# aws

gorgeous-lunch-7514

09/14/2023, 2:17 PM
also trying
```typescript
// OpenID config
const oidcConfig = oidcProviderURL.apply(url => {
  return axios.get(`https://${url}/.well-known/openid-configuration`).then(response => response.data);
});

// Get thumbprint of the OIDC issuer identity using certificate authority data.
const oidcProviderThumbprint = oidcConfig.apply(config => {
  const parsedJwksUri = new URL(config.jwks_uri);
  // Use TLS to get hostname's SSL certificate.
  const tlsSocket = tls.connect(443, parsedJwksUri.hostname, { servername: parsedJwksUri.hostname });
  return new Promise((resolve, reject) => {
    tlsSocket.on("secureConnect", () => {
      const certificate = tlsSocket.getPeerCertificate();
      tlsSocket.end();
      console.log(certificate.fingerprint);
      const fingerprint = certificate.fingerprint.replace(/:/g, "").toUpperCase();
      resolve(fingerprint);
    });
    tlsSocket.on("error", (error) => {
      reject(error);
    });
  });
});
```

billowy-army-68599

09/14/2023, 2:18 PM
what’s going on here? why are you trying to build your own OIDC cert?
it’s a hard coded thumbprint

gorgeous-lunch-7514

09/14/2023, 2:19 PM
Apologies if what I’m trying to do is unclear. I’m trying to add the EKS OIDC provider to IAM, and I’m trying to generate a thumbprint

billowy-army-68599

09/14/2023, 2:20 PM
can you share your full code?

gorgeous-lunch-7514

09/14/2023, 2:20 PM
for sure
```typescript
import * as aws from "@pulumi/aws";
import axios from "axios";
import * as tls from "tls"; // Node's built-in TLS module

// Get OIDC issuer identity.
const oidcProviderURL = cluster.eksCluster.identities.apply(identities => {
  return identities[0].oidcs[0].issuer.replace(/(^\w+:|^)\/\//, "").replace(/\/$/, "");
});

// Get AWS Account ID.
const awsAccountID = aws.getCallerIdentity().then(identity => identity.accountId);

// OpenID config
const oidcConfig = oidcProviderURL.apply(url => {
  return axios.get(`https://${url}/.well-known/openid-configuration`).then(response => response.data);
});

// Get thumbprint of the OIDC issuer identity using certificate authority data.
const oidcProviderThumbprint = oidcConfig.apply(config => {
  const parsedJwksUri = new URL(config.jwks_uri);
  // Use TLS to get hostname's SSL certificate.
  const tlsSocket = tls.connect(443, parsedJwksUri.hostname, { servername: parsedJwksUri.hostname });
  return new Promise((resolve, reject) => {
    tlsSocket.on("secureConnect", () => {
      const certificate = tlsSocket.getPeerCertificate();
      tlsSocket.end();
      console.log(certificate.fingerprint);
      const fingerprint = certificate.fingerprint.replace(/:/g, "").toUpperCase();
      resolve(fingerprint);
    });
    tlsSocket.on("error", (error) => {
      reject(error);
    });
  });
});

// Get thumbprint of the OIDC issuer identity using certificate authority data.
// const oidcProviderThumbprint = cluster.eksCluster.certificateAuthority.apply(ca => {
//   const data = ca.data;
//   const ascii = Buffer.from(data, "base64").toString("ascii");
//   const thumbprint = crypto.createHash("sha1").update(ascii).digest("hex");
//   return thumbprint.toUpperCase();
// });

// Create an IAM OIDC provider.
const oidcProvider = new aws.iam.OpenIdConnectProvider(`${projectName}-oidc-provider`, {
  clientIdLists: ["sts.amazonaws.com"],
  url: oidcProviderURL.apply(url => `https://${url}`),
  thumbprintLists: [oidcProviderThumbprint],
});
```

billowy-army-68599

09/14/2023, 2:21 PM
does the EKS package not work for you?

gorgeous-lunch-7514

09/14/2023, 2:23 PM
It does in most cases; the following code had produced a fingerprint that was seen as invalid:
```typescript
const oidcProviderThumbprint = cluster.eksCluster.certificateAuthority.apply(ca => {
  const data = ca.data;
  const ascii = Buffer.from(data, "base64").toString("ascii");
  const thumbprint = crypto.createHash("sha1").update(ascii).digest("hex");
  return thumbprint;
});
```
So I was thinking perhaps I need to use the config to get the cert instead
and maybe the cert was wrong
tbh i should’ve compared the certs instead of going down this other rabbit hole

billowy-army-68599

09/14/2023, 2:25 PM
yeah
`getCertificate` from the TLS package is likely easier
fwiw, I built an EKS package that includes lots of best practices: https://www.pulumi.com/registry/packages/lbrlabs-eks/

gorgeous-lunch-7514

09/14/2023, 2:26 PM
If only I saw this months ago haha, cheers for the assist. I’ll have a stab now
Much appreciated, the following is working perfectly
```typescript
import * as aws from "@pulumi/aws";
import * as tls from "@pulumi/tls"; // Pulumi TLS provider, not Node's tls module

// Create an IAM OIDC provider.
const oidcProvider = new aws.iam.OpenIdConnectProvider(`${projectName}-oidc-provider`, {
  clientIdLists: ["sts.amazonaws.com"],
  url: oidcProviderURL.apply(url => `https://${url}`),
  thumbprintLists: oidcProviderURL.apply(url => {
    // Fetch the certificate chain of the OIDC issuer hostname over TLS.
    const certificate = tls.getCertificate({
      url: `https://${url}`,
    });
    return certificate.then(certificate => {
      return [certificate.certificates[0].sha1Fingerprint];
    });
  }),
});
```