also trying ``` OpenID config const oidcConfig = oidcProvide Pulumi Community #aws

also trying ```// OpenID config const oidcConfig =...

gorgeous-lunch-7514

09/14/2023, 2:17 PM

also trying

Copy code

// OpenID config
const oidcConfig = oidcProviderURL.apply(url => {
  return axios.get(`https://${url}/.well-known/openid-configuration`).then(response => response.data);
});

// Get thumbprint of the OIDC issuer identity using certificate authority data.
const oidcProviderThumbprint = oidcConfig.apply(config => {
  const parsedJwksUri = new URL(config.jwks_uri);
  // Use TLS to get hostname's SSL certificate.
  const tlsSocket = tls.connect(443, parsedJwksUri.hostname, { servername: parsedJwksUri.hostname });
  return new Promise((resolve, reject) => {
    tlsSocket.on("secureConnect", () => {
      const certificate = tlsSocket.getPeerCertificate();
      tlsSocket.end();
      console.log(certificate.fingerprint)
      const fingerprint = certificate.fingerprint.replace(/:/g, "").toUpperCase();
      resolve(fingerprint);
    });
    tlsSocket.on("error", (error) => {
      reject(error);
    });
  });
});

billowy-army-68599

09/14/2023, 2:18 PM

what’s going on here? why are you trying to build your own OIDC cert?

billowy-army-68599

09/14/2023, 2:18 PM

it’s a hard coded thumbprint

gorgeous-lunch-7514

09/14/2023, 2:19 PM

Apologies if what I’m trying to do is clear, I’m create to create add the eks OIDC provider to IAM, I’m trying to generate a thumbprint

billowy-army-68599

09/14/2023, 2:20 PM

can you share your full code?

gorgeous-lunch-7514

09/14/2023, 2:20 PM

for sure

gorgeous-lunch-7514

09/14/2023, 2:20 PM

Copy code

// Get OIDC issuer identity.
const oidcProviderURL = cluster.eksCluster.identities.apply(identities => {
  return identities[0].oidcs[0].issuer.replace(/(^\w+:|^)\/\//, "").replace(/\/$/, "");
});

// Get AWS Account ID.
const awsAccountID = aws.getCallerIdentity().then(identity => identity.accountId);

// OpenID config
const oidcConfig = oidcProviderURL.apply(url => {
  return axios.get(`https://${url}/.well-known/openid-configuration`).then(response => response.data);
});

// Get thumbprint of the OIDC issuer identity using certificate authority data.
const oidcProviderThumbprint = oidcConfig.apply(config => {
  const parsedJwksUri = new URL(config.jwks_uri);
  // Use TLS to get hostname's SSL certificate.
  const tlsSocket = tls.connect(443, parsedJwksUri.hostname, { servername: parsedJwksUri.hostname });
  return new Promise((resolve, reject) => {
    tlsSocket.on("secureConnect", () => {
      const certificate = tlsSocket.getPeerCertificate();
      tlsSocket.end();
      console.log(certificate.fingerprint)
      const fingerprint = certificate.fingerprint.replace(/:/g, "").toUpperCase();
      resolve(fingerprint);
    });
    tlsSocket.on("error", (error) => {
      reject(error);
    });
  });
});

// Get thumbprint of the OIDC issuer identity using certificate authority data.
// const oidcProviderThumbprint = cluster.eksCluster.certificateAuthority.apply(ca => {
//   const data = ca.data;
//   const ascii = Buffer.from(data, "base64").toString("ascii");
//   const thumbprint = crypto.createHash("sha1").update(ascii).digest("hex");
//   return thumbprint.toUpperCase();
// });


// Create an IAM OIDC provider.
const oidcProvider = new aws.iam.OpenIdConnectProvider(`${projectName}-oidc-provider`, {
  clientIdLists: ["<http://sts.amazonaws.com|sts.amazonaws.com>"],
  url: oidcProviderURL.apply(url => `https://${url}`),
  thumbprintLists: [oidcProviderThumbprint],
});

billowy-army-68599

09/14/2023, 2:21 PM

try doing using this instead: https://www.pulumi.com/registry/packages/tls/api-docs/getcertificate/

billowy-army-68599

09/14/2023, 2:21 PM

does the EKS package not work for you?

gorgeous-lunch-7514

09/14/2023, 2:23 PM

It does in most cases the following code had produced a fingerprint that was seen as invalid:

Copy code

const oidcProviderThumbprint = cluster.eksCluster.certificateAuthority.apply(ca => {
  const data = ca.data;
  const ascii = Buffer.from(data, "base64").toString("ascii");
  const thumbprint = crypto.createHash("sha1").update(ascii).digest("hex");
  return thumbprint;
});

gorgeous-lunch-7514

09/14/2023, 2:23 PM

So I was thinking perhaps I need to use the config to get the cert isntead

gorgeous-lunch-7514

09/14/2023, 2:23 PM

and maybe the cert was wrong

gorgeous-lunch-7514

09/14/2023, 2:24 PM

tbh i should’ve compared the certs instead of going down this other rabbit hole

billowy-army-68599

09/14/2023, 2:25 PM

yeah

getCertificate

from the TLS package is likely easier

billowy-army-68599

09/14/2023, 2:25 PM

fwiw, I built an EKS package that includes lots of best practices: https://www.pulumi.com/registry/packages/lbrlabs-eks/

gorgeous-lunch-7514

09/14/2023, 2:26 PM

If only I saw this months ago haha, cheers for the assist. I’ll have a stab now

gorgeous-lunch-7514

09/15/2023, 12:24 PM

Much appreciated, the following is working perfectly

Copy code

// Create an IAM OIDC provider.
const oidcProvider = new aws.iam.OpenIdConnectProvider(`${projectName}-oidc-provider`, {
  clientIdLists: ["<http://sts.amazonaws.com|sts.amazonaws.com>"],
  url: oidcProviderURL.apply(url => `https://${url}`),
  thumbprintLists: oidcProviderURL.apply(url => {
    // Get certificate of the OIDC issuer identity using certificate of the OIDC hostname using TLS
    const certificate = tls.getCertificate({
      url: `https://${url}`,
    });
    return certificate.then(certificate => {
      return [certificate.certificates[0].sha1Fingerprint];
    });
  }),
});

Open in Slack

Previous Next