


# AWS::EKS::IdentityProviderConfig
<a name="aws-resource-eks-identityproviderconfig"></a>

Associates an identity provider configuration to a cluster.

If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it with your cluster. After configuring authentication to your cluster, you can create Kubernetes `Role` and `ClusterRole` objects, assign permissions to them, and then bind them to the identities using Kubernetes `RoleBinding` and `ClusterRoleBinding` objects. For more information, see [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) in the Kubernetes documentation.

## Syntax
<a name="aws-resource-eks-identityproviderconfig-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-eks-identityproviderconfig-syntax.json"></a>

```
{
  "Type" : "AWS::EKS::IdentityProviderConfig",
  "Properties" : {
      "ClusterName" : String,
      "IdentityProviderConfigName" : String,
      "Oidc" : OidcIdentityProviderConfig,
      "Tags" : [ Tag, ... ],
      "Type" : String
    }
}
```

### YAML
<a name="aws-resource-eks-identityproviderconfig-syntax.yaml"></a>

```
Type: AWS::EKS::IdentityProviderConfig
Properties:
  ClusterName: String
  IdentityProviderConfigName: String
  Oidc:
    OidcIdentityProviderConfig
  Tags:
    - Tag
  Type: String
```

## Properties
<a name="aws-resource-eks-identityproviderconfig-properties"></a>

`ClusterName`  <a name="cfn-eks-identityproviderconfig-clustername"></a>
The name of your cluster.  
*Required*: Yes  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`IdentityProviderConfigName`  <a name="cfn-eks-identityproviderconfig-identityproviderconfigname"></a>
The name of the configuration.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Oidc`  <a name="cfn-eks-identityproviderconfig-oidc"></a>
An object representing an OpenID Connect (OIDC) identity provider configuration.  
*Required*: No  
*Type*: [OidcIdentityProviderConfig](aws-properties-eks-identityproviderconfig-oidcidentityproviderconfig.md)  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-eks-identityproviderconfig-tags"></a>
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-eks-identityproviderconfig-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Type`  <a name="cfn-eks-identityproviderconfig-type"></a>
The type of the identity provider configuration. The only type available is `oidc`.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `oidc`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-eks-identityproviderconfig-return-values"></a>

### Ref
<a name="aws-resource-eks-identityproviderconfig-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the resource name. For example:

 `{ "Ref": "myIdentityProviderConfig" }` 

For the IdentityProviderConfig, Ref returns the physical resource ID of the config. For example, `cluster-name/oidc/identity-provider-config-name`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-eks-identityproviderconfig-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-eks-identityproviderconfig-return-values-fn--getatt-fn--getatt"></a>

`IdentityProviderConfigArn`  <a name="IdentityProviderConfigArn-fn::getatt"></a>
The Amazon Resource Name (ARN) associated with the identity provider config.

## Remarks
<a name="aws-resource-eks-identityproviderconfig--remarks"></a>

 *Creating an identity provider config and Fargate profile resources in the same template.* 

If CloudFormation attempts to create both resources at the same time, resource creation fails. If you want to create both resources in the same template, then add the `DependsOn` property in your template, as shown in the examples.

## Examples
<a name="aws-resource-eks-identityproviderconfig--examples"></a>

### Create an identity provider config
<a name="aws-resource-eks-identityproviderconfig--examples--Create_an_identity_provider_config"></a>

The following example creates an identity provider config. If you're not creating an `EKSFargateProfile` in the same template, remove the `"DependsOn"` line in the following example. For more information, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-fargateprofile.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-fargateprofile.html).

#### JSON
<a name="aws-resource-eks-identityproviderconfig--examples--Create_an_identity_provider_config--json"></a>

```
{
  "EKSIdpConfig": {
    "DependsOn": "EKSFargateProfile",
    "Type": "AWS::EKS::IdentityProviderConfig",
    "Properties": {
      "ClusterName": "my-cluster",
      "Type": "oidc",
      "Oidc": {
        "ClientId": "kubernetes",
        "IssuerUrl": "https://example.com"
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-eks-identityproviderconfig--examples--Create_an_identity_provider_config--yaml"></a>

```
Resources:
  EKSIdpConfig:
    DependsOn: EKSFargateProfile
    Type: AWS::EKS::IdentityProviderConfig
    Properties:
      ClusterName: my-cluster
      Type: oidc
      Oidc:
        ClientId: "kubernetes"
        IssuerUrl: "https://example.com"
```

## See also
<a name="aws-resource-eks-identityproviderconfig--seealso"></a>
+ [Authenticating users for your cluster from an OpenID Connect identity provider](https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html) in the *Amazon EKS User Guide*.
+ [AssociateIdentityProviderConfig](https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateIdentityProviderConfig.html) in the *Amazon EKS API Reference*.

# AWS::EKS::IdentityProviderConfig OidcIdentityProviderConfig
<a name="aws-properties-eks-identityproviderconfig-oidcidentityproviderconfig"></a>

An object representing the configuration for an OpenID Connect (OIDC) identity provider. 

## Syntax
<a name="aws-properties-eks-identityproviderconfig-oidcidentityproviderconfig-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-eks-identityproviderconfig-oidcidentityproviderconfig-syntax.json"></a>

```
{
  "ClientId" : String,
  "GroupsClaim" : String,
  "GroupsPrefix" : String,
  "IssuerUrl" : String,
  "RequiredClaims" : [ RequiredClaim, ... ],
  "UsernameClaim" : String,
  "UsernamePrefix" : String
}
```

### YAML
<a name="aws-properties-eks-identityproviderconfig-oidcidentityproviderconfig-syntax.yaml"></a>

```
  ClientId: String
  GroupsClaim: String
  GroupsPrefix: String
  IssuerUrl: String
  RequiredClaims:
    - RequiredClaim
  UsernameClaim: String
  UsernamePrefix: String
```

## Properties
<a name="aws-properties-eks-identityproviderconfig-oidcidentityproviderconfig-properties"></a>

`ClientId`  <a name="cfn-eks-identityproviderconfig-oidcidentityproviderconfig-clientid"></a>
This is also known as *audience*. The ID of the client application that makes authentication requests to the OIDC identity provider.  
*Required*: Yes  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`GroupsClaim`  <a name="cfn-eks-identityproviderconfig-oidcidentityproviderconfig-groupsclaim"></a>
The JSON Web Token (JWT) claim that the provider uses to return your groups.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`GroupsPrefix`  <a name="cfn-eks-identityproviderconfig-oidcidentityproviderconfig-groupsprefix"></a>
The prefix that is prepended to group claims to prevent clashes with existing names (such as `system:` groups). For example, the value `oidc:` creates group names like `oidc:engineering` and `oidc:infra`. The prefix can't contain `system:`.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`IssuerUrl`  <a name="cfn-eks-identityproviderconfig-oidcidentityproviderconfig-issuerurl"></a>
The URL of the OIDC identity provider that allows the API server to discover public signing keys for verifying tokens.  
*Required*: Yes  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RequiredClaims`  <a name="cfn-eks-identityproviderconfig-oidcidentityproviderconfig-requiredclaims"></a>
The key-value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value.  
*Required*: No  
*Type*: Array of [RequiredClaim](aws-properties-eks-identityproviderconfig-requiredclaim.md)  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`UsernameClaim`  <a name="cfn-eks-identityproviderconfig-oidcidentityproviderconfig-usernameclaim"></a>
The JSON Web Token (JWT) claim that is used as the username.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`UsernamePrefix`  <a name="cfn-eks-identityproviderconfig-oidcidentityproviderconfig-usernameprefix"></a>
The prefix that is prepended to username claims to prevent clashes with existing names. The prefix can't contain `system:`.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
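
How the properties above combine into a Kubernetes identity, as an added example that is not part of the original reference and not AWS or Kubernetes code. It is a simplified model: `map_identity`, `SAMPLE_OIDC` and `SAMPLE_CLAIMS` are hypothetical names, the claims are constructed, signature verification is assumed to have already happened, and the `sub` fallback for an unset `UsernameClaim` is an assumption.

```python
def map_identity(oidc, claims):
    """Map verified token claims to (username, groups) or raise ValueError.

    Signature verification against the keys discovered through IssuerUrl is
    assumed to have happened already and is not modelled here.
    """
    if claims.get("iss") != oidc["IssuerUrl"]:
        raise ValueError("issuer does not match IssuerUrl")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if oidc["ClientId"] not in audiences:
        raise ValueError("audience does not match ClientId")
    # Every RequiredClaim must be present with exactly the configured value.
    for required in oidc.get("RequiredClaims", []):
        key, value = required["Key"], required["Value"]
        if key not in claims or claims[key] != value:
            raise ValueError(f"required claim {key!r} missing or mismatched")
    # Assumption: 'sub' is used when UsernameClaim is not set.
    username_claim = oidc.get("UsernameClaim", "sub")
    if username_claim not in claims:
        raise ValueError(f"token has no {username_claim!r} claim")
    username = oidc.get("UsernamePrefix", "") + str(claims[username_claim])
    raw_groups = claims.get(oidc["GroupsClaim"], []) if "GroupsClaim" in oidc else []
    if isinstance(raw_groups, str):
        raw_groups = [raw_groups]
    # The prefix keeps provider-supplied names apart from built-in ones.
    groups = [oidc.get("GroupsPrefix", "") + group for group in raw_groups]
    return username, groups

# Constructed configuration and token claims for illustration only.
SAMPLE_OIDC = {
    "ClientId": "kubernetes",
    "IssuerUrl": "https://example.com",
    "UsernameClaim": "email",
    "UsernamePrefix": "oidc:",
    "GroupsClaim": "groups",
    "GroupsPrefix": "oidc:",
    "RequiredClaims": [{"Key": "env", "Value": "prod"}],
}
SAMPLE_CLAIMS = {
    "iss": "https://example.com",
    "aud": "kubernetes",
    "email": "dev@example.com",
    "groups": ["engineering", "system:masters"],
    "env": "prod",
}

if __name__ == "__main__":
    print(map_identity(SAMPLE_OIDC, SAMPLE_CLAIMS))
```

With `GroupsPrefix` set to `oidc:`, a group value that resembles a built-in name maps to `oidc:system:masters`, so it only gains permissions if a `RoleBinding` or `ClusterRoleBinding` names that prefixed group explicitly.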

# AWS::EKS::IdentityProviderConfig RequiredClaim
<a name="aws-properties-eks-identityproviderconfig-requiredclaim"></a>

A key-value pair that describes a required claim in the identity token. If set, each claim is verified to be present in the token with a matching value.

## Syntax
<a name="aws-properties-eks-identityproviderconfig-requiredclaim-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-eks-identityproviderconfig-requiredclaim-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-eks-identityproviderconfig-requiredclaim-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-eks-identityproviderconfig-requiredclaim-properties"></a>

`Key`  <a name="cfn-eks-identityproviderconfig-requiredclaim-key"></a>
The key to match from the token.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `63`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Value`  <a name="cfn-eks-identityproviderconfig-requiredclaim-value"></a>
The value for the key from the token.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `253`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
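
A pre-deployment check for the constraints documented on this page (required properties, the `oidc` type, the `system:` prefix restriction, and the `RequiredClaim` length limits), as an added example rather than AWS tooling. `lint_idp_configs` and `SAMPLE_TEMPLATE` are hypothetical names, the template is constructed, and the check for a `GroupsClaim` without a `GroupsPrefix` is a hygiene rule added here, not a service requirement.

```python
import json

IDP_TYPE = "AWS::EKS::IdentityProviderConfig"

def lint_idp_configs(template):
    """Check each IdentityProviderConfig against the constraints documented above."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != IDP_TYPE:
            continue
        props = res.get("Properties", {})
        oidc = props.get("Oidc", {})
        def bad(msg):
            findings.append(f"{name}: {msg}")
        if not props.get("ClusterName"):
            bad("ClusterName is required")
        if props.get("Type") != "oidc":
            bad("Type must be 'oidc'")
        for key in ("ClientId", "IssuerUrl"):
            if not oidc.get(key):
                bad(f"Oidc.{key} is required")
        for key in ("GroupsPrefix", "UsernamePrefix"):
            value = oidc.get(key)
            if isinstance(value, str) and "system:" in value:
                bad(f"Oidc.{key} can't contain 'system:'")
        # Hygiene check added for this example, not a rule stated by the service.
        if oidc.get("GroupsClaim") and not oidc.get("GroupsPrefix"):
            bad("GroupsClaim is set without a GroupsPrefix")
        for i, claim in enumerate(oidc.get("RequiredClaims", [])):
            for field, limit in (("Key", 63), ("Value", 253)):
                text = claim.get(field, "")
                if not (isinstance(text, str) and 1 <= len(text) <= limit):
                    bad(f"RequiredClaims[{i}].{field} must be 1-{limit} characters")
    return findings

# Constructed sample template: one conforming resource, one with several defects.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "GoodIdp": {"Type": "AWS::EKS::IdentityProviderConfig", "Properties": {
    "ClusterName": "my-cluster", "Type": "oidc",
    "Oidc": {"ClientId": "kubernetes", "IssuerUrl": "https://example.com",
             "GroupsClaim": "groups", "GroupsPrefix": "oidc:",
             "RequiredClaims": [{"Key": "env", "Value": "prod"}]}}},
  "BadIdp": {"Type": "AWS::EKS::IdentityProviderConfig", "Properties": {
    "ClusterName": "my-cluster", "Type": "saml",
    "Oidc": {"ClientId": "kubernetes", "GroupsClaim": "groups",
             "GroupsPrefix": "system:oidc:",
             "RequiredClaims": [{"Key": "", "Value": "prod"}]}}}
}}
""")

if __name__ == "__main__":
    for finding in lint_idp_configs(SAMPLE_TEMPLATE):
        print(finding)
```

Templates that use intrinsic functions such as `Ref` for a prefix or claim value are not resolved by this check; only literal strings are inspected for those fields.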

# AWS::EKS::IdentityProviderConfig Tag
<a name="aws-properties-eks-identityproviderconfig-tag"></a>

The metadata that you apply to a resource to help you categorize and organize them. Each tag consists of a key and an optional value. You define them.

The following basic restrictions apply to tags:
+ Maximum number of tags per resource – 50
+ For each resource, each tag key must be unique, and each tag key can have only one value.
+ Maximum key length – 128 Unicode characters in UTF-8
+ Maximum value length – 256 Unicode characters in UTF-8
+ If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: \+ - = . \_ : / @.
+ Tag keys and values are case-sensitive.
+ Do not use `aws:`, `AWS:`, or any upper or lowercase combination of these as a prefix for either keys or values, because the prefix is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

## Syntax
<a name="aws-properties-eks-identityproviderconfig-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-eks-identityproviderconfig-tag-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-eks-identityproviderconfig-tag-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-eks-identityproviderconfig-tag-properties"></a>

`Key`  <a name="cfn-eks-identityproviderconfig-tag-key"></a>
One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-eks-identityproviderconfig-tag-value"></a>
The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key).  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-eks-identityproviderconfig-tag--examples"></a>

<a name="aws-properties-eks-identityproviderconfig-tag--examples--"></a>



#### JSON
<a name="aws-properties-eks-identityproviderconfig-tag--examples----json"></a>

```
"Tags" : [
   {
      "Key" : "keyname1",
      "Value" : "value1"
   },
   {
      "Key" : "keyname2",
      "Value" : "value2"
   }
]
```

#### YAML
<a name="aws-properties-eks-identityproviderconfig-tag--examples----yaml"></a>

```
Tags: 
  - Key: "keyname1"
    Value: "value1"
  - Key: "keyname2"
    Value: "value2"
```

## See also
<a name="aws-properties-eks-identityproviderconfig-tag--seealso"></a>
+  [Setting CloudFormation stack options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html) 
+  [Viewing CloudFormation stack data and resources on the AWS Management Console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html) 