Associate an identity provider configuration to a cluster.

If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster you can create Kubernetes roles and clusterroles to assign permissions to the roles, and then bind the roles to the identities using Kubernetes rolebindings and clusterrolebindings . For more information see Using RBAC Authorization in the Kubernetes documentation.

See also: AWS API Documentation

Request Syntax

response = client.associate_identity_provider_config(
        'identityProviderConfigName': 'string',
        'issuerUrl': 'string',
        'clientId': 'string',
        'usernameClaim': 'string',
        'usernamePrefix': 'string',
        'groupsClaim': 'string',
        'groupsPrefix': 'string',
        'requiredClaims': {
            'string': 'string'
        'string': 'string'
  • clusterName (string) --


    The name of the cluster to associate the configuration to.

  • oidc (dict) --


    An object representing an OpenID Connect (OIDC) identity provider configuration.

    • identityProviderConfigName (string) -- [REQUIRED]

      The name of the OIDC provider configuration.

    • issuerUrl (string) -- [REQUIRED]

      The URL of the OpenID identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with https:// and should correspond to the iss claim in the provider's OIDC ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like or . This URL should point to the level below .well-known/openid-configuration and must be publicly accessible over the internet.

    • clientId (string) -- [REQUIRED]

      This is also known as audience . The ID for the client application that makes authentication requests to the OpenID identity provider.

    • usernameClaim (string) --

      The JSON Web Token (JWT) claim to use as the username. The default is sub , which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name , depending on the OpenID identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes with other plug-ins.

    • usernamePrefix (string) --

      The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and username is a value other than email , the prefix defaults to issuerurl# . You can use the value - to disable all prefixing.

    • groupsClaim (string) --

      The JWT claim that the provider uses to return your groups.

    • groupsPrefix (string) --

      The prefix that is prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the value oidc: will create group names like oidc:engineering and oidc:infra .

    • requiredClaims (dict) --

      The key value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see Amazon EKS service quotas in the Amazon EKS User Guide .

      • (string) --
        • (string) --
  • tags (dict) --

    The metadata to apply to the configuration to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.

    • (string) --
      • (string) --
  • clientRequestToken (string) --

    Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

    This field is autopopulated if not provided.

Return type



Response Syntax

    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate',
        'params': [
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage',
                'value': 'string'
        'createdAt': datetime(2015, 1, 1),
        'errors': [
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
    'tags': {
        'string': 'string'

Response Structure

  • (dict) --

    • update (dict) --

      An object representing an asynchronous update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp in seconds for when the update was created.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
            • EniLimitReached : You have reached the elastic network interface limit for your account.
            • IpNotAvailable : A subnet associated with the cluster doesn't have any free IP addresses.
            • AccessDenied : You don't have permissions to perform the specified operation.
            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.
          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --
    • tags (dict) --

      The tags for the resource.

      • (string) --
        • (string) --


  • EKS.Client.exceptions.InvalidParameterException
  • EKS.Client.exceptions.ClientException
  • EKS.Client.exceptions.ServerException
  • EKS.Client.exceptions.ResourceInUseException
  • EKS.Client.exceptions.ResourceNotFoundException
  • EKS.Client.exceptions.InvalidRequestException