class Aws::EKS::Types::OidcIdentityProviderConfigRequest
An object representing an OpenID Connect (OIDC) configuration. Before associating an OIDC identity provider to your cluster, review the considerations in [Authenticating users for your cluster from an OpenID Connect identity provider][1] in the *Amazon EKS User Guide*.
[1]: https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html
@note When making an API call, you may pass OidcIdentityProviderConfigRequest data as a hash:

    {
      identity_provider_config_name: "String", # required
      issuer_url: "String", # required
      client_id: "String", # required
      username_claim: "String",
      username_prefix: "String",
      groups_claim: "String",
      groups_prefix: "String",
      required_claims: {
        "requiredClaimsKey" => "requiredClaimsValue",
      },
    }
@!attribute [rw] identity_provider_config_name
The name of the OIDC provider configuration. @return [String]
@!attribute [rw] issuer_url
The URL of the OpenID identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with `https://` and should correspond to the `iss` claim in the provider's OIDC ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like `https://server.example.org` or `https://example.com`. This URL should point to the level below `.well-known/openid-configuration` and must be publicly accessible over the internet. @return [String]
@!attribute [rw] client_id
This is also known as *audience*. The ID for the client application that makes authentication requests to the OpenID identity provider. @return [String]
@!attribute [rw] username_claim
The JSON Web Token (JWT) claim to use as the username. The default is `sub`, which is expected to be a unique identifier of the end user. You can choose other claims, such as `email` or `name`, depending on the OpenID identity provider. Claims other than `email` are prefixed with the issuer URL to prevent naming clashes with other plug-ins. @return [String]
@!attribute [rw] username_prefix
The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and `username_claim` is a value other than `email`, the prefix defaults to `issuerurl#`. You can use the value `-` to disable all prefixing. @return [String]
@!attribute [rw] groups_claim
The JWT claim that the provider uses to return your groups. @return [String]
@!attribute [rw] groups_prefix
The prefix that is prepended to group claims to prevent clashes with existing names (such as `system:` groups). For example, the value `oidc:` will create group names like `oidc:engineering` and `oidc:infra`. @return [String]
@!attribute [rw] required_claims
The key-value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see [Amazon EKS service quotas][1] in the *Amazon EKS User Guide*.
[1]: https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html
@return [Hash<String,String>]
@see docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/OidcIdentityProviderConfigRequest AWS API Documentation
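The constraints documented for these attributes can be checked before a request hash is sent, and the prefix rules determine which names a token maps to. The following Ruby code is an added example, not part of the AWS SDK or EKS: the helper names (`lint_oidc_config`, `effective_username`, `effective_groups`, `required_claims_met?`), the sample values, and the two prefix warnings are this example's own assumptions.

```ruby
# Added example: models the rules documented above; not AWS SDK or EKS code.
REQUIRED_KEYS = %i[identity_provider_config_name issuer_url client_id].freeze

# Returns a list of problems with a request hash; an empty list means it passed these checks.
def lint_oidc_config(cfg)
  problems = REQUIRED_KEYS.select { |k| cfg[k].to_s.empty? }.map { |k| "#{k} is required" }
  issuer = cfg[:issuer_url].to_s
  unless issuer.empty?
    problems << "issuer_url must begin with https://" unless issuer.start_with?("https://")
    problems << "issuer_url must not contain query parameters" if issuer.include?("?")
    problems << "issuer_url must be the level below .well-known/openid-configuration" if issuer.include?("/.well-known/")
  end
  # Policy choices of this example, based on the name-clash notes in the attribute docs:
  problems << "username_prefix '-' disables all prefixing" if cfg[:username_prefix] == "-"
  if cfg[:groups_claim]
    gp = cfg[:groups_prefix].to_s
    problems << "groups_claim is set without a groups_prefix" if gp.empty?
    problems << "groups_prefix must not start with system:" if gp.start_with?("system:")
  end
  problems
end

# Username derived from a token's claims, following the documented prefix defaults.
def effective_username(cfg, claims)
  claim = cfg[:username_claim] || "sub"            # documented default claim
  prefix = cfg[:username_prefix]
  prefix = (claim == "email" ? "" : "#{cfg[:issuer_url]}#") if prefix.nil?
  prefix = "" if prefix == "-"                     # "-" disables all prefixing
  "#{prefix}#{claims.fetch(claim)}"
end

# Group names after groups_prefix is prepended to each value of the groups claim.
def effective_groups(cfg, claims)
  Array(claims[cfg[:groups_claim]]).map { |g| "#{cfg[:groups_prefix]}#{g}" }
end

# True when every required claim is present in the token with a matching value.
def required_claims_met?(cfg, claims)
  (cfg[:required_claims] || {}).all? { |k, v| claims[k] == v }
end

# Constructed sample config and decoded ID-token claims (not real values).
SAMPLE_CFG = {
  identity_provider_config_name: "example-idp", issuer_url: "https://server.example.org",
  client_id: "kubernetes", groups_claim: "groups", groups_prefix: "oidc:",
  required_claims: { "env" => "prod" }
}.freeze
SAMPLE_CLAIMS = { "sub" => "user-123", "groups" => %w[engineering infra], "env" => "prod" }.freeze
puts lint_oidc_config(SAMPLE_CFG).inspect if __FILE__ == $PROGRAM_NAME
```

With the sample config, the `sub` claim maps to `https://server.example.org#user-123` and the groups to `oidc:engineering` and `oidc:infra`.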
Constants
- SENSITIVE