
How do I create an AWS IAM OpenID Connect Provider?

In this guide, we’ll walk you through the steps to create an AWS IAM OpenID Connect (OIDC) provider. This is useful when you want AWS to trust identity tokens issued by a third-party identity provider, so that workloads authenticated by that provider can assume IAM roles. Such a setup is common when working with Kubernetes clusters, federated identities, or other OIDC-compliant services.

We will:

  1. Create an IAM OIDC provider with the necessary parameters.
  2. Define relevant outputs.

Here’s the complete example:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create the IAM OIDC Provider. AWS will trust identity tokens issued by this URL.
const example = new aws.iam.OpenIdConnectProvider("example", {
    url: "https://example.com",           // issuer URL of the identity provider (must be HTTPS)
    clientIdLists: ["sts.amazonaws.com"], // audiences (aud claim) that AWS will accept in tokens
    thumbprintLists: ["9e99a48a9960a5df37a2de2a4342b3ea402f0617"], // SHA-1 thumbprint of the issuer's TLS CA certificate
});
// Export the provider ARN so it can be referenced from IAM role trust policies
export const oidcProviderArn = example.arn;

Key Points:

  • OpenID Connect (OIDC) Provider URL: The issuer URL of the identity provider. AWS uses it to locate the provider’s discovery document and signing keys when verifying identity tokens.
  • Client ID List: Audience identifiers (the aud claim) that AWS will accept in tokens; for role assumption via STS this is often sts.amazonaws.com.
  • Thumbprint List: SHA-1 thumbprints of the certificate authority that issued the identity provider’s TLS certificate, used by AWS to verify the identity server’s SSL/TLS certificate.

Summary:

We created an IAM OpenID Connect Provider, specifying the OIDC issuer URL, client ID list, and thumbprint list. The ARN of the OIDC provider is exported for reference, since it is the value an IAM role trust policy must name as its federated principal. This setup allows AWS to verify identity tokens from the OIDC identity provider.
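As an added example (not code from this page or from Pulumi), here is the piece the walkthrough stops short of: the IAM role trust policy that consumes the provider ARN exported above. It pins both the audience (the client ID) and the token subject, and includes an offline checker for sample claims; the account id and service-account name it uses in comments are placeholders.

```typescript
// Added example, not part of the Pulumi page: build the IAM role trust policy that
// pairs with the OIDC provider above. IAM names OIDC claims after the provider's
// host/path taken from its ARN, e.g. "example.com:aud" and "example.com:sub".
interface TrustPolicy {
  Version: "2012-10-17";
  Statement: Array<{
    Effect: "Allow";
    Principal: { Federated: string };
    Action: "sts:AssumeRoleWithWebIdentity";
    Condition: { StringEquals: Record<string, string> };
  }>;
}

// "arn:aws:iam::123456789012:oidc-provider/example.com/path" -> "example.com/path"
function providerHostFromArn(providerArn: string): string {
  const marker = ":oidc-provider/";
  const idx = providerArn.indexOf(marker);
  if (idx < 0) throw new Error(`not an IAM OIDC provider ARN: ${providerArn}`);
  return providerArn.slice(idx + marker.length);
}

// Both aud and sub are pinned. A policy that checks only aud lets every identity
// the provider issues (any service account, any repository) assume the role.
function buildWebIdentityTrustPolicy(
  providerArn: string, audience: string, subject: string): TrustPolicy {
  if (!subject) throw new Error("a sub condition is required");
  const host = providerHostFromArn(providerArn);
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: providerArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: { StringEquals: { [`${host}:aud`]: audience, [`${host}:sub`]: subject } },
    }],
  };
}

// Offline check: would a token carrying these claims satisfy every StringEquals condition?
function tokenSatisfies(policy: TrustPolicy, claims: Record<string, string>): boolean {
  return policy.Statement.every((st) => {
    const prefix = providerHostFromArn(st.Principal.Federated) + ":";
    const cond = st.Condition.StringEquals;
    return Object.keys(cond).every((key) => {
      const claim = key.indexOf(prefix) === 0 ? key.slice(prefix.length) : key;
      return claims[claim] === cond[key];
    });
  });
}
```

In the Pulumi program above, the policy is attached to a role as `assumeRolePolicy: example.arn.apply((arn) => JSON.stringify(buildWebIdentityTrustPolicy(arn, "sts.amazonaws.com", subject)))` on an `aws.iam.Role`, where `subject` is the exact sub claim the provider issues for the workload (for a Kubernetes service account, `system:serviceaccount:<namespace>:<name>`).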
