How to keep your OpenID connect identity provider thumbprint list up-to-date

on
Sep 20, 2022
in

The AWS Open ID Connect provider is an awesome way to grant third party identities access
to your AWS account. And it is very easy to configure. You only need the domain name and
the fingerprint of the certificate of the host serving the JSON Web Keys.

But obtaining the fingerprint is hard, requiring three written pages of instructions.
Whenever the certificates renews, you have to do it all over again.
To solve this problem, the aws-oidc-provider-refresher
utility allows you to automatically keep the thumbprint list up-to-date.

update the fingerprints

To update the fingerprints, type:

$ aws-oidc-provider-refresher --verbose
INFO: Found credentials in shared credentials file: ~/.aws/credentials
INFO: selecting all OIDC providers
INFO: new fingerprint 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee found of gitlab.com, subject CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US issued by CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
INFO: Would update 1 out of 1 OpenID connect providers, but no changes were made

As you can see the utility did not make any changes yet. To update, add --force:

$ aws-oidc-provider-refresher --verbose --force
INFO: Found credentials in shared credentials file: ~/.aws/credentials
INFO: selecting all OIDC providers
INFO: new fingerprint 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee found of gitlab.com, subject CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US issued by CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
INFO: found 1 OpenID connect providers, 1 of which were updated.

It is as easy as that! To ensure that the thumbprint list is kept up-to-date we recommend
to deploy the refresher as an AWS Lambda:

install as Lambda

To install the refresher as an AWS Lambda, type:

git clone https://github.com/binxio/aws-oidc-provider-refresher.git
cd aws-oidc-provider-refresher
aws cloudformation deploy \
    --capabilities CAPABILITY_IAM \
    --stack-name aws-oidc-provider-refresher \
    --template-file ./cloudformation/aws-oidc-provider-refresher.yaml

This will install the OIDC provider refresher in your AWS account and run every hour. To invoke
it manually type:

$ aws lambda invoke --function-name aws-oidc-provider-refresher \
 --query LogResult --output text \
 --payload $(base64 <<< '{"verbose": true, "dry_run": false}') \
 --log-type Tail /dev/fd/1 | \
 base64 -d

 START RequestId: b7f362bf-659a-4890-9b19-790a9979439f Version: $LATEST
[INFO]  2022-09-17T07:49:01.058Z        b7f362bf-659a-4890-9b19-790a9979439f    Found credentials in environment variables.
[INFO]  2022-09-17T07:49:02.318Z        b7f362bf-659a-4890-9b19-790a9979439f    selecting all OIDC providers
[INFO]  2022-09-17T07:49:04.816Z        b7f362bf-659a-4890-9b19-790a9979439f    gitlab.com now has 2 thumbprints
[INFO]  2022-09-17T07:49:04.816Z        b7f362bf-659a-4890-9b19-790a9979439f    new fingerprint 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee found of gitlab.com, subject CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US issued by CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
[INFO]  2022-09-17T07:49:04.936Z        b7f362bf-659a-4890-9b19-790a9979439f    found 1 OpenID connect providers, 1 of which were updated.

END RequestId: b7f362bf-659a-4890-9b19-790a9979439f
REPORT RequestId: b7f362bf-659a-4890-9b19-790a9979439f  Duration: 4089.85 ms    Billed Duration: 4090 ms        Memory Size: 128 MB     Max Memory Used: 90 MB    Init Duration: 453.23 ms        

install as CLI

to install the utility on the command line, type:

pip install aws-oidc-provider-refresher

conclusion

With the OIDC provider refresher utility as an AWS lambda in your account, you keep the thumbprint list of your OpenID connect identity providers in your account up-to-date.

Checkout our previous post, which describes how to set the fingerprint in a CloudFormation template.

Photo by Luis Quintero on Unsplash

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.
Share this article: Tweet this post / Post on LinkedIn