OIDC Providers will rotate their SSL Certificates on a regular basis.
If you can share the Terraform code and plan, it would be useful too.
Thanks, Gary.
If I am not mistaken, that OIDC is valid from Wednesday 26 February 2025 at 00:00:00
I get the same SHA1 fingerprint. I believe AWS updated their SSL cert recently on the OIDC and it was expected.
data "tls_certificate" "cluster_identity_oidc_issuer" {
  url = "https://oidc.eks.eu-central-1.amazonaws.com/id/12DDFC5E08B49F1573B778A784E71BE4"
}
output "url_sha1" {
  value = data.tls_certificate.cluster_identity_oidc_issuer.certificates[0].sha1_fingerprint
}
Changes to Outputs:
+ url_sha1 = "06b25927c42a721631c1efd9431e648fa62e1e39"
What happens if I apply it? Or shall I keep both thumbprints? Will it break anything in our systems?
AWS secures communication with OIDC identity providers (IdPs) using our library of trusted Certificate Authorities (CAs). If your IdP relies on a certificate that isn't signed by one of these trusted CAs, then we secure communication using the thumbprints you specify.
This is an AWS-signed certificate, therefore the thumbprints are not used. I would remove the thumbprint_list line from your Tf as it's not applicable in this case. It will not break any of your systems; as it stands, the thumbprint_list has an invalid SHA1 as it expired. Cheers, Gary
I would also remove
data "tls_certificate" "cluster_identity_oidc_issuer" {
  url = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
}
if you only use it as part of your thumbprint_list, as it's not needed anymore.
Thanks a lot, Gary. You're a saviour.
Any time. Glad to be of assistance.
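The rule Gary quotes has two paths: IAM first validates the issuer's certificate against its own trusted CA store, and only when that fails does it fall back to the thumbprints you configured. The following Go program is an added illustration of both paths and of the plan diff above; it is not code from the thread or from AWS. It builds constructed certificates in memory (a "root CA", a leaf signed by it, and a self-signed leaf), computes the same lowercase-hex SHA-1 of the DER bytes that Terraform's `tls_certificate` exposes as `sha1_fingerprint`, and reports configured thumbprints that no longer match the served chain. The function names `sha1Thumbprint`, `thumbprintsUsed` and `thumbprintDrift` and the trusted pool are assumptions for the example, standing in for IAM's internal CA store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sha1Thumbprint returns the lowercase hex SHA-1 of the certificate's DER
// bytes, the same form Terraform's tls_certificate sha1_fingerprint uses.
func sha1Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// newCert builds a constructed test certificate. With parent == nil it is
// self-signed; otherwise it is signed by parent/parentKey (hypothetical CA).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{cn},
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// thumbprintsUsed mirrors the quoted rule: if the issuer's certificate chains
// to a trusted CA the thumbprints are ignored; otherwise they are what secures
// the connection. The trusted pool stands in for IAM's CA store (assumption).
func thumbprintsUsed(leaf *x509.Certificate, trusted *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted})
	return err != nil
}

// thumbprintDrift returns configured thumbprints that match no certificate in
// the chain currently served, which is what the plan diff above surfaced.
func thumbprintDrift(configured []string, chain []*x509.Certificate) []string {
	current := map[string]bool{}
	for _, c := range chain {
		current[sha1Thumbprint(c)] = true
	}
	stale := []string{}
	for _, t := range configured {
		if !current[strings.ToLower(t)] {
			stale = append(stale, t)
		}
	}
	return stale
}

func main() {
	ca, caKey, _ := newCert("constructed-root-ca", true, nil, nil)
	leaf, _, _ := newCert("oidc.example.test", false, ca, caKey)
	selfSigned, _, _ := newCert("idp.example.test", false, nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)

	fmt.Println("CA-signed issuer uses thumbprints:", thumbprintsUsed(leaf, trusted))
	fmt.Println("self-signed issuer uses thumbprints:", thumbprintsUsed(selfSigned, trusted))
	// A previously recorded (now rotated) thumbprint, constructed value.
	old := "0000000000000000000000000000000000000000"
	fmt.Println("stale thumbprints:", thumbprintDrift([]string{old, sha1Thumbprint(leaf)}, []*x509.Certificate{leaf, ca}))
}
```

Run against the real issuer you would replace the constructed chain with the certificates returned by a TLS handshake to the OIDC URL; the drift check is the same, and it tells you whether a `thumbprint_list` entry still corresponds to anything the issuer actually presents.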
Hi Gary, below is the Tf code we use for this setup.
data "tls_certificate" "cluster_identity_oidc_issuer" {
  url = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
}
resource "aws_iam_openid_connect_provider" "irsa" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.cluster_identity_oidc_issuer.certificates[0].sha1_fingerprint]
  url             = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
  tags = {
    "Environment"   = var.generic.environment
    "Client_Prefix" = var.generic.client_prefix
  }
}
resource "consul_keys" "cluster_oidc_issuer" {
  key {
    path   = "aws/${var.generic.region}/${var.generic.client_prefix}/environments/${var.generic.environment}/kubernetes/cluster/${local.cluster_name_full}/oidc_issuer"
    value  = replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, format("https://oidc.eks.%s.amazonaws.com/id/", var.generic.region), "")
    delete = true
  }
}
Is the Issuer URL a 3rd party URL? i.e. AWS IAM?
aws_eks_cluster.cluster.identity[0].oidc[0].issuer
arn:aws:iam::948758986464:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/12DDFC5E08B49F1573B778A784E71BE4
Hope this helps with your question, Gary. I guess it is not 3rd party. All our URLs are procured using Route 53. IAM picks those URLs.
If you see my new answer, you can see it is in fact the AWS OIDC certificate for EKS. It's not a private ACM cert you own.