Using OIDC to authenticate users on EKS

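---
# Cluster-wide admin ClusterRole intended for the "gid:admin" OIDC group.
#
# Two problems in the original manifest:
#   * `resources` and `verbs` were "". RBAC matches those fields literally or
#     with the "*" wildcard; "" only means something in apiGroups (the core
#     group). As written the role granted nothing.
#   * `metadata.name: admin` collides with the built-in, auto-reconciled
#     `admin` ClusterRole that Kubernetes bootstraps on every cluster, so
#     `kubectl create` fails with AlreadyExists and `apply` would clobber a
#     system role. The role is renamed to avoid that.
# NOTE(review): the built-in `cluster-admin` ClusterRole already carries
# exactly these wildcard rules (plus nonResourceURLs). Binding the group to
# `cluster-admin` and not maintaining a copy is the simpler, safer option;
# keep this file only if a locally managed copy is required, and bind to it
# by its new name.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oidc-cluster-admin
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"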
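---
# Grants the "gid:admin" OIDC group full cluster administration.
#
# roleRef targets the built-in `cluster-admin` ClusterRole instead of a
# hand-written "admin" role: `admin` is itself a built-in ClusterRole that the
# API server reconciles, and the custom role in the original page used ""
# for resources/verbs, which grants nothing. The `namespace` field was
# dropped — a ClusterRoleBinding is cluster-scoped, the field carries no
# meaning there, and leaving it in suggests a namespace-limited grant that
# does not exist.
# NOTE(review): the "gid:" prefix presumably matches the groupsPrefix set on
# the cluster's OIDC identity provider configuration — confirm. Keep a prefix:
# without one, a Cognito group named e.g. system:masters would map straight
# onto the built-in superuser group.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-role-binding
subjects:
- kind: Group
  name: "gid:admin"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io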
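---
# Read-only ClusterRole intended for the "gid:viewer" OIDC group.
#
# The original listed `resources: [""]`, which matches nothing (RBAC matches
# resource names literally or via "*"), so the role granted no access at all.
# Resources are enumerated here rather than fixed with "*" so that Secrets
# stay unreadable: get/list/watch on Secrets exposes service-account tokens
# and stored credentials, which turns a "viewer" into an effective admin.
# NOTE(review): the built-in `view` ClusterRole provides a curated read-only
# set (also excluding Secrets) across the core and apps API groups; binding
# to it instead of maintaining this list is the simpler option.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: viewer
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - events
  - namespaces
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - pods/log
  - pods/status
  - services
  - serviceaccounts
  verbs:
  - "get"
  - "watch"
  - "list"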
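---
# Grants the "gid:viewer" OIDC group the read-only `viewer` ClusterRole.
#
# The original roleRef pointed at `admin`, so every member of the viewer group
# was bound to the admin role — a privilege-escalation bug, fixed here.
# roleRef on a binding is immutable: delete the existing
# `viewer-role-binding` before recreating it with the corrected reference
# (`kubectl apply`/`create` cannot change it in place). The `namespace` field
# was dropped because a ClusterRoleBinding is cluster-scoped; this grant
# applies in every namespace.
# NOTE(review): the built-in `view` ClusterRole (read-only, excludes Secrets)
# is an alternative roleRef if a custom viewer role is not required.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: viewer-role-binding
subjects:
- kind: Group
  name: "gid:viewer"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: viewer
  apiGroup: rbac.authorization.k8s.io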
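# Install the RBAC objects. `apply` is idempotent where `create` fails on a
# second run. Note that roleRef on a (Cluster)RoleBinding is immutable: a
# binding whose roleRef changed must be deleted and recreated.
kubectl apply -f clusterrole-admin.yaml
kubectl apply -f clusterrole-viewer.yaml
kubectl apply -f rolebinding-admin.yaml
kubectl apply -f rolebinding-viewer.yaml

# Verify what each OIDC group actually gets before handing out membership.
# Impersonation uses the group name exactly as the API server sees it, so it
# must include whatever groupsPrefix the OIDC provider config applies.
kubectl auth can-i '*' '*' --as=oidc-test --as-group=gid:admin                         # expect: yes
kubectl auth can-i get secrets --all-namespaces --as=oidc-test --as-group=gid:viewer   # expect: no
kubectl auth can-i list pods --all-namespaces --as=oidc-test --as-group=gid:viewer     # expect: yes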
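# --- Cognito -> EKS login helper -------------------------------------------
# Obtains a Cognito ID token for a user so it can be presented to the EKS API
# server as an OIDC bearer token. Pool id and app client id are public
# identifiers, not secrets, but they are deployment-specific.
POOL_ID=us-west-2_4zc6goGPt
CLIENT_ID=5aggotjr7lg5j3s97tbp5ujvrf
GROUP=admin
COGNITO_REGION=us-west-2
EKS_REGION=ap-south-1
# The issuer the cluster's OIDC provider must be configured with is the value
# Cognito writes into the token's `iss` claim:
#   https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
# The hosted-UI domain (*.auth.<region>.amazoncognito.com) used originally is
# not the issuer and does not serve /.well-known/openid-configuration, so
# discovery and token signature verification against it fail.
ISSUER_URL="https://cognito-idp.${COGNITO_REGION}.amazonaws.com/${POOL_ID}"
AWS_ACCOUNT=096886091539 # This is the account where the cluster lives, not Cognito

read -r -p 'Username: ' username
read -r -s -p 'Password: ' password; echo

# ADMIN_USER_PASSWORD_AUTH is a server-side flow: the caller needs IAM
# permission cognito-idp:AdminInitiateAuth on the pool (supplied here via
# --profile). For an end-user login, USER_PASSWORD_AUTH via `initiate-auth`
# needs no IAM credentials at all.
# The password travels as a CLI argument and is therefore visible in the
# process list (ps, /proc) for the lifetime of the aws call; `--cli-input-json`
# from a short-lived file, or an authorization-code flow, avoids that.
# Fixes vs. the original: the continuation backslash after --region was
# missing, so `--output text | cut ...` ran as a separate (failing) command;
# --auth-parameters is quoted so a password containing spaces survives (a
# password containing a comma still breaks the shorthand syntax — use
# --cli-input-json for those).
AUTH_OUT="$(aws cognito-idp admin-initiate-auth \
  --auth-flow ADMIN_USER_PASSWORD_AUTH \
  --client-id "$CLIENT_ID" \
  --user-pool-id "$POOL_ID" \
  --auth-parameters "USERNAME=${username},PASSWORD=${password}" \
  --profile dubber-dev \
  --region "$COGNITO_REGION" \
  --query 'AuthenticationResult.[RefreshToken, IdToken]' \
  --output text)"
unset password

# The query prints "<refresh-token><TAB><id-token>" on one line; split it
# into the two variables the original left empty. (The original's
# `cut -f 2 -d.` split on '.', yielding a fragment of the refresh token
# rather than a usable token.)
read -r REFRESH_TOKEN ID_TOKEN <<< "$AUTH_OUT"
# A null AuthenticationResult (e.g. a pending MFA / NEW_PASSWORD_REQUIRED
# challenge) prints "None" under --output text; don't hand that to kubectl.
if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "None" ]; then
  echo "no ID token returned (auth challenge pending?)" >&2
else
  # ID tokens are short-lived; use REFRESH_TOKEN with the REFRESH_TOKEN_AUTH
  # flow to obtain a new one rather than re-prompting for the password.
  export REFRESH_TOKEN ID_TOKEN
fi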