class Aws::EKS::Types::OidcIdentityProviderConfigRequest

An object representing an OpenID Connect (OIDC) configuration. Before associating an OIDC identity provider to your cluster, review the considerations in [Authenticating users for your cluster from an OpenID Connect identity provider][1] in the *Amazon EKS User Guide*.

[1]: https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html

@note When making an API call, you may pass OidcIdentityProviderConfigRequest data as a hash:

    {
      identity_provider_config_name: "String", # required
      issuer_url: "String", # required
      client_id: "String", # required
      username_claim: "String",
      username_prefix: "String",
      groups_claim: "String",
      groups_prefix: "String",
      required_claims: {
        "requiredClaimsKey" => "requiredClaimsValue",
      },
    }

@!attribute [rw] identity_provider_config_name

The name of the OIDC provider configuration.
@return [String]

@!attribute [rw] issuer_url

The URL of the OpenID identity provider that allows the API server
to discover public signing keys for verifying tokens. The URL must
begin with `https://` and should correspond to the `iss` claim in
the provider's OIDC ID tokens. Per the OIDC standard, path
components are allowed but query parameters are not. Typically the
URL consists of only a hostname, like `https://server.example.org`
or `https://example.com`. This URL should point to the level below
`.well-known/openid-configuration` and must be publicly accessible
over the internet.
@return [String]

@!attribute [rw] client_id

This is also known as *audience*. The ID for the client application
that makes authentication requests to the OpenID identity provider.
@return [String]

@!attribute [rw] username_claim

The JSON Web Token (JWT) claim to use as the username. The default
is `sub`, which is expected to be a unique identifier of the end
user. You can choose other claims, such as `email` or `name`,
depending on the OpenID identity provider. Claims other than `email`
are prefixed with the issuer URL to prevent naming clashes with
other plug-ins.
@return [String]

@!attribute [rw] username_prefix

The prefix that is prepended to username claims to prevent clashes
with existing names. If you do not provide this field, and
`username` is a value other than `email`, the prefix defaults to
`issuerurl#`. You can use the value `-` to disable all prefixing.
@return [String]

@!attribute [rw] groups_claim

The JWT claim that the provider uses to return your groups.
@return [String]

@!attribute [rw] groups_prefix

The prefix that is prepended to group claims to prevent clashes with
existing names (such as `system:` groups). For example, the value
`oidc:` will create group names like `oidc:engineering` and
`oidc:infra`.
@return [String]

@!attribute [rw] required_claims

The key value pairs that describe required claims in the identity
token. If set, each claim is verified to be present in the token
with a matching value. For the maximum number of claims that you can
require, see [Amazon EKS service quotas][1] in the *Amazon EKS User
Guide*.

[1]: https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html
@return [Hash<String,String>]

@see https://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/OidcIdentityProviderConfigRequest AWS API Documentation
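
The following pre-flight check is an added example, not code from the AWS SDK: it lints a request hash against the constraints stated in the attribute descriptions above and models the documented `username_prefix` defaulting. The helper names `lint_oidc_config` and `effective_username` and the sample values are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical helper (not part of aws-sdk-eks): checks a request hash against
# the constraints stated in the attribute descriptions on this page.
def lint_oidc_config(cfg)
  findings = []
  %i[identity_provider_config_name issuer_url client_id].each do |key|
    findings << "#{key} is required" if cfg[key].to_s.empty?
  end
  issuer = cfg[:issuer_url].to_s
  uri = begin
    URI.parse(issuer)
  rescue URI::InvalidURIError
    nil
  end
  if uri.nil? || !issuer.start_with?("https://") || uri.host.to_s.empty?
    findings << "issuer_url must begin with https://"
  else
    findings << "issuer_url must not contain query parameters" if uri.query
    if uri.path.include?(".well-known/openid-configuration")
      findings << "issuer_url should point to the level below .well-known/openid-configuration"
    end
  end
  findings << "username_prefix '-' disables all prefixing" if cfg[:username_prefix] == "-"
  if cfg[:groups_claim] && cfg[:groups_prefix].to_s.empty?
    findings << "groups_claim without groups_prefix can clash with existing group names"
  end
  findings
end

# Hypothetical model of the documented username prefix defaulting.
def effective_username(cfg, claims)
  claim = cfg[:username_claim] || "sub"
  prefix = cfg[:username_prefix]
  prefix = (claim == "email" ? "" : "#{cfg[:issuer_url]}#") if prefix.nil?
  prefix = "" if prefix == "-"
  "#{prefix}#{claims.fetch(claim)}"
end

# Constructed sample request, not taken from a real cluster.
SAMPLE = {
  identity_provider_config_name: "corp-oidc",
  issuer_url: "https://server.example.org",
  client_id: "kubernetes",
  groups_claim: "groups",
  groups_prefix: "oidc:",
  required_claims: { "env" => "prod" }
}.freeze
puts lint_oidc_config(SAMPLE).inspect, effective_username(SAMPLE, { "sub" => "1234" })
```

An empty findings list means the hash satisfies the documented constraints; it does not confirm that the issuer is reachable or that its tokens carry the expected claims.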

Constants

SENSITIVE