Azure AD as OIDC identity provider authentication for Amazon EKS

Rahmat Fedayizada
6 min read · May 18, 2021

With the introduction of user authentication for Amazon EKS clusters from an OpenID Connect (OIDC) Identity Provider (IDP), we can now integrate an OIDC identity provider of our choice with an EKS cluster as an alternative to AWS Identity and Access Management (IAM) for managing user access to the cluster.

In this blog, I’ll go through how to set up Azure Active Directory (Azure AD) as our OIDC identity provider and integrate it with an Amazon EKS cluster. Azure AD is Microsoft’s cloud-based identity and access management service. We will create an Azure AD application to be used as the OIDC IDP and assign a test user to it, associate the OIDC IDP with the Amazon EKS cluster, grant cluster admin to our Azure AD test user through Kubernetes RBAC, and configure a user to authenticate with kubeconfig using the Azure Active Directory plugin for client authentication.

A: Create an Azure AD Application (Service Principal Object) to be used as OIDC IDP

1: Log in to the Azure AD portal as a user that has sufficient permission to create Azure AD applications and manage permissions, and select Azure Active Directory from Azure Services.

2: From the sidebar, click Enterprise Applications

3: From the top, click New Application

4: Again, click Create your own application

5: This opens a wizard to create an Azure AD application; provide a name for the application and click Create

6: Navigate back to Azure Active Directory and from the sidebar click App registrations

7: Search for your newly created app from step 5 and click it

8: Click Add a redirect URI

9: Click Add a platform and select Web

10: Provide a dummy Redirect URI and click Configure

11: On the same page, make sure ID tokens is checked and Allow public client flows is set to Yes

B: Create an Azure AD Native Application (Application Object) to be used as client

1: Navigate back to Azure Active Directory and from the sidebar click App registrations

2: From the top, select New registration

3: Complete the app registration wizard by providing a name and setting a Redirect URI, then click Register

4: Click on your newly created native app under Owned applications

5: From the sidebar, select API permissions to allow this app to access the OIDC application created in step 5 under section A

6: Click Add a permission

7: Select APIs my organization uses and select the Azure AD application created in step 5 under section A

8: Check user_impersonation and click Add permissions

9: From the sidebar, select Authentication and make sure ID tokens is checked and Allow public client flows is set to Yes

C: Configure EKS Cluster Authentication with Azure AD OIDC IDP

1: Navigate to the Amazon EKS console and select your EKS cluster, then click Configuration and from the Authentication tab click Associate Identity Provider

2: Complete the Identity Provider Configuration wizard and click Associate

  • Issuer URL: https://sts.windows.net/<Tenant ID>
  • Client ID: spn:<application id>
  • Username claim: upn (user principal name)
  • Toggle Advanced options and add aad: as the username prefix for Azure AD users, so that Azure AD users can be told apart from Kubernetes users.

You can get the Tenant ID and Client ID from the properties of the application you created in step 5 of section A.

D: Configure EKS RBAC Role to allow Azure AD users to perform cluster operations

1: Create a ClusterRoleBinding using the config below. This binding grants the cluster-admin role to the Azure AD user admin@example.com.

Save the code below as clusterrole.yaml and then run kubectl apply -f clusterrole.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aad-cluster-admin
subjects:
- kind: User
  name: aad:admin@example.com   # change the name to your user's email address
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

2. Before we forget, we have to assign users to the Azure application (OIDC app) created in step 5 under section A. Select the application from the Enterprise Applications list, select Users and groups from the sidebar, and assign the users that should have access, in this case admin@example.com.
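The following is an added example in Python (not part of the original post) showing how the settings from section C (username claim upn, prefix aad:) turn the claims of an Azure AD token into the Kubernetes username that the ClusterRoleBinding from section D must name. The tenant ID, application ID and token are constructed placeholders, and the signature check that the API server performs against the issuer's published keys is deliberately out of scope here.

```python
# Added example, not from the original post: the claim checks and the
# claim+prefix mapping that decide which Kubernetes user an Azure AD token
# becomes, and whether the RBAC binding from section D names that user.
# Assumptions: all IDs below are placeholders; the token is constructed and
# unsigned (the API server verifies the real signature against the IdP JWKS).
import base64
import json

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder
OIDC_APP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder
ISSUER = f"https://sts.windows.net/{TENANT_ID}"       # section C Issuer URL
CLIENT_ID = f"spn:{OIDC_APP_ID}"                      # section C Client ID
USERNAME_CLAIM = "upn"                                # section C username claim
USERNAME_PREFIX = "aad:"                              # section C prefix


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def k8s_username(id_token: str) -> str:
    """Exact-match iss and aud against the configured values, then map the claim."""
    payload = json.loads(b64url_decode(id_token.split(".")[1]))
    if payload.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    return USERNAME_PREFIX + payload[USERNAME_CLAIM]


def is_bound(username: str, binding: dict) -> bool:
    """True if a User subject of the ClusterRoleBinding names this identity."""
    return any(s["kind"] == "User" and s["name"] == username
               for s in binding["subjects"])


def sample_token(claims: dict) -> str:
    """Constructed unsigned token; header and signature are placeholders."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"


# Mirrors the subject of the clusterrole.yaml in section D.
BINDING = {"subjects": [{"kind": "User", "name": "aad:admin@example.com",
                         "apiGroup": "rbac.authorization.k8s.io"}]}

if __name__ == "__main__":
    tok = sample_token({"iss": ISSUER, "aud": CLIENT_ID, "upn": "admin@example.com"})
    user = k8s_username(tok)
    print(user, "bound to cluster-admin:", is_bound(user, BINDING))
```

The mismatch case is the one people hit most often: a subject written without the aad: prefix never matches, so the user authenticates fine but is denied every request.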

E: Testing user login with Azure AD

We will be using the Azure Active Directory plugin for client authentication. This plugin provides an integration with the Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to log in in a browser. After login it will automatically fetch the tokens and store them in the kubectl configuration. In addition, it will refresh and update the tokens in the configuration when they expire.

1: Create kubeconfig in ~/.kube/config

vi ~/.kube/config

Add the following to the config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <EKS Certificate Authority data>
    server: <EKS API Server endpoint>
  name: <cluster name>

  • The cluster name can be freely chosen, but must be unique within your local kubeconfig.
  • The Kubernetes API Server endpoint and CA data can be obtained from the EKS cluster console.

2. Set up a user

kubectl config set-credentials "UPN" --auth-provider=azure \
  --auth-provider-arg=environment=AzurePublicCloud \
  --auth-provider-arg=client-id=APPLICATION_ID \
  --auth-provider-arg=tenant-id=TENANT_ID \
  --auth-provider-arg=apiserver-id=APISERVER_APPLICATION_ID

  • UPN: the Azure AD user's email address
  • --auth-provider-arg=client-id=: the application (client) ID of the kubectl app created in step 3 under section B.
  • --auth-provider-arg=tenant-id=: the Directory (tenant) ID
  • --auth-provider-arg=apiserver-id=: the application (client) ID of the OIDC application created in step 5 under section A.

3. Now switch your kubeconfig context

kubectl config set-context <cluster-name> \
  --cluster=<cluster-name> \
  --namespace=default \
  --user="UPN"

4. Use kubectl config use-context <cluster-name> to switch to the newly created context.

5. Issue kubectl get pods; it will prompt you to log in with Azure AD.

After authentication you should see the login confirmation page in the browser, and kubectl will list the pods in your cluster.
