Status:
not configured: the portal is open until you set this up.
Required secret formats (AWS Secrets Manager only)
1 · SSO config secret:
{
  "provider": "google",                  // or "microsoft"
  "client_id": "...",
  "client_secret": "...",
  "tenant_id": "",                       // microsoft only (Azure tenant GUID)
  "admin_emails": ["[email protected]"], // allowlist (works for both providers)
  "admin_group": ""                      // optional, microsoft Entra group objectId
}
2 · kubelogin OAuth secret:
{
  "client_id": "...apps.googleusercontent.com",
  "client_secret": "...",
  "issuer": "https://accounts.google.com"
}
How to create the OAuth client (Google / Microsoft)
GOOGLE (Desktop app):
1. Google Cloud Console → APIs & Services → Credentials
2. Create credentials → OAuth client ID → Application type: "Desktop app"
3. Copy the Client ID + Client secret
   (no redirect URI to set: Desktop apps auto-allow http://localhost)
4. SM JSON:
   {"client_id":"…apps.googleusercontent.com","client_secret":"…",
    "issuer":"https://accounts.google.com"}
MICROSOFT (Entra ID / Azure AD):
1. Entra admin center → App registrations → New registration
2. Redirect URI: platform "Mobile and desktop applications" → http://localhost
3. Copy the Application (client) ID and Directory (tenant) ID
4. Certificates & secrets → New client secret → copy the value
5. SM JSON:
   {"client_id":"<app-id>","client_secret":"<secret>",
    "issuer":"https://login.microsoftonline.com/<tenant-id>/v2.0"}
The same OAuth client (client_id) must be set as the EKS OIDC IdP audience
(Terraform eks-oidc-identity-provider) for tokens to be accepted.
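As an added example (not part of this setup panel or the portal's own code), a pre-flight validator for the two secret formats above: it checks the provider-specific fields of the SSO config secret, checks that the kubelogin issuer matches the provider (and, for Microsoft, the SSO secret's tenant_id), and flags a kubelogin client_id that differs from the EKS OIDC IdP audience before any token is rejected. The audience value and the sample secrets are constructed placeholders; in practice the audience would come from the eks-oidc-identity-provider Terraform output and the secrets from Secrets Manager.

```python
import re

# Constructed placeholder for the client_id configured as the EKS OIDC IdP
# audience (in practice read from the eks-oidc-identity-provider Terraform output).
EKS_OIDC_AUDIENCE = "123456-example.apps.googleusercontent.com"
MS_ISSUER = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0$")

def validate_sso_secret(sso: dict) -> list:
    """Return the problems found in the SSO config secret (empty list = OK)."""
    problems = []
    provider = sso.get("provider")
    if provider not in ("google", "microsoft"):
        problems.append("provider must be 'google' or 'microsoft'")
    for key in ("client_id", "client_secret"):
        if not sso.get(key):
            problems.append(f"{key} is empty")
    if provider == "microsoft" and not sso.get("tenant_id"):
        problems.append("tenant_id (Azure tenant GUID) is required for microsoft")
    emails = sso.get("admin_emails") or []
    if not isinstance(emails, list) or not all(isinstance(e, str) and "@" in e for e in emails):
        problems.append("admin_emails must be a list of e-mail addresses")
    if not emails and not sso.get("admin_group"):
        problems.append("no admin allowlist: set admin_emails or admin_group")
    if sso.get("admin_group") and provider != "microsoft":
        problems.append("admin_group only applies to microsoft (Entra group objectId)")
    return problems

def validate_kubelogin_secret(kl: dict, sso: dict, audience: str) -> list:
    """Check the kubelogin secret against the SSO provider and the EKS audience."""
    problems = []
    for key in ("client_id", "client_secret", "issuer"):
        if not kl.get(key):
            problems.append(f"{key} is empty")
    issuer, provider = kl.get("issuer", ""), sso.get("provider")
    if provider == "google" and issuer != "https://accounts.google.com":
        problems.append("google issuer must be exactly https://accounts.google.com")
    if provider == "microsoft":
        m = MS_ISSUER.match(issuer)
        if not m or m.group(1).lower() != str(sso.get("tenant_id", "")).lower():
            problems.append("microsoft issuer must be https://login.microsoftonline.com/<tenant-id>/v2.0 with the SSO secret's tenant_id")
    if kl.get("client_id") != audience:  # EKS rejects tokens minted for another client
        problems.append("kubelogin client_id does not match the EKS OIDC IdP audience")
    return problems

# Constructed sample secrets with placeholder values, not real credentials.
SSO_OK = {"provider": "google", "client_id": "portal-web-client-id", "client_secret": "s3cret",
          "tenant_id": "", "admin_emails": ["admin@example.com"], "admin_group": ""}
KUBELOGIN_OK = {"client_id": EKS_OIDC_AUDIENCE, "client_secret": "s3cret",
                "issuer": "https://accounts.google.com"}
```

Run both validators after writing the secrets and before enabling the portal; an empty list from each means the formats above are satisfied and the kubelogin client matches the EKS audience.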