Step 1
iam:*OpenIDConnectProvider* permissions are not required when creating an EKS cluster with CreateCluster, which creates an OpenID Connect provider URL (OpenID Connect issuer URL) for the cluster (e.g. https://oidc.eks.ap-southeast-2.amazonaws.com/id/ABCABC111222333444ABCABC11122233).
And in CloudTrail, there are no *OpenIDConnectProvider* events logged.
Step 2
After (1), the cluster has an OpenID Connect issuer URL associated with it. To use IAM roles for service accounts, an IAM OIDC provider must exist for the cluster. See here.
Then you need to run ekctl utils associate-iam-oidc-provider, e.g.
$ eksctl utils associate-iam-oidc-provider --cluster=k-test-oicd --approve --region=ap-southeast-2 --profile test-oidc
A Open ID Provider with the same URL as (1) is created.
For this step, this role needs to have at least the following permissions.
iam:CreateOpenIDConnectProvider
iam:GetOpenIDConnectProvider
iam:TagOpenIDConnectProvider
CloudTrail does NOT show the events as well (e.g. CreateOpenIDConnectProvider).
Top comments (0)