Integrating Azure AD with AWS EKS native OIDC

6/11/2021

We have our own Kubernetes cluster built using kops. We are using Azure AD and Dex for authentication. Now we are planning to move to AWS EKS and want to make use of Azure AD so that we do not have to re-create all the users in IAM.

Is there any way to integrate the existing Azure AD with AWS EKS native OIDC?

If yes, can you please help me with the steps or link me to the documentation for the same?

The AWS documentation requires us to use more of the AWS services, and I think that would anyway be a replication of Azure AD.

-- Omkar
Tags: amazon-eks, azure-active-directory, kubernetes, openid-connect

1 Answer

6/12/2021

Interesting question - I have not done this myself so apologies if I am misunderstanding anything. Here are some first impressions from an OAuth viewpoint, having used both providers. I'd be interested in how you get on, since I may be looking into this type of solution in the near future.

Looking at the AWS EKS OIDC docs, it looks like this should be a case of using the Associate Identity Provider option, then entering the Azure AD issuer URL, and possibly adding a '.well-known/openid-configuration' suffix for the metadata endpoint.

In your scenario I would aim to totally avoid AWS Cognito and use only Azure AD as your IAM system, since this would cut out a lot of complexity. You then need to test and see if there are any blocking issues.

We always hope that the solutions from the major cloud providers are standards-based, but too often vendor-specific behaviour means they don't play together nicely. Hopefully this one works, though.

Another option is to do OIDC federated logins between Cognito and Azure AD, as in this blog post of mine, where:

  • Cognito acts as the Authorization Server
  • Azure AD acts as the Identity Provider

This would require you to run two IAM systems and deal with account-linking match-ups, so I would use it only as a last resort.

-- Gary Archer
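A worked configuration for the direct approach the answer above sketches (associate the Azure AD issuer with the EKS cluster's native OIDC authentication, no Cognito), added here as an example. It is not part of Gary Archer's answer nor taken from the AWS or Microsoft documentation. The tenant ID, client (app registration) ID, group object ID and cluster name are placeholders, and the choice of `oid` as the username claim, the `azuread:` prefixes and the read-only `view` binding are this example's own assumptions. The script builds and prints everything offline; it only calls `aws` and `kubectl` when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original post or from AWS/Microsoft docs.
# Builds the configuration for associating an Azure AD tenant with an EKS
# cluster's native OIDC authentication. Tenant ID, client ID, group object
# ID and cluster name below are placeholders (assumptions), not real values.

set -eu

# Azure AD v2.0 issuer for a tenant. The discovery document at
# <issuer>/.well-known/openid-configuration reports this same string as
# "issuer", which EKS compares against issuerUrl when it fetches metadata.
azure_issuer_url() {
    printf 'https://login.microsoftonline.com/%s/v2.0' "$1"
}

discovery_url() {
    printf '%s/.well-known/openid-configuration' "$(azure_issuer_url "$1")"
}

# Azure tenant IDs are GUIDs; refuse anything else before it reaches the API
# (this example deliberately does not accept the tenant's domain-name form).
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# EKS only accepts https issuers; a plaintext issuer would let an on-path
# attacker serve its own signing keys. Fail closed on anything else.
check_issuer() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# JSON for `aws eks associate-identity-provider-config --oidc`.
# usernameClaim=oid: the tenant-wide, immutable object ID, rather than
# preferred_username (mutable) or sub (pairwise per app registration).
# groupsClaim=groups: only present when the app registration is configured
# to emit group claims. The prefixes keep Azure identities from colliding
# with built-in Kubernetes users and groups such as system:masters.
eks_oidc_config() {
    printf '{"identityProviderConfigName":"azure-ad","issuerUrl":"%s","clientId":"%s","usernameClaim":"oid","usernamePrefix":"azuread:","groupsClaim":"groups","groupsPrefix":"azuread:"}' \
        "$(azure_issuer_url "$1")" "$2"
}

# RBAC binding for one Azure AD group, named by object ID exactly as it
# appears in the groups claim. Bind to "view" first; widen per namespace.
group_rolebinding_yaml() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: azuread-group-$1-view
subjects:
- kind: Group
  name: azuread:$1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
}

main() {
    tenant="${TENANT_ID:-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"          # placeholder
    client="${CLIENT_ID:-11111111-2222-3333-4444-555555555555}"          # placeholder app registration
    group="${GROUP_OBJECT_ID:-99999999-8888-7777-6666-555555555555}"     # placeholder
    cluster="${CLUSTER_NAME:-my-eks-cluster}"                           # placeholder

    is_guid "$tenant" || { echo "tenant ID is not a GUID" >&2; exit 1; }
    check_issuer "$(azure_issuer_url "$tenant")"

    echo "Discovery document: $(discovery_url "$tenant")"
    echo "aws eks associate-identity-provider-config --cluster-name $cluster --oidc '$(eks_oidc_config "$tenant" "$client")'"
    group_rolebinding_yaml "$group"

    # Only talk to AWS/kubectl when explicitly asked; everything above is offline.
    if [ "${APPLY:-0}" = 1 ]; then
        aws eks associate-identity-provider-config --cluster-name "$cluster" \
            --oidc "$(eks_oidc_config "$tenant" "$client")"
        group_rolebinding_yaml "$group" | kubectl apply -f -
    fi
}

main "$@"
```

Two caveats a practitioner will hit with this setup. First, Azure AD only includes a `groups` claim if the app registration's token configuration asks for it, and for users in more than about 200 groups it emits an overage claim instead of the list, so group-based RBAC silently stops matching for those users; the `oid` username binding still works. Second, whatever fetches the token for `kubectl` (for example an exec plugin in the kubeconfig) must obtain a JWT whose `iss` is the v2.0 issuer above and whose `aud` is the configured client ID, since that is all EKS validates against this association.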
Source: StackOverflow