Creating the IAM OIDC identity provider for an EKS cluster with the AWS CLI

$ CLUSTER_NAME=example-eks-cluster
$ ISSUER_URL=$(aws eks describe-cluster --name "$CLUSTER_NAME" --query "cluster.identity.oidc.issuer" --output text)
$ JWKS_FQDN=$(curl -sS "$ISSUER_URL/.well-known/openid-configuration" | jq -r '.jwks_uri' | perl -pe 's/^https:\/\/(.+?)\/.+$/${1}/')
$ CERTIFICATE_BODY=$(openssl s_client -servername "$JWKS_FQDN" -showcerts -connect "$JWKS_FQDN:443" < /dev/null)
$ CERTIFICATE_START=$(echo "$CERTIFICATE_BODY" | grep -n 'BEGIN CERTIFICATE' | sed -e 's/:.*//g' | tail -n 1)
$ CERTIFICATE_END=$(echo "$CERTIFICATE_BODY" | grep -n 'END CERTIFICATE' | sed -e 's/:.*//g' | tail -n 1)
$ echo "$CERTIFICATE_BODY" | head -n "$CERTIFICATE_END" | tail -n "$(expr "$CERTIFICATE_END" - "$CERTIFICATE_START" + 1)" > /tmp/certificate.crt
$ ROOT_CA_FINGERPRINT=$(openssl x509 -in /tmp/certificate.crt -fingerprint -noout | perl -pe 's/^SHA1 Fingerprint=(.+)$/${1}/' | perl -pe 's/\://g')
$ rm -f /tmp/certificate.crt
$ aws iam create-open-id-connect-provider --url "$ISSUER_URL" --thumbprint-list "$ROOT_CA_FINGERPRINT" --client-id-list sts.amazonaws.com
{
    "OpenIDConnectProviderArn": "arn:aws:iam::999999999999:oidc-provider/oidc.eks.ap-northeast-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
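As an added check (example code written for this note, not part of the original article or of the AWS CLI), the following Python reproduces the thumbprint step of the pipeline above without relying on shell quoting: it takes the last certificate block out of `openssl s_client -showcerts` output, computes the SHA-1 over its DER encoding (which is what `openssl x509 -fingerprint` prints and what `--thumbprint-list` expects), and compares it with a thumbprint already registered on a provider. The s_client output embedded here is constructed, with placeholder names and non-certificate bodies, so the result can be checked by hand.

```python
import base64
import hashlib
import re

# Constructed stand-in for `openssl s_client -showcerts` output: two PEM blocks
# surrounded by the status lines s_client prints. The base64 bodies are not real
# certificates ("leaf" and "abc"), chosen so the result can be checked by hand.
SAMPLE_S_CLIENT_OUTPUT = """\
depth=1 O = Example Issuer CA (constructed)
verify return:1
---
Certificate chain
 0 s:CN = oidc.example (constructed)
   i:O = Example Issuer CA (constructed)
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
 1 s:O = Example Issuer CA (constructed)
   i:O = Example Issuer CA (constructed)
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""

# One PEM certificate block; DOTALL so the body may span several lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(text: str) -> list:
    """DER bytes of every PEM certificate block, in the order the server sent them."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def thumbprint(der: bytes) -> str:
    """IAM thumbprint form: SHA-1 over the DER encoding, upper-case hex, no colons."""
    return hashlib.sha1(der).hexdigest().upper()


def last_cert_thumbprint(s_client_output: str) -> str:
    """Thumbprint of the last certificate presented, the one the shell pipeline selects."""
    ders = pem_chain_to_der(s_client_output)
    if not ders:
        raise ValueError("no certificate blocks found in s_client output")
    return thumbprint(ders[-1])


def matches_registered(s_client_output: str, registered: str) -> bool:
    """Compare with a thumbprint as IAM or `openssl x509 -fingerprint` prints it (colons, any case)."""
    return last_cert_thumbprint(s_client_output) == registered.replace(":", "").upper()
```

To audit an existing provider, feed real s_client output to `matches_registered` together with a value from `aws iam get-open-id-connect-provider`; a mismatch means the registered thumbprint no longer corresponds to the certificate the JWKS host presents.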