{"id":49895,"date":"2025-07-01T01:54:44","date_gmt":"2025-07-01T01:54:44","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=49895"},"modified":"2025-07-01T01:54:44","modified_gmt":"2025-07-01T01:54:44","slug":"what-is-oidc-identity-provider","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/what-is-oidc-identity-provider\/","title":{"rendered":"What is OIDC identity provider?"},"content":{"rendered":"\n<p>Great question! Here\u2019s a clear, non-technical explanation and then a technical one for <strong>OIDC identity provider<\/strong>, especially in the context of Kubernetes and AWS.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>In Simple Words:<\/strong><\/h2>\n\n\n\n<p><strong>OIDC<\/strong> stands for <strong>OpenID Connect<\/strong>.<br>An <strong>OIDC identity provider<\/strong> is like a trusted gatekeeper that verifies \u201cwho you are\u201d on the internet or within an organization.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you\u2019ve ever logged into a website using <strong>Google, Facebook, or Apple<\/strong>, you used an OIDC identity provider.<\/li>\n\n\n\n<li>In Kubernetes and AWS, the OIDC identity provider lets AWS \u201ctrust\u201d that a Kubernetes pod is really who it says it is.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>In the Context of AWS EKS and Kubernetes:<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Every EKS cluster can have an <strong>OIDC provider URL<\/strong> (something like <code>https:\/\/oidc.eks.us-west-2.amazonaws.com\/id\/EXAMPLED539D4633E53DE1B71EXAMPLE<\/code>).<\/li>\n\n\n\n<li>AWS uses this OIDC provider to verify which Kubernetes <strong>service account<\/strong> (and thus which pod) is asking for permissions.<\/li>\n\n\n\n<li>This enables <strong>IAM Roles for Service Accounts (IRSA)<\/strong>\u2014so 
specific pods can get their own AWS permissions, securely.<\/li>\n<\/ul>\n\n\n\n<p><strong>Analogy:<\/strong><br>Imagine you\u2019re at a club. The bouncer (AWS) will only let you in (give you permissions) if your ID badge (from the OIDC provider) matches what\u2019s on their approved list (the IAM role trust policy).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>In Technical Terms:<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OIDC (OpenID Connect)<\/strong> is an open standard for authentication, implemented as an identity layer on top of OAuth 2.0.<\/li>\n\n\n\n<li>An <strong>OIDC identity provider<\/strong> is a service that can:\n<ul class=\"wp-block-list\">\n<li><strong>Issue identity tokens<\/strong> (JWTs) after authenticating a user or system.<\/li>\n\n\n\n<li><strong>Sign these tokens<\/strong> so other systems (like AWS) can verify and trust them.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>In AWS EKS, the <strong>OIDC provider<\/strong> is set up for your cluster, and AWS recognizes the tokens your Kubernetes cluster issues to service accounts.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why is this important?<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Secure authentication:<\/strong> Lets AWS know exactly which K8s pod\/service account is making a request.<\/li>\n\n\n\n<li><strong>Fine-grained permissions:<\/strong> Only the pod with the right service account and OIDC-issued token gets the IAM role.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>In Summary:<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OIDC identity provider<\/strong> = a system that can vouch for identities in a secure, trusted way.<\/li>\n\n\n\n<li>In EKS, it\u2019s the bridge between AWS IAM and Kubernetes service 
accounts for secure, pod-level permissions.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Here\u2019s <strong>how to check if your AWS EKS cluster has an OIDC identity provider set up, and how to set it up if it\u2019s missing<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>A. How to Check If an OIDC Provider Is Already Set Up for Your EKS Cluster<\/strong><\/h1>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Get your EKS cluster name and region.<\/strong><\/li>\n\n\n\n<li><strong>Look up your cluster\u2019s OIDC issuer with the AWS CLI:<\/strong> <code>aws eks describe-cluster --name &lt;your-cluster-name&gt; --region &lt;region&gt;<\/code>\n<ul class=\"wp-block-list\">\n<li>Look for the <code>identity<\/code> section in the output: <code>\"identity\": { \"oidc\": { \"issuer\": \"https:\/\/oidc.eks.&lt;region&gt;.amazonaws.com\/id\/XXXXXXXXXXXXXXX\" } }<\/code><\/li>\n\n\n\n<li><strong>If you see the <code>issuer<\/code> URL, your EKS cluster has an OIDC provider endpoint.<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Check if the OIDC provider is associated with your AWS account:<\/strong> <code>aws iam list-open-id-connect-providers<\/code>\n<ul class=\"wp-block-list\">\n<li>Look for one whose URL matches your EKS cluster\u2019s OIDC <code>issuer<\/code> URL.<\/li>\n\n\n\n<li>Optionally, verify in the AWS Console under <strong>IAM &gt; Identity providers<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>B. 
How to Set Up (Associate) an OIDC Provider for Your EKS Cluster<\/strong><\/h1>\n\n\n\n<p>If you <strong>do not<\/strong> see your OIDC provider listed, run:<\/p>\n\n\n<pre class=\"wp-block-code\"><code>eksctl utils associate-iam-oidc-provider \\\n  --region &lt;region&gt; \\\n  --cluster &lt;your-cluster-name&gt; \\\n  --approve\n<\/code><\/pre>\n\n\n<ul class=\"wp-block-list\">\n<li>This command checks if the provider exists and <strong>creates it if missing<\/strong>.<\/li>\n\n\n\n<li>It associates your EKS cluster\u2019s OIDC issuer URL with your AWS account, enabling IAM Roles for Service Accounts (IRSA).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>C. 
How to Check in the AWS Console<\/strong><\/h1>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>IAM &gt; Identity providers<\/strong> in the AWS Management Console.<\/li>\n\n\n\n<li>You should see an entry with <strong>Provider type: OpenID Connect<\/strong> whose URL matches your EKS cluster\u2019s OIDC issuer URL.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Summary Table<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Step<\/th><th>Command<\/th><\/tr><\/thead><tbody><tr><td>Check OIDC in EKS cluster<\/td><td><code>aws eks describe-cluster --name &lt;name&gt; --region &lt;region&gt;<\/code><\/td><\/tr><tr><td>List OIDC providers (AWS)<\/td><td><code>aws iam list-open-id-connect-providers<\/code><\/td><\/tr><tr><td>Associate OIDC with cluster<\/td><td><code>eksctl utils associate-iam-oidc-provider ...<\/code><\/td><\/tr><tr><td>AWS Console<\/td><td>IAM &gt; Identity providers<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>Great question! Here\u2019s a clear, non-technical explanation and then a technical one for OIDC identity provider, especially in the context of Kubernetes and AWS. 
In Simple Words: OIDC stands for&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-49895","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=49895"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49895\/revisions"}],"predecessor-version":[{"id":49896,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49895\/revisions\/49896"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=49895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=49895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=49895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}