK 1.4, if I recall correctly) changes the way EKS is provisioned. You could follow the same route and perform custom logic after the cluster is deployed. The logic would need to perform the following steps (more about this here: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html):
- retrieve the OIDC provider URL from the cluster
- create the OpenID Connect identity provider (https://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html). The only difficulty is getting the thumbprint (more about this here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html)
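As an added example (not code from aws-cdk or from this issue), here are the post-deploy steps above as a Python script. It assumes `openssl` is on PATH, as in the AWS thumbprint doc, and needs boto3 plus credentials only for the final function; the thumbprint and parameter helpers run offline.

```python
import base64
import hashlib
import re
import subprocess
from urllib.parse import urlparse

STS_AUDIENCE = "sts.amazonaws.com"  # client ID that IRSA tokens carry as audience
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text: str) -> list:
    """DER bytes of every certificate in a PEM chain, in the order served."""
    return [base64.b64decode("".join(b.split())) for b in PEM_CERT.findall(pem_text)]


def thumbprint_from_chain(pem_text: str) -> str:
    """SHA-1 hex of the last certificate in the served chain (the CA), as the AWS
    doc instructs; pinning the leaf instead would break when the issuer rotates it."""
    ders = pem_chain_to_der(pem_text)
    if not ders:
        raise ValueError("no certificates in chain")
    return hashlib.sha1(ders[-1]).hexdigest()


def fetch_issuer_chain(issuer_url: str) -> str:
    """Fetch the TLS chain of the OIDC issuer host with openssl, as the AWS doc does."""
    host = urlparse(issuer_url).hostname
    cmd = ["openssl", "s_client", "-servername", host, "-showcerts", "-connect", f"{host}:443"]
    return subprocess.run(cmd, input=b"", capture_output=True, check=True).stdout.decode()


def create_provider_params(issuer_url: str, thumbprint: str) -> dict:
    """Validated keyword arguments for iam.create_open_id_connect_provider."""
    if not issuer_url.startswith("https://"):
        raise ValueError("issuer URL must use https")
    if not re.fullmatch(r"[0-9a-fA-F]{40}", thumbprint):
        raise ValueError("thumbprint must be a 40-hex-char SHA-1")
    return {"Url": issuer_url, "ClientIDList": [STS_AUDIENCE], "ThumbprintList": [thumbprint]}


def associate_oidc_provider(cluster_name: str) -> str:
    """Run every step against AWS; returns the provider ARN. Needs boto3 and credentials."""
    import boto3  # lazy import so the offline helpers above work without it
    eks, iam = boto3.client("eks"), boto3.client("iam")
    issuer = eks.describe_cluster(name=cluster_name)["cluster"]["identity"]["oidc"]["issuer"]
    params = create_provider_params(issuer, thumbprint_from_chain(fetch_issuer_chain(issuer)))
    return iam.create_open_id_connect_provider(**params)["OpenIDConnectProviderArn"]
```

Running `associate_oidc_provider` twice for the same issuer fails on the second call because IAM already has that provider, so a real post-deploy hook should list existing providers first.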
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request