refreshes thumbprints of OpenID connect providers
Project description
AWS Open ID Connect provider thumbprint refresher
Usage: aws-oidc-provider-refresher [OPTIONS]
updates the thumbprint list of Open ID connect providers.
By default, all OIDC provider thumbprints are updated. To only update OIDC
providers which are tagged with auto-refresh=true, type:
aws-oidc-provider-refresher --filter auto-refresh=true --force
Options:
--filter TAG to select providers by in the format
Name=Value.
--max-thumbprints INTEGER RANGE
to keep in the thumbprint list [1<=x<=5]
--dry-run / --force show what should happen or update the OIDC
providers
--verbose show some more detailed output
--help Show this message and exit.
Description
The AWS Open ID Connect provider is an awesome way to grant third party identities access to your AWS account. It is very easy to configure: you only need the domain name and the fingerprint of the certificate of the host serving the JSON Web Keys.
To obtain this fingerprint Amazon wrote three pages of documentation, but it is by no means a once-in-a-lifetime event. In a previous post, we described how to set the fingerprint in a CloudFormation template. However, the Open ID connect identity providers regularly renew their certificate. This means you have to refresh the fingerprint as well.
This utility allows you to dynamically update the fingerprints of the OIDC providers. You can do this manually or automatically when you deploy it as an AWS lambda.
install
to install the utility, type:
pip install aws-oidc-provider-refresher
update the fingerprints
To update the fingerprints, type:
$ aws-oidc-provider-refresher --verbose
INFO: Found credentials in shared credentials file: ~/.aws/credentials
INFO: selecting all OIDC providers
INFO: new fingerprint 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee found of gitlab.com, subject CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US issued by CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
INFO: Would update 1 out of 1 OpenID connect providers, but no changes were made
As you can see the utility did not make any changes yet. To update, add --force:
$ aws-oidc-provider-refresher --verbose --force
INFO: Found credentials in shared credentials file: ~/.aws/credentials
INFO: selecting all OIDC providers
INFO: new fingerprint 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee found of gitlab.com, subject CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US issued by CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
INFO: found 1 OpenID connect providers, 1 of which were updated.
It is as easy as that! But, the ensure that the thumbprint list is kept up-to-date we recommend to deploy the refresher as a lambda:
deploy as Lambda
To deploy the refresher as an AWS Lambda, type:
git clone https://github.com/binxio/aws-oidc-provider-refresher.git
cd aws-oidc-provider-refresher
aws cloudformation deploy \
--capabilities CAPABILITY_IAM \
--stack-name aws-oidc-provider-refresher \
--template-file ./cloudformation/aws-oidc-provider-refresher.yaml
This will install the OIDC provider refresher in your AWS account and run every hour. To invoke it manually type:
$ aws lambda invoke --function-name aws-oidc-provider-refresher \
--query LogResult --output text \
--payload $(base64 <<< '{"verbose": true, "dry_run": false}') \
--log-type Tail /dev/fd/1 | \
base64 -d
START RequestId: b7f362bf-659a-4890-9b19-790a9979439f Version: $LATEST
[INFO] 2022-09-17T07:49:01.058Z b7f362bf-659a-4890-9b19-790a9979439f Found credentials in environment variables.
[INFO] 2022-09-17T07:49:02.318Z b7f362bf-659a-4890-9b19-790a9979439f selecting all OIDC providers
[INFO] 2022-09-17T07:49:04.816Z b7f362bf-659a-4890-9b19-790a9979439f gitlab.com now has 2 thumbprints
[INFO] 2022-09-17T07:49:04.816Z b7f362bf-659a-4890-9b19-790a9979439f new fingerprint 962828776ba4dc09a2a0a2b72ff9cd0bd8c33aee found of gitlab.com, subject CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US issued by CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
[INFO] 2022-09-17T07:49:04.936Z b7f362bf-659a-4890-9b19-790a9979439f found 1 OpenID connect providers, 1 of which were updated.
END RequestId: b7f362bf-659a-4890-9b19-790a9979439f
REPORT RequestId: b7f362bf-659a-4890-9b19-790a9979439f Duration: 4089.85 ms Billed Duration: 4090 ms Memory Size: 128 MB Max Memory Used: 90 MB Init Duration: 453.23 ms
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file aws-oidc-provider-refresher-0.2.0.tar.gz.
File metadata
- Download URL: aws-oidc-provider-refresher-0.2.0.tar.gz
- Upload date:
- Size: 13.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.9.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 83f175d76e0a6a69d4da254d12040e9eb314e0d0a5014f1edeca64005c583aff |
|
| MD5 | bed58e66bf8a8ae8958dfb7b02d7a5d5 |
|
| BLAKE2b-256 | 5525a7f3806f3b0300fb4f88011c09e46a83b6a3b4021cda381250463ba339c6 |
