https://pulumi.com logo
#general
Title
# general
b

busy-helicopter-97413

11/24/2021, 5:31 PM
I am trying to create a new OIDC provider for my EKS cluster. For it to work, I need the thumbprint. However, it seems like for EKS, the process for getting the thumbprint outside of EKS is potentially a lot of work to automate? https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html is there something i'm missing here?
w

worried-city-86458

11/24/2021, 5:34 PM
This is how I do it using dotnet/c#:
Copy code
// cluster
Logger.LogDebug("Creating eks cluster");
var cluster = new Cluster($"{awsEksPrefix}-cluster",
    new ClusterArgs
    {
        EnabledClusterLogTypes = AwsConfig.Eks.LogTypes,
        RoleArn = clusterRole.Arn,
        Version = K8sConfig.Version,
        VpcConfig = new ClusterVpcConfigArgs
        {
            EndpointPrivateAccess = true,
            SubnetIds = Output.All(publicSubnetIds, privateSubnetIds).Flatten()
        }
    },
    new CustomResourceOptions { Protect = true, Provider = awsProvider });

ClusterName = cluster.Name;
KubeConfig = deployerRoleArn.Apply(roleArn => cluster.GetKubeConfig(EnvName, roleArn));
var clusterSgId = cluster.VpcConfig.Apply(config => config.ClusterSecurityGroupId!);

// root ca thumbprint; <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html>
var issuer = cluster.Identities.Apply(identities => identities[0].Oidcs[0].Issuer!);
var certificates = issuer.Apply(url => GetCertificate.InvokeAsync(new GetCertificateArgs { Url = url, VerifyChain = true }));
var rootCAThumbprint = certificates.Apply(chain => chain.Certificates[0].Sha1Fingerprint);

// oidc provider
Logger.LogDebug("Creating oidc provider");
var oidcProvider = new OpenIdConnectProvider($"{awsEksPrefix}-oidc",
    new OpenIdConnectProviderArgs
    {
        ClientIdLists = { "<http://sts.amazonaws.com|sts.amazonaws.com>" },
        Url = issuer,
        ThumbprintLists = { rootCAThumbprint }
    },
    new CustomResourceOptions { Provider = awsProvider });

OidcArn = oidcProvider.Arn;
OidcUrl = oidcProvider.Url;
b

busy-helicopter-97413

11/24/2021, 6:24 PM
where are you getting the sha1fingerprint of a certificate? i'm not quite sure i follow- seems like it's not an attribute of a certificate at least from these docs https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificate/
8 Views