Channels
#aws
Title
g
gorgeous-lunch-7514
09/14/2023, 2:17 PMalso trying
Copy code
// OpenID config
const oidcConfig = oidcProviderURL.apply(url => {
return axios.get(`https://${url}/.well-known/openid-configuration`).then(response => response.data);
});
// Get thumbprint of the OIDC issuer identity using certificate authority data.
const oidcProviderThumbprint = oidcConfig.apply(config => {
const parsedJwksUri = new URL(config.jwks_uri);
// Use TLS to get hostname's SSL certificate.
const tlsSocket = tls.connect(443, parsedJwksUri.hostname, { servername: parsedJwksUri.hostname });
return new Promise((resolve, reject) => {
tlsSocket.on("secureConnect", () => {
const certificate = tlsSocket.getPeerCertificate();
tlsSocket.end();
console.log(certificate.fingerprint)
const fingerprint = certificate.fingerprint.replace(/:/g, "").toUpperCase();
resolve(fingerprint);
});
tlsSocket.on("error", (error) => {
reject(error);
});
});
});b
billowy-army-68599
09/14/2023, 2:18 PM
what’s going on here? why are you trying to build your own OIDC cert?
it’s a hard coded thumbprint
g
gorgeous-lunch-7514
09/14/2023, 2:19 PMApologies if what I’m trying to do is clear, I’m create to create add the eks OIDC provider to IAM, I’m trying to generate a thumbprint
b
billowy-army-68599
09/14/2023, 2:20 PM
can you share your full code?
g
gorgeous-lunch-7514
09/14/2023, 2:20 PMfor sure
Copy code
// Get OIDC issuer identity.
const oidcProviderURL = cluster.eksCluster.identities.apply(identities => {
return identities[0].oidcs[0].issuer.replace(/(^\w+:|^)\/\//, "").replace(/\/$/, "");
});
// Get AWS Account ID.
const awsAccountID = aws.getCallerIdentity().then(identity => identity.accountId);
// OpenID config
const oidcConfig = oidcProviderURL.apply(url => {
return axios.get(`https://${url}/.well-known/openid-configuration`).then(response => response.data);
});
// Get thumbprint of the OIDC issuer identity using certificate authority data.
const oidcProviderThumbprint = oidcConfig.apply(config => {
const parsedJwksUri = new URL(config.jwks_uri);
// Use TLS to get hostname's SSL certificate.
const tlsSocket = tls.connect(443, parsedJwksUri.hostname, { servername: parsedJwksUri.hostname });
return new Promise((resolve, reject) => {
tlsSocket.on("secureConnect", () => {
const certificate = tlsSocket.getPeerCertificate();
tlsSocket.end();
console.log(certificate.fingerprint)
const fingerprint = certificate.fingerprint.replace(/:/g, "").toUpperCase();
resolve(fingerprint);
});
tlsSocket.on("error", (error) => {
reject(error);
});
});
});
// Get thumbprint of the OIDC issuer identity using certificate authority data.
// const oidcProviderThumbprint = cluster.eksCluster.certificateAuthority.apply(ca => {
// const data = ca.data;
// const ascii = Buffer.from(data, "base64").toString("ascii");
// const thumbprint = crypto.createHash("sha1").update(ascii).digest("hex");
// return thumbprint.toUpperCase();
// });
// Create an IAM OIDC provider.
const oidcProvider = new aws.iam.OpenIdConnectProvider(`${projectName}-oidc-provider`, {
clientIdLists: ["<http://sts.amazonaws.com|sts.amazonaws.com>"],
url: oidcProviderURL.apply(url => `https://${url}`),
thumbprintLists: [oidcProviderThumbprint],
});b
billowy-army-68599
09/14/2023, 2:21 PM
try doing using this instead:
https://www.pulumi.com/registry/packages/tls/api-docs/getcertificate/
does the EKS package not work for you?
g
gorgeous-lunch-7514
09/14/2023, 2:23 PMIt does in most cases the following code had produced a fingerprint that was seen as invalid:
Copy code
const oidcProviderThumbprint = cluster.eksCluster.certificateAuthority.apply(ca => {
const data = ca.data;
const ascii = Buffer.from(data, "base64").toString("ascii");
const thumbprint = crypto.createHash("sha1").update(ascii).digest("hex");
return thumbprint;
});So I was thinking perhaps I need to use the config to get the cert isntead
and maybe the cert was wrong
tbh i should’ve compared the certs instead of going down this other rabbit hole
b
billowy-army-68599
09/14/2023, 2:25 PM
yeah
getCertificatefwiw, I built an EKS package that includes lots of best practices: https://www.pulumi.com/registry/packages/lbrlabs-eks/
g
gorgeous-lunch-7514
09/14/2023, 2:26 PMIf only I saw this months ago haha, cheers for the assist. I’ll have a stab now
Much appreciated, the following is working perfectly
Copy code
// Create an IAM OIDC provider.
const oidcProvider = new aws.iam.OpenIdConnectProvider(`${projectName}-oidc-provider`, {
clientIdLists: ["<http://sts.amazonaws.com|sts.amazonaws.com>"],
url: oidcProviderURL.apply(url => `https://${url}`),
thumbprintLists: oidcProviderURL.apply(url => {
// Get certificate of the OIDC issuer identity using certificate of the OIDC hostname using TLS
const certificate = tls.getCertificate({
url: `https://${url}`,
});
return certificate.then(certificate => {
return [certificate.certificates[0].sha1Fingerprint];
});
}),
});