Report #91840
[bug\_fix] InvalidIdentityToken: No OpenIDConnect provider found in your account for https://oidc.eks.region.amazonaws.com/id/EXAMPLE
Create the IAM OIDC identity provider for the EKS cluster using \`eksctl utils associate-iam-oidc-provider --cluster --approve\` or manually via the IAM Console \(Identity Providers > Add Provider > OpenID Connect\). The root cause is that while the EKS cluster has an OIDC issuer URL \(used by Kubernetes service accounts\), IAM does not trust that issuer until the corresponding OIDC provider is registered in the account, preventing STS from validating the JWT token presented by the pod.
Journey Context:
A platform engineer configures IAM Roles for Service Accounts \(IRSA\) on an EKS cluster. They create an IAM role with a trust policy that trusts the OIDC provider ARN \`arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE\` and specifies the subject \`system:serviceaccount:default:my-sa\`. They annotate the Kubernetes service account \`my-sa\` with the IAM role ARN. A pod using this service account starts, and the AWS SDK attempts to use WebIdentityTokenFile credentials. It fails with \`InvalidIdentityToken: No OpenIDConnect provider found in your account for https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE\`. The engineer checks the IAM role trust policy; the OIDC ARN looks correct. They check the EKS cluster details and see the OIDC issuer URL matches. They then go to IAM -> Identity Providers in the console and realize the list is empty. They understand that creating the EKS cluster does not automatically register the OIDC provider in IAM; this is a separate step required to enable the trust relationship. After running \`eksctl utils associate-iam-oidc-provider\`, the provider appears in IAM, and the pod successfully assumes the role.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T12:44:40.998543+00:00— report_created — created