OIDC provider thumbprints - optional


Hello,

Following this article https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html#manage-oidc-provider-console, it says:

"AWS secures communication with some OIDC identity providers (IdPs) through our library of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to verify your IdP server certificate. These OIDC IdPs include Auth0, GitHub, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In these cases, your legacy thumbprint remains in your configuration, but is no longer used for validation."

I was trying to create an OIDC provider without providing a thumbprint, but getting these errors:

oadler@fedora:rosa $ aws iam create-open-id-connect-provider --url "https://d3gt1gce2zmg3d.cloudfront.net/25mar6dtg943vg319du08o2k5bcnmb61" --tags Key="managed",Value="true"

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

aws: error: the following arguments are required: --thumbprint-list
oadler@dhcp-0-129:rosa$ aws iam create-open-id-connect-provider --url "https://d3gt1gce2zmg3d.cloudfront.net/25mar6dtg943vg319du08o2k5bcnmb61" --thumbprint-list --tags Key="managed",Value="true"

An error occurred (InvalidInput) when calling the CreateOpenIDConnectProvider operation: The thumbprint list must contain at least one entry.

From the article, it seems like the thumbprint is optional, but then it's required in API calls.

Is there a way to create an OIDC provider without providing a thumbprint? Given this saying: your legacy thumbprint remains in your configuration but is no longer used for validation

Thanks, Ori

1 Answer

Hello Ori,

You can create an IAM OIDC identity provider with the AWS Command Line Interface, the Tools for Windows PowerShell, or the IAM API. When you use these methods, you must obtain the thumbprint manually and supply it to AWS. When you create an OIDC identity provider with the IAM console, the console attempts to fetch the thumbprint for you. We recommend that you also obtain the thumbprint for your OIDC IdP manually and verify that the console fetched the correct thumbprint.

The AWS CLI command to create an OpenID Connect provider (create-open-id-connect-provider) has two required parameters:

  • url
  • thumbprint-list

[+] create-open-id-connect-provider CLI reference - https://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html

Hence, you have to provide the thumbprint in order to successfully create an OpenID Connect provider in AWS via the CLI.

[+] Obtaining the thumbprint for an OpenID Connect Identity Provider - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

When creating the OpenID Connect provider via the AWS Management Console, AWS attempts to fetch the thumbprint for you. However, for OpenID Connect providers such as Auth0, GitHub, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint, AWS uses its library of trusted root certificate authorities (CAs) to verify the IdP server certificate instead of a certificate thumbprint.

You can create an OIDC provider without manually providing the thumbprint by creating the OIDC provider via the AWS Management Console. AWS will fetch the thumbprint for you. However, it is recommended that you validate that the console fetched the correct thumbprint.

Regards,

Suryansh

AWS
answered 5 months ago
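The manual procedure the answer points to (obtain the thumbprint yourself, then pass it to `--thumbprint-list`) as an added shell example, not code from the question, the answer, or AWS. It follows the documented method: dump the chain the IdP serves with `openssl s_client -showcerts`, take the last certificate in that chain (the top-most intermediate CA the server sent), and use its SHA-1 fingerprint without colons. `fetch_chain` is the only network step and is not exercised here; instead `make_demo_cert` generates throwaway self-signed certificates (constructed test data) so the chain-parsing and fingerprint logic runs offline. The CloudFront hostname is taken from the question only as an illustrative value; `build_create_command` just assembles the CLI invocation so you can inspect it before running it with credentials. Note that for the IdPs the quoted documentation lists (Auth0, GitHub, Google, S3-hosted JWKS) the API still demands a value, but AWS validates against its root CA library and the thumbprint is stored without being used.

```shell
#!/bin/sh
# Added example: derive an IAM OIDC provider thumbprint the way the AWS docs
# describe, then assemble the CLI call. Not the original post's code.
set -eu

# Network step (not run in the demo): save the chain the IdP presents.
# Equivalent to: openssl s_client -servername HOST -showcerts -connect HOST:443
fetch_chain() {
  host="$1"; out="$2"
  openssl s_client -servername "$host" -showcerts -connect "$host:443" \
    </dev/null 2>/dev/null >"$out"
}

# Print only the last PEM certificate block in a file. With -showcerts the
# last block is the top-most CA certificate the server sent, which is the one
# AWS documents as the source of the thumbprint.
last_cert_pem() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
    inside                        { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/   { inside = 0; last = buf }
    END                           { printf "%s", last }
  ' "$1"
}

# SHA-1 fingerprint of that certificate, colons stripped: 40 hex characters,
# which is the format --thumbprint-list expects.
oidc_thumbprint() {
  last_cert_pem "$1" \
    | openssl x509 -fingerprint -sha1 -noout \
    | sed -e 's/^.*=//' -e 's/://g'
}

# Sanity check before handing the value to IAM (exit status 0 = well formed).
validate_thumbprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Assemble (but do not execute) the create call from the question.
build_create_command() {
  url="$1"; thumb="$2"
  printf 'aws iam create-open-id-connect-provider --url "%s" --thumbprint-list "%s" --tags Key=managed,Value=true' \
    "$url" "$thumb"
}

# Constructed test data: a throwaway self-signed certificate (hypothetical CN).
make_demo_cert() {
  out="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "$out.key" -out "$out" 2>/dev/null
}

# Demo: a two-certificate "chain" where the second one plays the top CA.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/leaf.pem" "oidc-demo-leaf"
make_demo_cert "$demo_dir/ca.pem" "oidc-demo-ca"
cat "$demo_dir/leaf.pem" "$demo_dir/ca.pem" >"$demo_dir/chain.pem"

thumb=$(oidc_thumbprint "$demo_dir/chain.pem")
validate_thumbprint "$thumb"
echo "thumbprint of top certificate in chain: $thumb"
# Illustrative URL from the question; run the printed command with credentials.
build_create_command "https://d3gt1gce2zmg3d.cloudfront.net/25mar6dtg943vg319du08o2k5bcnmb61" "$thumb"
echo
```

For a real IdP, run `fetch_chain idp.example.com chain.pem` and then `oidc_thumbprint chain.pem`; compare the result with what the console fetched, as the answer recommends. Because the value is tied to the CA certificate rather than the IdP's own key, it changes whenever that CA certificate is replaced, which is one reason AWS moved the listed providers to root-CA validation.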
