getCertificate
Use this data source to get information, such as SHA1 fingerprint or serial number, about the TLS certificates that protect an HTTPS website. Note that the certificate chain isn’t verified.
Example Usage
// C#
using Pulumi;
using Aws = Pulumi.Aws;
using Tls = Pulumi.Tls;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleCluster = new Aws.Eks.Cluster("exampleCluster", new Aws.Eks.ClusterArgs
        {
        });
        // Fetch the certificates served at the cluster's OIDC issuer URL.
        var exampleCertificate = exampleCluster.Identities.Apply(identities => Tls.GetCertificate.InvokeAsync(new Tls.GetCertificateArgs
        {
            Url = identities[0].Oidcs?[0]?.Issuer,
        }));
        var exampleOpenIdConnectProvider = new Aws.Iam.OpenIdConnectProvider("exampleOpenIdConnectProvider", new Aws.Iam.OpenIdConnectProviderArgs
        {
            ClientIdLists =
            {
                "sts.amazonaws.com",
            },
            ThumbprintLists =
            {
                // The lambda parameter must not reuse the name of the enclosing local.
                exampleCertificate.Apply(cert => cert.Certificates[0].Sha1Fingerprint),
            },
            Url = exampleCluster.Identities.Apply(identities => identities[0].Oidcs?[0]?.Issuer),
        });
    }
}

// Go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/eks"
	"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
	"github.com/pulumi/pulumi-tls/sdk/v3/go/tls"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleCluster, err := eks.NewCluster(ctx, "exampleCluster", nil)
		if err != nil {
			return err
		}
		// Issuer URL of the cluster's OIDC identity provider.
		issuer := exampleCluster.Identities.ApplyT(func(identities []eks.ClusterIdentity) (string, error) {
			return identities[0].Oidcs[0].Issuer, nil
		}).(pulumi.StringOutput)
		// Fetch the certificates served at the issuer URL once it is known.
		exampleCertificate := issuer.ApplyT(func(url string) (tls.GetCertificateResult, error) {
			cert, err := tls.GetCertificate(ctx, &tls.GetCertificateArgs{Url: url})
			if err != nil {
				return tls.GetCertificateResult{}, err
			}
			return *cert, nil
		})
		_, err = iam.NewOpenIdConnectProvider(ctx, "exampleOpenIdConnectProvider", &iam.OpenIdConnectProviderArgs{
			ClientIdLists: pulumi.StringArray{
				pulumi.String("sts.amazonaws.com"),
			},
			ThumbprintLists: pulumi.StringArray{
				exampleCertificate.ApplyT(func(exampleCertificate tls.GetCertificateResult) (string, error) {
					return exampleCertificate.Certificates[0].Sha1Fingerprint, nil
				}).(pulumi.StringOutput),
			},
			Url: issuer,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

# Python
import pulumi
import pulumi_aws as aws
import pulumi_tls as tls

example_cluster = aws.eks.Cluster("exampleCluster")
example_certificate = example_cluster.identities.apply(lambda identities: tls.get_certificate(url=identities[0].oidcs[0].issuer))
example_open_id_connect_provider = aws.iam.OpenIdConnectProvider("exampleOpenIdConnectProvider",
    client_id_lists=["sts.amazonaws.com"],
    thumbprint_lists=[example_certificate.certificates[0].sha1_fingerprint],
    url=example_cluster.identities[0].oidcs[0].issuer)

// TypeScript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as tls from "@pulumi/tls";

const exampleCluster = new aws.eks.Cluster("example", {});
const exampleCertificate = exampleCluster.identities.apply(identities => tls.getCertificate({
    url: identities[0].oidcs[0].issuer,
}, { async: true }));
const exampleOpenIdConnectProvider = new aws.iam.OpenIdConnectProvider("example", {
    clientIdLists: ["sts.amazonaws.com"],
    thumbprintLists: [exampleCertificate.certificates[0].sha1Fingerprint],
    url: exampleCluster.identities[0].oidcs[0].issuer,
});

Using getCertificate
function getCertificate(args: GetCertificateArgs, opts?: InvokeOptions): Promise<GetCertificateResult>
def get_certificate(url: Optional[str] = None, verify_chain: Optional[bool] = None, opts: Optional[InvokeOptions] = None) -> GetCertificateResult
func GetCertificate(ctx *Context, args *GetCertificateArgs, opts ...InvokeOption) (*GetCertificateResult, error)
Note: This function is named GetCertificate in the Go SDK.
public static class GetCertificate {
    public static Task<GetCertificateResult> InvokeAsync(GetCertificateArgs args, InvokeOptions? opts = null)
}
The following arguments are supported:
- Url string
The URL of the website to get the certificates from.
- VerifyChain bool
Whether to verify the certificate chain while parsing it or not.

- Url string
The URL of the website to get the certificates from.
- VerifyChain bool
Whether to verify the certificate chain while parsing it or not.

- url string
The URL of the website to get the certificates from.
- verifyChain boolean
Whether to verify the certificate chain while parsing it or not.

- url str
The URL of the website to get the certificates from.
- verify_chain bool
Whether to verify the certificate chain while parsing it or not.
getCertificate Result
The following output properties are available:
- Certificates List<GetCertificateCertificate>
The certificates protecting the site, with the root of the chain first.
  - certificates.#.not_after - The time until which the certificate is invalid, as an RFC3339 timestamp.
  - certificates.#.not_before - The time after which the certificate is valid, as an RFC3339 timestamp.
  - certificates.#.is_ca - true if this certificate is a CA certificate.
  - certificates.#.issuer - Who verified and signed the certificate, roughly following RFC2253.
  - certificates.#.public_key_algorithm - The algorithm used to create the certificate.
  - certificates.#.serial_number - Number that uniquely identifies the certificate with the CA’s system. The format function can be used to convert this base 10 number into other bases, such as hex.
  - certificates.#.sha1_fingerprint - The SHA1 fingerprint of the public key of the certificate.
  - certificates.#.signature_algorithm - The algorithm used to sign the certificate.
  - certificates.#.subject - The entity the certificate belongs to, roughly following RFC2253.
  - certificates.#.version - The version the certificate is in.
- Id string
The provider-assigned unique ID for this managed resource.
- Url string
- VerifyChain bool

- Certificates []GetCertificateCertificate
The certificates protecting the site, with the root of the chain first.
  - certificates.#.not_after - The time until which the certificate is invalid, as an RFC3339 timestamp.
  - certificates.#.not_before - The time after which the certificate is valid, as an RFC3339 timestamp.
  - certificates.#.is_ca - true if this certificate is a CA certificate.
  - certificates.#.issuer - Who verified and signed the certificate, roughly following RFC2253.
  - certificates.#.public_key_algorithm - The algorithm used to create the certificate.
  - certificates.#.serial_number - Number that uniquely identifies the certificate with the CA’s system. The format function can be used to convert this base 10 number into other bases, such as hex.
  - certificates.#.sha1_fingerprint - The SHA1 fingerprint of the public key of the certificate.
  - certificates.#.signature_algorithm - The algorithm used to sign the certificate.
  - certificates.#.subject - The entity the certificate belongs to, roughly following RFC2253.
  - certificates.#.version - The version the certificate is in.
- Id string
The provider-assigned unique ID for this managed resource.
- Url string
- VerifyChain bool

- certificates GetCertificateCertificate[]
The certificates protecting the site, with the root of the chain first.
  - certificates.#.not_after - The time until which the certificate is invalid, as an RFC3339 timestamp.
  - certificates.#.not_before - The time after which the certificate is valid, as an RFC3339 timestamp.
  - certificates.#.is_ca - true if this certificate is a CA certificate.
  - certificates.#.issuer - Who verified and signed the certificate, roughly following RFC2253.
  - certificates.#.public_key_algorithm - The algorithm used to create the certificate.
  - certificates.#.serial_number - Number that uniquely identifies the certificate with the CA’s system. The format function can be used to convert this base 10 number into other bases, such as hex.
  - certificates.#.sha1_fingerprint - The SHA1 fingerprint of the public key of the certificate.
  - certificates.#.signature_algorithm - The algorithm used to sign the certificate.
  - certificates.#.subject - The entity the certificate belongs to, roughly following RFC2253.
  - certificates.#.version - The version the certificate is in.
- id string
The provider-assigned unique ID for this managed resource.
- url string
- verifyChain boolean

- certificates Sequence[GetCertificateCertificate]
The certificates protecting the site, with the root of the chain first.
  - certificates.#.not_after - The time until which the certificate is invalid, as an RFC3339 timestamp.
  - certificates.#.not_before - The time after which the certificate is valid, as an RFC3339 timestamp.
  - certificates.#.is_ca - true if this certificate is a CA certificate.
  - certificates.#.issuer - Who verified and signed the certificate, roughly following RFC2253.
  - certificates.#.public_key_algorithm - The algorithm used to create the certificate.
  - certificates.#.serial_number - Number that uniquely identifies the certificate with the CA’s system. The format function can be used to convert this base 10 number into other bases, such as hex.
  - certificates.#.sha1_fingerprint - The SHA1 fingerprint of the public key of the certificate.
  - certificates.#.signature_algorithm - The algorithm used to sign the certificate.
  - certificates.#.subject - The entity the certificate belongs to, roughly following RFC2253.
  - certificates.#.version - The version the certificate is in.
- id str
The provider-assigned unique ID for this managed resource.
- url str
- verify_chain bool
Supporting Types
GetCertificateCertificate
- IsCa bool
- Issuer string
- NotAfter string
- NotBefore string
- PublicKeyAlgorithm string
- SerialNumber string
- Sha1Fingerprint string
- SignatureAlgorithm string
- Subject string
- Version int

- IsCa bool
- Issuer string
- NotAfter string
- NotBefore string
- PublicKeyAlgorithm string
- SerialNumber string
- Sha1Fingerprint string
- SignatureAlgorithm string
- Subject string
- Version int

- isCa boolean
- issuer string
- notAfter string
- notBefore string
- publicKeyAlgorithm string
- serialNumber string
- sha1Fingerprint string
- signatureAlgorithm string
- subject string
- version number

- is_ca bool
- issuer str
- not_after str
- not_before str
- public_key_algorithm str
- serial_number str
- sha1_fingerprint str
- signature_algorithm str
- subject str
- version int
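
Because the certificate chain isn't verified, the fingerprint passed into a thumbprint list is whatever the endpoint served at deployment time. The following added example (not part of the Pulumi documentation or SDK) checks one entry of the certificates output against a pinned SHA1 fingerprint and its validity window, and converts the base 10 serial number to hex. It assumes the certificates are available as plain dicts keyed by the documented property names; thumbprint_problems, SAMPLE_CERTIFICATES and the "must be a CA" policy are illustrative assumptions.

```python
import hmac
from datetime import datetime, timezone

# Constructed sample shaped like the documented `certificates` output
# (root of the chain first); every value here is made up.
SAMPLE_CERTIFICATES = [
    {"subject": "CN=Constructed Root CA", "is_ca": True, "serial_number": "255",
     "not_before": "2015-01-01T00:00:00Z", "not_after": "2035-01-01T00:00:00Z",
     "sha1_fingerprint": "0123456789abcdef0123456789abcdef01234567"},
    {"subject": "CN=oidc.example.test", "is_ca": False, "serial_number": "4096",
     "not_before": "2023-06-01T00:00:00Z", "not_after": "2024-06-01T00:00:00Z",
     "sha1_fingerprint": "89abcdef0123456789abcdef0123456789abcdef"},
]


def parse_rfc3339(ts):
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_fingerprint(fp):
    # Accept "AB:CD:..." as well as bare hex so pins can be pasted from other tools.
    return fp.replace(":", "").replace(" ", "").lower()


def serial_hex(serial_number):
    # serial_number is a base 10 string; CA tooling usually shows it in hex.
    return format(int(serial_number), "x")


def thumbprint_problems(certificates, pinned_sha1, index=0, now=None):
    """Return reasons not to trust certificates[index] as a thumbprint source."""
    if not certificates:
        return ["no certificates returned"]
    now = now or datetime.now(timezone.utc)
    cert = certificates[index]
    problems = []
    got = normalize_fingerprint(cert["sha1_fingerprint"])
    if not hmac.compare_digest(got, normalize_fingerprint(pinned_sha1)):
        problems.append(f"fingerprint {got} does not match the pinned value")
    if now < parse_rfc3339(cert["not_before"]):
        problems.append("certificate is not yet valid")
    if now > parse_rfc3339(cert["not_after"]):
        problems.append("certificate has expired")
    if not cert["is_ca"]:  # policy assumption: pin a CA, not a short-lived leaf
        problems.append("certificate is not a CA certificate")
    return problems
```

The pinned fingerprint should come from a source other than the endpoint being checked, such as a value recorded during an earlier reviewed deployment.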
Package Details
- Repository: https://github.com/pulumi/pulumi-tls
- License: Apache-2.0
- Notes: This Pulumi package is based on the tls Terraform Provider.