Comments (7)
Fix in the spirit of #18 - removing the entire ThumbprintList
list in favour of automatic updates.
// Imports assumed for CDK v2 (aws-cdk-lib); the snippet as posted had none.
import { Aspects, CfnResource } from 'aws-cdk-lib'
import { IConstruct } from 'constructs'
import { GithubActionsIdentityProvider } from 'aws-cdk-github-oidc'

const provider = new GithubActionsIdentityProvider(this, 'GitHubProvider')
/**
 * Removes hard-coded `ThumbprintList` list, because this list is volatile, and the
 * parent construct is not being updated.
 *
 * @see https://github.com/aripalo/aws-cdk-github-oidc/issues/24
 * @see https://github.com/aripalo/aws-cdk-github-oidc/pull/18
 */
Aspects.of(provider).add({
  visit(node: IConstruct) {
    // The custom resource behind OpenIdConnectProvider exposes its L1 CfnResource as the child with id 'Default'
    if (node instanceof CfnResource && node.node.id === 'Default') {
      node.addPropertyDeletionOverride('ThumbprintList')
    }
  },
})
from aws-cdk-github-oidc.
Good news!
Automatic notice from AWS:
Hello,
We are sending this notification because you have configured a GitHub OpenID Connect (OIDC) identity provider (IdP) in your AWS account. GitHub uses a cross-signed TLS server certificate for GitHub’s OIDC servers which can have two intermediate certificates. Each of these intermediate certificates has a unique thumbprint. If you configured the GitHub IdP in your account using only one thumbprint, you may have encountered “Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint” when attempting to access AWS resources using GitHub as the identity provider. This would occur when the certificate thumbprint configured in AWS does not match the one presented by the GitHub server.
No action is required from you.
Starting July 6, 2023, AWS began securing communication with GitHub’s OIDC identity provider (IdP) using our library of trusted root Certificate Authorities instead of using a certificate thumbprint to verify the IdP’s server certificate. This approach ensures that your GitHub OIDC configuration behaves correctly without disruption during future certificate rotations and changes. With this new validation approach in place, your legacy thumbprint(s) will remain in your configuration but will no longer be needed for validation purposes.
The CDK Construct OpenIdConnectProvider downloads the thumbprint based on the issuer URL, if the thumbprint is not supplied to it as a prop.
I wonder whether it would be better to omit any specific thumbprint from this Construct’s source, and let the OpenIdConnectProvider figure out the right thumbprint based on the issuer URL.
Then we would not have to periodically update the thumbprint in this Construct.
For anyone using Python you can override these values in the CFN output like this:
# Imports assumed for CDK v2; `self`, `scope` and `stage` come from the enclosing Stack/Construct __init__
from aws_cdk import CfnResource, CustomResource
from aws_cdk_github_oidc import GithubActionsIdentityProvider

# create the github identity provider
self.github_identity_provider = GithubActionsIdentityProvider(
    scope=scope, id=f"{stage}-github-provider"
)
# get the cloudformation custom resource
cfn_github_identity_provider: CustomResource = (
    self.github_identity_provider.node.default_child
)
# for each child of the cfn resource add the thumbprint list override
for child in cfn_github_identity_provider.node.children:
    if isinstance(child, CfnResource):
        child.add_override(
            "Properties.ThumbprintList",
            [
                "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
                "6938fd4d98bab03faadb97b34396831e3780aea1",
            ],
        )
There was a past PR that would've addressed this: #18
Automatic updates in Python, based on @moltar's and @bryan-queryai's snippets:
# Imports assumed for CDK v2; `self` is the enclosing Stack/Construct
from aws_cdk import CfnResource
from aws_cdk_github_oidc import GithubActionsIdentityProvider

provider = GithubActionsIdentityProvider(self, "provider")
# drop the hard-coded list so IAM resolves the thumbprint itself
for child in provider.node.default_child.node.children:
    if isinstance(child, CfnResource):
        child.add_property_deletion_override("ThumbprintList")
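As an added check that is not code from this thread or from aws-cdk-github-oidc: a stdlib-only Python lint for a synthesized template (for example in CI after `cdk synth`) that reports every GitHub OIDC provider still carrying a `ThumbprintList` and strips it, the template-level equivalent of the deletion override. It assumes the resource type `Custom::AWSCDKOpenIdConnectProvider` that aws-cdk-lib emits for `iam.OpenIdConnectProvider`; the template dict, logical id and handler name are constructed sample data.

```python
import copy
import json

# Resource types that carry a ThumbprintList: the CDK custom resource behind
# iam.OpenIdConnectProvider and the native CloudFormation OIDC provider type.
OIDC_RESOURCE_TYPES = {"Custom::AWSCDKOpenIdConnectProvider", "AWS::IAM::OIDCProvider"}
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def find_github_thumbprints(template: dict) -> dict:
    """Map logical id -> ThumbprintList for every GitHub OIDC provider still carrying one."""
    found = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in OIDC_RESOURCE_TYPES:
            continue
        props = resource.get("Properties", {})
        if props.get("Url") != GITHUB_ISSUER:
            continue  # other issuers are out of scope for this check
        if "ThumbprintList" in props:
            found[logical_id] = list(props["ThumbprintList"])
    return found


def strip_github_thumbprints(template: dict) -> dict:
    """Return a copy with ThumbprintList removed from GitHub OIDC providers
    (what add_property_deletion_override('ThumbprintList') does at synth time)."""
    out = copy.deepcopy(template)
    for logical_id in find_github_thumbprints(out):
        del out["Resources"][logical_id]["Properties"]["ThumbprintList"]
    return out


# Constructed sample of what cdk synth emits while the hard-coded list is still present.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GitHubProvider0A1B2C3D": {
            "Type": "Custom::AWSCDKOpenIdConnectProvider",
            "Properties": {
                "ServiceToken": {"Fn::GetAtt": ["CustomProviderHandler", "Arn"]},
                "ClientIDList": ["sts.amazonaws.com"],
                "ThumbprintList": [
                    "6938fd4d98bab03faadb97b34396831e3780aea1",
                    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
                ],
                "Url": GITHUB_ISSUER,
            },
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(find_github_thumbprints(SAMPLE_TEMPLATE), indent=2))
    print(find_github_thumbprints(strip_github_thumbprints(SAMPLE_TEMPLATE)))  # {}
```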
First of all, apologies for not handling this issue as it came out. I've been on summer vacation since June 22nd, and though I have not been completely offline / off-the-grid, I haven't really worked with any code, used GitHub, or read any code/work related emails, etc – hence I missed this issue.
Secondly, thanks for reporting the issue and for the workarounds posted to this issue (I've heard from multiple people that those have helped during the time this issue persisted).
Third, luckily AWS handled this whole ordeal on their end 🎉 That being said, I think I should just remove the existing thumbprint definitions from this construct. Originally I knew that they are optional and IAM "can figure them out", but I saw them as an extra layer of security – in hindsight – they should've been optional even with this construct and leave the addition (and updates) of those for the end-user. But as said above (and as I've also now seen in my AWS accounts), AWS is now handling the verification using trusted root CA.