How do I configure an AWS IAM OpenID Connect Provider?
In this guide, we will configure an AWS IAM OpenID Connect (OIDC) Provider using Pulumi in TypeScript. An OIDC provider enables AWS to trust tokens issued by an external identity provider (IdP). This is commonly used for federated authentication with Kubernetes or other systems.
Below is the complete Pulumi program to create an AWS IAM OIDC Provider. It includes the necessary configurations such as the URL of the IdP, client IDs, and thumbprints.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Define the issuer URL of the OpenID Connect Provider. AWS fetches the
// provider's discovery document and signing keys from this URL, so it must be
// the exact issuer (scheme, host and path) that appears in the IdP's tokens.
const oidcProviderUrl = "https://example.com"; // Replace with your IdP URL

// Define the list of client IDs (audiences) that can access the provider.
// A token is only accepted if its "aud" claim matches one of these values.
const clientIdList = ["sts.amazonaws.com"];

// Define the thumbprint list for the IdP's server certificate
// (SHA-1 hex fingerprint of the certificate AWS should trust for the issuer).
const thumbprintList = ["9e99a48a9960b14926bb7f3b4b5d8a9a2e2f5d42"]; // Replace with your IdP thumbprint

// Create the OpenID Connect Provider
const oidcProvider = new aws.iam.OpenIdConnectProvider("myOidcProvider", {
    url: oidcProviderUrl,
    clientIdLists: clientIdList,
    thumbprintLists: thumbprintList,
});

// Export the ARN of the OIDC Provider; IAM role trust policies reference it
// as the "Federated" principal.
export const oidcProviderArn = oidcProvider.arn;
```
Key Points
- OIDC Provider URL: The URL of your identity provider.
- Client ID List: A list of client IDs (audiences) that can access the provider. Typically includes sts.amazonaws.com for AWS STS.
- Thumbprint List: A list of thumbprints for the IdP's server certificate. AWS uses them to verify the IdP's TLS server certificate when it fetches the provider's signing keys, so the connection to the issuer is authenticated.
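The provider alone does not grant anything; a role's trust policy decides which tokens from it may assume the role. The helper below builds that trust policy and refuses to emit one without a specific `sub` condition, since an `aud`-only condition would let any identity the IdP issues a token for assume the role. This is an added example, not code from the original page or from Pulumi; the ARN, host and subject values are constructed placeholders.

```typescript
interface OidcTrustPolicyInput {
    providerArn: string;   // ARN of the aws.iam.OpenIdConnectProvider (e.g. oidcProvider.arn)
    audience: string;      // must match one entry in clientIdLists
    subjects: string[];    // allowed "sub" claims; may contain "*" as a StringLike pattern
}

interface TrustPolicyStatement {
    Effect: "Allow";
    Principal: { Federated: string };
    Action: "sts:AssumeRoleWithWebIdentity";
    Condition: Record<string, Record<string, string | string[]>>;
}

interface TrustPolicy {
    Version: "2012-10-17";
    Statement: TrustPolicyStatement[];
}

// IAM condition keys for an OIDC provider are prefixed with the provider's
// host (and path), which is everything after "oidc-provider/" in its ARN.
function oidcConditionPrefix(providerArn: string): string {
    const marker = ":oidc-provider/";
    const idx = providerArn.indexOf(marker);
    if (idx < 0) throw new Error(`not an OIDC provider ARN: ${providerArn}`);
    return providerArn.slice(idx + marker.length);
}

function buildOidcTrustPolicy(input: OidcTrustPolicyInput): TrustPolicy {
    if (input.subjects.length === 0 || input.subjects.includes("*")) {
        throw new Error("refusing to build a trust policy without a specific sub condition");
    }
    const prefix = oidcConditionPrefix(input.providerArn);
    const stringEquals: Record<string, string | string[]> = { [`${prefix}:aud`]: input.audience };
    const condition: TrustPolicyStatement["Condition"] = { StringEquals: stringEquals };
    // Values under one key are ORed, but different operators are ANDed, so all
    // subjects go under a single operator: StringLike if any contains a wildcard.
    if (input.subjects.some((s) => s.includes("*"))) {
        condition.StringLike = { [`${prefix}:sub`]: input.subjects };
    } else {
        stringEquals[`${prefix}:sub`] = input.subjects;
    }
    return {
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: { Federated: input.providerArn },
            Action: "sts:AssumeRoleWithWebIdentity",
            Condition: condition,
        }],
    };
}
```

In the Pulumi program this feeds an `aws.iam.Role` via `assumeRolePolicy: oidcProvider.arn.apply((arn) => JSON.stringify(buildOidcTrustPolicy({ providerArn: arn, audience: "sts.amazonaws.com", subjects: ["system:serviceaccount:prod:deployer"] })))`.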
Summary
In this guide, we configured an AWS IAM OpenID Connect Provider using Pulumi in TypeScript. We specified the IdP URL, client IDs, and thumbprints required for setting up the provider. This setup is essential for enabling federated authentication with external identity providers.