====== OIDC Provider (OpenID Connect) ======

**What it is:** An identity provider integration that allows EKS to issue identities for service accounts.

**What it’s for:**
  * Let AWS STS trust Kubernetes service account tokens.
  * Enable IRSA securely.

**Key ideas:**
  * OIDC is used to validate the identity of the service account.
  * The trust policy on the IAM role references the OIDC provider and sets conditions.

**Exam cues:**
  * “IRSA requires OIDC provider” → yes, OIDC is essential.

**Hard words:**
  * *provider* /prəˈvaɪdər/: supplier
  * *validate* /ˈvælɪdeɪt/: verify
  * *condition* /kənˈdɪʃn/: requirement
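
An added example (not part of the original page, and not AWS code) for the trust-policy point under Key ideas: a Python check that an IRSA trust policy pins both the `aud` and `sub` claims of the OIDC provider. The account ID, region, provider ID, namespace and service account name in the sample are constructed placeholders, and only `StringEquals` and `StringLike` are inspected.

```python
# Constructed sample: account ID, region and provider ID are placeholders.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "system:serviceaccount:payments:api",
        }},
    }],
}

def _as_list(value):
    """IAM accepts a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_irsa_trust(policy):
    """Return findings for each web-identity statement in a trust policy dict."""
    findings = []
    for n, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or \
                "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not isinstance(fed, str) or ":oidc-provider/" not in fed:
            findings.append(f"statement {n}: principal is not a single IAM OIDC provider")
            continue
        # Condition keys are prefixed with the provider URL taken from the ARN.
        issuer = fed.split(":oidc-provider/", 1)[1]
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if _as_list(equals.get(f"{issuer}:aud")) != ["sts.amazonaws.com"]:
            findings.append(f"statement {n}: aud is not pinned to sts.amazonaws.com")
        subs = _as_list(equals.get(f"{issuer}:sub"))
        loose = _as_list(like.get(f"{issuer}:sub"))
        if not subs and not loose:
            findings.append(f"statement {n}: no sub condition, any service account in the cluster may assume the role")
        elif not subs and any("*" in s or "?" in s for s in loose):
            findings.append(f"statement {n}: sub uses a wildcard: {loose}")
    return findings

if __name__ == "__main__":
    print(audit_irsa_trust(SAMPLE_POLICY) or "trust policy pins aud and sub")
```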