
getCertificate

Use this data source to get information, such as the SHA1 fingerprint or serial number, about the TLS certificates that protect an HTTPS website. Note that the certificate chain isn't verified unless `verify_chain` is set to `true`; when the result is used to establish trust (for example, as an IAM OIDC provider thumbprint), enable it so that a chain that does not verify is rejected rather than recorded.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;
using Tls = Pulumi.Tls;

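class MyStack : Stack
{
    public MyStack()
    {
        var exampleCluster = new Aws.Eks.Cluster("exampleCluster", new Aws.Eks.ClusterArgs
        {
        });
        // The OIDC issuer URL is only known once the cluster exists, so it is
        // read from the cluster's identities output once and reused below.
        var issuerUrl = exampleCluster.Identities.Apply(identities => identities[0].Oidcs?[0]?.Issuer);
        // Fetch the issuer's certificate chain. GetCertificate does not verify
        // the chain unless asked to; the fingerprint taken from it is what IAM
        // will trust for this identity provider, so fail the deployment rather
        // than record a thumbprint obtained over an unverified (possibly
        // tampered-with) connection.
        var exampleCertificate = issuerUrl.Apply(url => Tls.GetCertificate.InvokeAsync(new Tls.GetCertificateArgs
        {
            Url = url,
            VerifyChain = true,
        }));
        var exampleOpenIdConnectProvider = new Aws.Iam.OpenIdConnectProvider("exampleOpenIdConnectProvider", new Aws.Iam.OpenIdConnectProviderArgs
        {
            ClientIdLists = 
            {
                "sts.amazonaws.com",
            },
            ThumbprintLists = 
            {
                // Index 0 is the root of the chain (certificates are listed root first).
                exampleCertificate.Apply(certificate => certificate.Certificates[0].Sha1Fingerprint),
            },
            Url = issuerUrl,
        });
    }

}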
package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v3/go/aws/eks"
    "github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
    "github.com/pulumi/pulumi-tls/sdk/v3/go/tls"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

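func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        exampleCluster, err := eks.NewCluster(ctx, "exampleCluster", nil)
        if err != nil {
            return err
        }
        // The OIDC issuer URL is only known once the cluster exists, so it is
        // read from the cluster's identities output once and reused below.
        issuerUrl := exampleCluster.Identities.ApplyT(func(identities []eks.ClusterIdentity) (string, error) {
            return identities[0].Oidcs[0].Issuer, nil
        }).(pulumi.StringOutput)
        // Fetch the issuer's certificate chain and take the fingerprint of the
        // first entry (the root of the chain). GetCertificate does not verify
        // the chain unless asked to; the fingerprint is what IAM will trust for
        // this identity provider, so fail the deployment rather than record a
        // thumbprint obtained over an unverified (possibly tampered-with)
        // connection.
        verifyChain := true
        thumbprint := issuerUrl.ApplyT(func(url string) (string, error) {
            certificate, err := tls.GetCertificate(ctx, &tls.GetCertificateArgs{
                Url:         url,
                VerifyChain: &verifyChain,
            })
            if err != nil {
                return "", err
            }
            return certificate.Certificates[0].Sha1Fingerprint, nil
        }).(pulumi.StringOutput)
        _, err = iam.NewOpenIdConnectProvider(ctx, "exampleOpenIdConnectProvider", &iam.OpenIdConnectProviderArgs{
            ClientIdLists: pulumi.StringArray{
                pulumi.String("sts.amazonaws.com"),
            },
            ThumbprintLists: pulumi.StringArray{
                thumbprint,
            },
            // A StringOutput already satisfies StringInput; wrapping it in
            // pulumi.String() would not compile.
            Url: issuerUrl,
        })
        if err != nil {
            return err
        }
        return nil
    })
}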
import pulumi
import pulumi_aws as aws
import pulumi_tls as tls

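example_cluster = aws.eks.Cluster("exampleCluster")
# The OIDC issuer URL is only known once the cluster exists, so read it from
# the cluster's identities output once and reuse it below.
issuer_url = example_cluster.identities.apply(lambda identities: identities[0].oidcs[0].issuer)
# get_certificate does not verify the chain unless asked to; the fingerprint
# taken from it is what IAM will trust for this identity provider, so fail the
# deployment rather than record a thumbprint obtained over an unverified
# (possibly tampered-with) connection.
example_certificate = issuer_url.apply(lambda url: tls.get_certificate(url=url, verify_chain=True))
example_open_id_connect_provider = aws.iam.OpenIdConnectProvider("exampleOpenIdConnectProvider",
    client_id_lists=["sts.amazonaws.com"],
    # Index 0 is the root of the chain (certificates are listed root first).
    thumbprint_lists=[example_certificate.certificates[0].sha1_fingerprint],
    url=issuer_url)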
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as tls from "@pulumi/tls";

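const exampleCluster = new aws.eks.Cluster("example", {});
// The OIDC issuer URL is only known once the cluster exists, so read it from
// the cluster's identities output once and reuse it below.
const issuerUrl = exampleCluster.identities.apply(identities => identities[0].oidcs[0].issuer);
// getCertificate does not verify the chain unless asked to; the fingerprint
// taken from it is what IAM will trust for this identity provider, so fail the
// deployment rather than record a thumbprint obtained over an unverified
// (possibly tampered-with) connection.
const exampleCertificate = issuerUrl.apply(url => tls.getCertificate({
    url,
    verifyChain: true,
}, { async: true }));
const exampleOpenIdConnectProvider = new aws.iam.OpenIdConnectProvider("example", {
    clientIdLists: ["sts.amazonaws.com"],
    // Index 0 is the root of the chain (certificates are listed root first).
    thumbprintLists: [exampleCertificate.certificates[0].sha1Fingerprint],
    url: issuerUrl,
});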

Using getCertificate

function getCertificate(args: GetCertificateArgs, opts?: InvokeOptions): Promise<GetCertificateResult>
def get_certificate(url: Optional[str] = None, verify_chain: Optional[bool] = None, opts: Optional[InvokeOptions] = None) -> GetCertificateResult
func GetCertificate(ctx *Context, args *GetCertificateArgs, opts ...InvokeOption) (*GetCertificateResult, error)

Note: This function is named GetCertificate in the Go SDK.

public static class GetCertificate {
    public static Task<GetCertificateResult> InvokeAsync(GetCertificateArgs args, InvokeOptions? opts = null)
}

The following arguments are supported:

Url string

The URL of the website to get the certificates from.

VerifyChain bool

Whether to verify the certificate chain while parsing it. The chain is not verified by default; set this to `true` whenever the fetched certificates will be used to establish trust.

Url string

The URL of the website to get the certificates from.

VerifyChain bool

Whether to verify the certificate chain while parsing it. The chain is not verified by default; set this to `true` whenever the fetched certificates will be used to establish trust.

url string

The URL of the website to get the certificates from.

verifyChain boolean

Whether to verify the certificate chain while parsing it. The chain is not verified by default; set this to `true` whenever the fetched certificates will be used to establish trust.

url str

The URL of the website to get the certificates from.

verify_chain bool

Whether to verify the certificate chain while parsing it. The chain is not verified by default; set this to `true` whenever the fetched certificates will be used to establish trust.

getCertificate Result

The following output properties are available:

Certificates List<GetCertificateCertificate>

The certificates protecting the site, with the root of the chain first. * certificates.#.not_after - The time after which the certificate is no longer valid, as an RFC3339 timestamp. * certificates.#.not_before - The time after which the certificate is valid, as an RFC3339 timestamp. * certificates.#.is_ca - true if this certificate is a CA certificate. * certificates.#.issuer - Who verified and signed the certificate, roughly following RFC2253. * certificates.#.public_key_algorithm - The algorithm of the certificate's public key. * certificates.#.serial_number - Number that uniquely identifies the certificate within the CA's system. The format function can be used to convert this base 10 number into other bases, such as hex. * certificates.#.sha1_fingerprint - The SHA1 fingerprint of the public key of the certificate. * certificates.#.signature_algorithm - The algorithm used to sign the certificate. * certificates.#.subject - The entity the certificate belongs to, roughly following RFC2253. * certificates.#.version - The X.509 version of the certificate.

Id string

The provider-assigned unique ID for this managed resource.

Url string
VerifyChain bool
Certificates []GetCertificateCertificate

The certificates protecting the site, with the root of the chain first. * certificates.#.not_after - The time after which the certificate is no longer valid, as an RFC3339 timestamp. * certificates.#.not_before - The time after which the certificate is valid, as an RFC3339 timestamp. * certificates.#.is_ca - true if this certificate is a CA certificate. * certificates.#.issuer - Who verified and signed the certificate, roughly following RFC2253. * certificates.#.public_key_algorithm - The algorithm of the certificate's public key. * certificates.#.serial_number - Number that uniquely identifies the certificate within the CA's system. The format function can be used to convert this base 10 number into other bases, such as hex. * certificates.#.sha1_fingerprint - The SHA1 fingerprint of the public key of the certificate. * certificates.#.signature_algorithm - The algorithm used to sign the certificate. * certificates.#.subject - The entity the certificate belongs to, roughly following RFC2253. * certificates.#.version - The X.509 version of the certificate.

Id string

The provider-assigned unique ID for this managed resource.

Url string
VerifyChain bool
certificates GetCertificateCertificate[]

The certificates protecting the site, with the root of the chain first. * certificates.#.not_after - The time after which the certificate is no longer valid, as an RFC3339 timestamp. * certificates.#.not_before - The time after which the certificate is valid, as an RFC3339 timestamp. * certificates.#.is_ca - true if this certificate is a CA certificate. * certificates.#.issuer - Who verified and signed the certificate, roughly following RFC2253. * certificates.#.public_key_algorithm - The algorithm of the certificate's public key. * certificates.#.serial_number - Number that uniquely identifies the certificate within the CA's system. The format function can be used to convert this base 10 number into other bases, such as hex. * certificates.#.sha1_fingerprint - The SHA1 fingerprint of the public key of the certificate. * certificates.#.signature_algorithm - The algorithm used to sign the certificate. * certificates.#.subject - The entity the certificate belongs to, roughly following RFC2253. * certificates.#.version - The X.509 version of the certificate.

id string

The provider-assigned unique ID for this managed resource.

url string
verifyChain boolean
certificates Sequence[GetCertificateCertificate]

The certificates protecting the site, with the root of the chain first. * certificates.#.not_after - The time after which the certificate is no longer valid, as an RFC3339 timestamp. * certificates.#.not_before - The time after which the certificate is valid, as an RFC3339 timestamp. * certificates.#.is_ca - true if this certificate is a CA certificate. * certificates.#.issuer - Who verified and signed the certificate, roughly following RFC2253. * certificates.#.public_key_algorithm - The algorithm of the certificate's public key. * certificates.#.serial_number - Number that uniquely identifies the certificate within the CA's system. The format function can be used to convert this base 10 number into other bases, such as hex. * certificates.#.sha1_fingerprint - The SHA1 fingerprint of the public key of the certificate. * certificates.#.signature_algorithm - The algorithm used to sign the certificate. * certificates.#.subject - The entity the certificate belongs to, roughly following RFC2253. * certificates.#.version - The X.509 version of the certificate.

id str

The provider-assigned unique ID for this managed resource.

url str
verify_chain bool

Supporting Types

GetCertificateCertificate

isCa boolean
issuer string
notAfter string
notBefore string
publicKeyAlgorithm string
serialNumber string
sha1Fingerprint string
signatureAlgorithm string
subject string
version number

Package Details

Repository
https://github.com/pulumi/pulumi-tls
License
Apache-2.0
Notes
This Pulumi package is based on the tls Terraform Provider.