‼️ (iam): OpenIdConnectProvider defaults to first thumbprint instead of root CA thumbprint
Status: IN-PROGRESS
Overview:
The iam.OpenIdConnectProvider resource contains logic that dynamically fetches the certificate thumbprint required to create an OpenID Connect provider. However, as of now, it mistakenly fetches the thumbprint of the provider's leaf certificate instead of that of the root (top-most CA) certificate.
As long as that leaf certificate is valid, this has no impact on your applications. However, once the certificate is rotated, your application will no longer be able to use the provider to authenticate against AWS services. Since leaf certificates are rotated frequently, you are in danger of disruption. This will most likely manifest as an InvalidIdentityToken error from STS stating that the provider's HTTPS certificate doesn't match the configured thumbprint (see the error log in the original report below), or as Access Denied errors.
Workaround:
If you are using the iam.OpenIdConnectProvider construct in conjunction with an EKS cluster:
import * as iam from 'aws-cdk-lib/aws-iam';
import * as eks from 'aws-cdk-lib/aws-eks';

const cluster = new eks.Cluster(this, "EKSCluster", {
  version: eks.KubernetesVersion.V1_21,
});

// Affected: with no explicit thumbprints, iam.OpenIdConnectProvider fetches
// the thumbprint dynamically and picks the leaf certificate.
new iam.OpenIdConnectProvider(this, "OIDCProvider", {
  url: cluster.clusterOpenIdConnectIssuerUrl,
});
Switch to the OpenIdConnectProvider construct from the EKS library:
import * as eks from 'aws-cdk-lib/aws-eks';

const cluster = new eks.Cluster(this, "EKSCluster", {
  version: eks.KubernetesVersion.V1_21,
});

// eks.OpenIdConnectProvider does not fetch the thumbprint at deploy time;
// it carries the known-good thumbprint for the EKS OIDC issuer CA.
new eks.OpenIdConnectProvider(this, "OIDCProvider", {
  url: cluster.clusterOpenIdConnectIssuerUrl,
});
This works because eks.OpenIdConnectProvider hardcodes the correct thumbprint for EKS.
If you are using iam.OpenIdConnectProvider in conjunction with other services, pass the thumbprint explicitly to the construct instead of relying on its dynamic fetching capabilities:
import * as iam from 'aws-cdk-lib/aws-iam';

new iam.OpenIdConnectProvider(this, "OIDCProvider", {
  url: '<your-provider-issuer-url>',
  clientIds: ["sts.amazonaws.com"],
  // Thumbprint (SHA-1, 40 hex characters) of the top-most CA certificate in
  // the provider's chain. When this is set, nothing is fetched dynamically.
  thumbprints: ['<pass-thumbprint-here>'],
});
To obtain the correct thumbprint for your provider, follow the AWS IAM documentation on obtaining the thumbprint for an OpenID Connect identity provider (the openssl s_client / openssl x509 -fingerprint -sha1 procedure).
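The following is an added example, not code from the CDK notice or from the aws-cdk project. It shows why the bug in the Overview bites and what the explicit thumbprint in the workaround above must contain: it parses the certificate chain as printed by openssl s_client -showcerts, computes the SHA-1 thumbprint in the format IAM expects (40 uppercase hex characters, no colons) for both the leaf certificate (what the affected construct picked) and the top-most certificate the server presented (what IAM needs), and validates the value before it goes into thumbprints. The sample chain is constructed: its three "certificates" are placeholder bytes rather than real X.509 DER, so the block runs offline; the PEM extraction, chain ordering and hashing are the real logic.

```typescript
import * as crypto from "crypto";

// Build a PEM block around arbitrary bytes. Used only to construct the sample
// below; a real chain comes from `openssl s_client -showcerts`.
function fakePem(body: string): string {
  const b64 = Buffer.from(body).toString("base64");
  return `-----BEGIN CERTIFICATE-----\n${b64}\n-----END CERTIFICATE-----`;
}

// Constructed sample shaped like `openssl s_client -showcerts` output.
// Index 0 is the leaf, index 2 is the top-most CA certificate the server sent.
const SAMPLE_SHOWCERTS_OUTPUT = [
  "CONNECTED(00000003)",
  "depth=2 C = US, O = Example Root CA",
  "verify return:1",
  "---",
  "Certificate chain",
  " 0 s:CN = oidc.example.test",
  "   i:C = US, O = Example Intermediate CA",
  fakePem("leaf certificate (constructed placeholder)"),
  " 1 s:C = US, O = Example Intermediate CA",
  "   i:C = US, O = Example Root CA",
  fakePem("intermediate certificate (constructed placeholder)"),
  " 2 s:C = US, O = Example Root CA",
  "   i:C = US, O = Example Root CA",
  fakePem("root certificate (constructed placeholder)"),
  "---",
].join("\n");

// Extract every PEM certificate block as DER, in the order the server
// presented them (leaf first, top-most CA last). Non-PEM noise is ignored.
function pemChainToDer(text: string): Buffer[] {
  const re = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  const chain: Buffer[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    chain.push(Buffer.from(m[1].replace(/\s+/g, ""), "base64"));
  }
  return chain;
}

// IAM thumbprint format: SHA-1 over the DER encoding, 40 hex chars, no colons.
function thumbprint(der: Buffer): string {
  return crypto.createHash("sha1").update(der).digest("hex").toUpperCase();
}

// What the affected construct effectively did: hash chain[0], the leaf.
// Leaf certificates rotate often, so this value goes stale.
function leafThumbprint(chain: Buffer[]): string {
  if (chain.length === 0) throw new Error("empty certificate chain");
  return thumbprint(chain[0]);
}

// What IAM needs: the top-most certificate the server presented. Servers
// usually omit the self-signed root, in which case this is the highest
// intermediate CA, which is the certificate the AWS procedure points at.
function rootThumbprint(chain: Buffer[]): string {
  if (chain.length === 0) throw new Error("empty certificate chain");
  return thumbprint(chain[chain.length - 1]);
}

// Guard before passing a value to `thumbprints: [...]`: IAM rejects colons,
// lowercase is tolerated but the canonical form is 40 uppercase hex chars.
function isValidIamThumbprint(t: string): boolean {
  return /^[0-9A-F]{40}$/.test(t);
}

const chain = pemChainToDer(SAMPLE_SHOWCERTS_OUTPUT);
console.log(`certificates in chain: ${chain.length}`);
console.log(`leaf thumbprint (what the bug used): ${leafThumbprint(chain)}`);
console.log(`top-most CA thumbprint (what IAM needs): ${rootThumbprint(chain)}`);
```

Against a real provider, feed the function the output of openssl s_client -servername <issuer-host> -connect <issuer-host>:443 -showcerts, and cross-check the result with openssl x509 -in <last-cert>.pem -fingerprint -sha1 -noout (strip the colons from that output). If the chain you capture has only one certificate, the server is not sending its CA chain and you must obtain the issuing CA certificate separately rather than hashing the leaf.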
Solution:
We are working on a fix to the iam.OpenIdConnectProvider construct so that it correctly fetches the root certificate thumbprint. See PR. Once it is merged, the fix will be available in the following CDK release, at which point a simple deployment will fix the issue in your environment.
Originally reported as
When deploying an OpenIdConnectProvider construct using the OIDC issuer URL retrieved from an EKS cluster (the domain is oidc.eks.us-west-2.amazonaws.com) and no value for the thumbprints property, the resulting auto-obtained thumbprint doesn't match the one I get from following the steps provided here.
Reproduction Steps
// CDK v1 module names, matching CLI version 1.45.0 in the environment below.
import * as eks from '@aws-cdk/aws-eks';
import * as iam from '@aws-cdk/aws-iam';

const cluster = new eks.Cluster(this, "EKSCluster");

// No thumbprints given, so the construct fetches one dynamically.
new iam.OpenIdConnectProvider(this, "EKSOIDCProvider", {
  url: cluster.clusterOpenIdConnectIssuerUrl,
  clientIds: ["sts.amazonaws.com"],
});
Error Log
See Other for a related error.
Environment
- CLI Version : 1.45.0
- Framework Version:
- Node.js Version: 14.4.0
- OS : Windows 10 (10.0.18363 Build 18363)
- Language (Version): TypeScript (3.7.2)
Other
If I try to deploy a cluster autoscaler to my EKS cluster using a service account role tied to that provider, the pod enters a CrashLoopBackOff state with the error message:
F0617 20:04:12.561996 1 aws_cloud_provider.go:376] Failed to create AWS Manager: WebIdentityErr: failed to retrieve credentials caused by: InvalidIdentityToken: OpenIDConnect provider’s HTTPS certificate doesn’t match configured thumbprint status code: 400, request id: 00ec5e59-3672-4264-b5d4-c44f573ff50c
If I instead follow the guide to retrieve the correct thumbprint via openssl and provide that to the OpenIdConnectProvider construct, the cluster autoscaler successfully deploys.
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:37
- Comments:20 (9 by maintainers)
Top GitHub Comments
If this is Closed, shouldn't notice 8607 be removed? Or do I still have to acknowledge it even though it's fixed by a release?
@mrgrain I have CDK v2.51.1 (build 3d30cdb) and I still got the notice also. I'm currently working on configuring GitHub Actions OpenIdConnectProviders to configure a role for GitHub Actions.