I am trying to create a new OIDC provider for my EKS cluster. For it to work, I need the thumbprint. However, it seems that for EKS, getting the thumbprint outside of EKS is potentially a lot of work to automate? https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html — is there something I'm missing here?
This is how I do it using dotnet/c#:
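// cluster
Logger.LogDebug("Creating eks cluster");
var cluster = new Cluster($"{awsEksPrefix}-cluster",
    new ClusterArgs
    {
        EnabledClusterLogTypes = AwsConfig.Eks.LogTypes,
        RoleArn = clusterRole.Arn,
        Version = K8sConfig.Version,
        VpcConfig = new ClusterVpcConfigArgs
        {
            EndpointPrivateAccess = true,
            SubnetIds = Output.All(publicSubnetIds, privateSubnetIds).Flatten()
        }
    },
    // Protect = true: the cluster cannot be deleted by a stack change without an explicit unprotect first.
    new CustomResourceOptions { Protect = true, Provider = awsProvider });

ClusterName = cluster.Name;
KubeConfig = deployerRoleArn.Apply(roleArn => cluster.GetKubeConfig(EnvName, roleArn));
var clusterSgId = cluster.VpcConfig.Apply(config => config.ClusterSecurityGroupId!);

// Root CA thumbprint of the cluster's OIDC issuer, as described in
// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
// The issuer URL is read from the cluster's identity block; fail early with a clear error instead of
// handing a null URL to the certificate lookup below.
var issuer = cluster.Identities.Apply(identities =>
    identities[0].Oidcs[0].Issuer
    ?? throw new InvalidOperationException("EKS cluster identity has no OIDC issuer URL"));
// Fetch the TLS chain presented by the issuer endpoint; VerifyChain = true asks the provider to
// validate the chain while parsing it rather than accept whatever the endpoint presents.
var certificates = issuer.Apply(url => GetCertificate.InvokeAsync(new GetCertificateArgs { Url = url, VerifyChain = true }));
// The TLS provider returns the chain root-first, so index 0 is the root CA — the certificate whose
// SHA-1 fingerprint IAM expects here, not the issuer's leaf certificate (confirm against the provider
// docs for the version in use). Sha1Fingerprint is an attribute of the fetched chain entry, not of an ACM certificate.
var rootCAThumbprint = certificates.Apply(chain => chain.Certificates[0].Sha1Fingerprint);

// oidc provider
Logger.LogDebug("Creating oidc provider");
var oidcProvider = new OpenIdConnectProvider($"{awsEksPrefix}-oidc",
    new OpenIdConnectProviderArgs
    {
        // Audience the service-account tokens are issued for. This must be the bare host name;
        // a URL-wrapped value registers a different audience and token exchange fails.
        ClientIdLists = { "sts.amazonaws.com" },
        Url = issuer,
        ThumbprintLists = { rootCAThumbprint }
    },
    new CustomResourceOptions { Provider = awsProvider });

OidcArn = oidcProvider.Arn;
OidcUrl = oidcProvider.Url;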
Where are you getting the Sha1Fingerprint of a certificate? I'm not quite sure I follow — it seems like it's not an attribute of a certificate, at least from these docs: https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificate/