To update the thumbprint for an OpenID Connect Provider, AWS devotes three pages of manual instructions in its documentation. But we are impatient and do not like manual work, so we automated the process for you. In this blog, we will show you the fast way to update the thumbprint of OpenID identity providers in CloudFormation templates.
It can be done in three easy steps:
- install the aws-cfn-update utility
- define the OpenID provider resource in CloudFormation
- update the thumbprint list
install aws-cfn-update
To install the utility, just type:
$ pip install aws-cfn-update
define the OpenID provider
Defining an OpenID provider in CloudFormation takes just a few lines, as shown in the following template:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  GitLabCom:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://gitlab.com
      ClientIdList:
        - https://gitlab.com
      ThumbprintList:
        - i-have-not-got-the-faintest-idea
As you can see, we used a silly value for the fingerprint. Save it in the file oidc-provider.yaml.
update the thumbprint list
To update the thumbprint list, type:
$ aws-cfn-update --verbose oidc-provider-thumbprints oidc-provider.yaml
INFO: updating fingerprint of https://gitlab.com for OIDC provider GitLabCom, CN=gitlab.com,O=Cloudflare, Inc.,L=San Francisco,ST=California,C=US issued by CN=Cloudflare Inc ECC CA-3,O=Cloudflare, Inc.,C=US
INFO: updating fingerprint of https://gitlab.com, for OIDC provider GitLabCom to 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee, valid until 2022-12-01 23:59:59
Your template now looks like this:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  GitLabCom:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://gitlab.com
      ClientIdList:
        - https://gitlab.com
      ThumbprintList:
        - 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee # valid until 2022-12-01 23:59:59
That is all. You are ready to go!
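As an added example (not code from this page or from the aws-cfn-update project), here is what the three steps above boil down to in Python: an OIDC provider thumbprint is the SHA-1 hex digest of the provider's DER-encoded TLS certificate, and the update rewrites the ThumbprintList of every AWS::IAM::OIDCProvider resource in the template. The template and certificate bytes are constructed, and hashing the leaf certificate the host presents is an assumption of this example; which certificate in the chain aws-cfn-update picks is not stated on the page.

```python
import hashlib
import socket
import ssl
from urllib.parse import urlparse

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed-der-bytes-standing-in-for-gitlab.com"

# Constructed template: oidc-provider.yaml from this page as yaml.safe_load would return it.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GitLabCom": {
            "Type": "AWS::IAM::OIDCProvider",
            "Properties": {
                "Url": "https://gitlab.com",
                "ClientIdList": ["https://gitlab.com"],
                "ThumbprintList": ["i-have-not-got-the-faintest-idea"],
            },
        },
        "SomeBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
}

def thumbprint(der: bytes) -> str:
    """OIDC provider thumbprint: SHA-1 of the DER certificate as lowercase hex."""
    return hashlib.sha1(der).hexdigest()

def fetch_leaf_der(url: str, timeout: float = 5.0) -> bytes:
    """Fetch the DER leaf certificate the provider's host presents on port 443.
    Needs network access; the default context verifies chain and hostname."""
    host = urlparse(url).hostname
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def update_thumbprints(template: dict, der_by_url: dict) -> dict:
    """Set ThumbprintList on each OIDCProvider whose Url is in der_by_url; return {logical_id: thumbprint}."""
    updated = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::OIDCProvider":
            continue
        props = resource.setdefault("Properties", {})
        der = der_by_url.get(props.get("Url"))
        if der is None:
            continue  # no certificate known for this provider: leave it untouched
        props["ThumbprintList"] = [thumbprint(der)]
        updated[logical_id] = props["ThumbprintList"][0]
    return updated
```

To run it against a live provider, pass `{url: fetch_leaf_der(url)}` as `der_by_url` and dump the template back to YAML.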
Conclusion
With the aws-cfn-update utility, it is really easy to put the current fingerprint of the OpenID provider into the thumbprint list. As the fingerprints have a very short lifetime, you may want to install our AWS Lambda to keep the thumbprint list up-to-date.