bland-pharmacist-96854

01/17/2023, 12:25 PM
Good morning. How should I add an identity provider to a new EKS cluster using the pulumi eks package? I set create_oidc_provider to true. This creates the IdP provider in IAM, but it does not associate it with the cluster.

billowy-army-68599

01/17/2023, 1:13 PM
have you used OIDC before with EKS? Creating the provider is all you need to do, once you’ve got that you just need to create a service account and a related policy. There’s an example here in typescript: https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/eks-platform/alb-ingress-controller/index.ts

bland-pharmacist-96854

01/17/2023, 1:17 PM
Do you mean that it is not necessary to associate the created IDP?

billowy-army-68599

01/17/2023, 1:22 PM
this happens when you implement a service account, the UI doesn’t exactly track the API

bland-pharmacist-96854

01/17/2023, 1:35 PM
ah thanks!
https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-enable-IAM.html#setting-up-OIDC-console so do you mean that by setting that flag to True, this step will be done entirely?

billowy-army-68599

01/17/2023, 1:40 PM
that command is what happens when you do create_oidc_provider and then create an IAM role with sts:AssumeRoleWithWebIdentity

bland-pharmacist-96854

01/17/2023, 1:42 PM
ok, thanks.
last question, is there any better way to do this: https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.html Now I have a yaml manifest that I apply to the new EKS cluster using kubernetes.yaml.ConfigFile, but looking at pulumi-eks it looks like maybe I can do that directly with creation_role_provider?
https://pulumi-community.slack.com/archives/CRFURDVQB/p1673962852363789?thread_ts=1673958343.040869&cid=CRFURDVQB But in that AWS document, they are not doing anything related to sts:AssumeRoleWithWebIdentity, right? Did you say that thinking about the future?
for OIDC you do the following things:
• create an OIDC provider (performed with create_oidc_provider on the cluster)
• create an IAM role which is associated with the OIDC provider: https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/eks-platform/alb-ingress-controller/index.ts#L19-L39
• annotate a service account to associate the role
Now I have a yaml manifest that I apply to the new EKS cluster using kubernetes.yaml.ConfigFile but looking at pulumi-eks looks like maybe I can do that directly with
no, these are two distinct and separate steps

bland-pharmacist-96854

01/17/2023, 2:40 PM
so, related to this, do you know how I can automate the 3rd step of this document using pulumi? https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.html#setting-up-cluster-access-manual

billowy-army-68599

01/17/2023, 3:02 PM
I don’t have any experience with that, no