Blog

How to update the thumbprint for an OpenID Connect Identity Provider in CloudFormation

04 Sep, 2022
Xebia Background Header Wave

To update the thumbprint for an OpenID Connect Provider, AWS devotes three pages of manual instructions in the documentation. But, we are impatient and do not like manual stuff. That is why we automated
the process for you. In the blog, we will show you the fast way to update the thumbprint of OpenID identity providers in CloudFormation templates.

It can be done in three easy steps:

  1. install the aws-cfn-update utility
  2. define the open id provider resource in CloudFormation
  3. update the thumbprint list

install aws-cfn-update

To install the utility, just type:

$ pip install aws-cfn-update

define the open id provider

To define an OpenID provider in CloudFormation just takes a few lines, as shown in the following template:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  GitLabCom:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://gitlab.com
      ClientIdList:
        - https://gitlab.com
      ThumbprintList:
        - i-have-not-got-the-faintest-idea

As you can see, we used a silly value for the fingerprint. Save it in the file oidc-provider.yaml.

update the thumbprint list

To update the thumbprint list, type:

$ aws-cfn-update --verbose oidc-provider-thumbprints oidc-provider.yaml
INFO: updating fingerprint of https://gitlab.com for OIDC provider GitLabCom, CN=gitlab.com,O=Cloudflare, Inc.,L=San Francisco,ST=California,C=US issued by CN=Cloudflare Inc ECC CA-3,O=Cloudflare, Inc.,C=US
INFO: updating fingerprint of https://gitlab.com, for OIDC provider GitLabCom to 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee, valid until 2022-12-01 23:59:59

Now your template will look like this.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  GitLabCom:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://gitlab.com
      ClientIdList:
        - https://gitlab.com
      ThumbprintList:
        - 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee  # valid until 2022-12-01 23:59:59

That is all. You are ready to go!

Conclusion

With the aws-cfn-update utility, it is really easy to get the fingerprint of the OpenID provider in the thumbprint list. As
the fingerprints have a very short lifetime, you may want to install our AWS Lambda to keep the thumbprint list up-to-date.

Image by Hebi B. from Pixabay

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.
Questions?

Get in touch with us to learn more about the subject and related solutions

Explore related posts