Integrating OpenID Connect (OIDC) within AWS EKS involves creating a PingOne OIDC application and configuring the kubectl CLI for OIDC.

You can use the PingOne IdP as an alternative, or in addition, to AWS Identity and Access Management (IAM). With this feature, you can manage user access to your cluster by leveraging an existing identity management life cycle through your OIDC identity provider.

The features and benefits of this configuration are:
Centralized Authentication Policy
User authentication to the EKS can leverage the centralized PingOne Identity Provider policy.
Extended Multi-Factor Authentication
By using PingOne, strong multi-factor authentication can be extended to your EKS user authentication.
Strengthened security using PingOne Protect
By analyzing multiple risk signals, PingOne Protect can identify anomalous activity to block attacks or require strong authentication methods, providing a greater level of assurance of your users’ identities.


Before you begin

Make sure you have the following:

  • A basic understanding of OIDC and OAuth 2.0 protocols
  • An understanding of JSON Web Tokens
  • A local installation of AWD CLI for configuring the OIDC integration within Amazon EKS
  • AWS CLI installed and configured to the existing AWS EKS Cluster
  • A PingOne for Enterprise account (

For more information, see Integrate an OIDC application.