AWS IAM Openid Connect Provider

This page shows how to write Terraform and CloudFormation for IAM Openid Connect Provider and write them securely.

aws_iam_openid_connect_provider (Terraform)

The Openid Connect Provider in IAM can be configured in Terraform with the resource name aws_iam_openid_connect_provider. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

openid-connect.tf#L12
resource "aws_iam_openid_connect_provider" "cluster" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.external.thumb.result.thumbprint]
  url             = aws_eks_cluster.cluster.identity.0.oidc.0.issuer
}

K)%20OIDC_Provider.tf#L15
resource "aws_iam_openid_connect_provider" "EKS_OIDC" {
  url = data.aws_eks_cluster.EKS_CLUSTER.identity[0].oidc[0].issuer

  client_id_list = [
    "sts.amazonaws.com",
  ]
eks.tf#L113
resource "aws_iam_openid_connect_provider" "cluster" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.cert.certificates[0].sha1_fingerprint]
  url             = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
}

cluster.tf#L24
resource "aws_iam_openid_connect_provider" "main" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.external.thumb.result.thumbprint]
  url             = aws_eks_cluster.main.identity.0.oidc.0.issuer
}

24-cluster-irsa.tf#L10
resource "aws_iam_openid_connect_provider" "oidc_provider" {
  count           = var.enable_irsa ? 1 : 0
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [var.eks_oidc_thumbprint]
  url             = flatten(concat(aws_eks_cluster.cluster[*].identity[*].oidc.0.issuer, [""]))[0]
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an IAM OpenID Connect provider.

Tips: Best Practices for The Other AWS IAM Resources

In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_iam_account_password_policy

Ensure AWS IAM account password policies requires long passwords

It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.

Review your AWS IAM settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::IAM::OIDCProvider (CloudFormation)

The OIDCProvider in IAM can be configured in CloudFormation with the resource name AWS::IAM::OIDCProvider. The following sections describe 6 examples of how to use the resource and its parameters.

Example Usage from GitHub

GHA-terraform.yml#L46
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList: [sigstore]
      ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]

GHA-terraform.yml#L46
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList: [sigstore]
      ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]

GHA-terraform.yml#L46
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList: [sigstore]
      ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]

github_oidc_template.yml#L22
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]
      ClientIdList: [sts.amazonaws.com]

iam.yml#L16
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
template.json#L1215
    "AWS::IAM::OIDCProvider": {
      "Type": "AWS::IAM::OIDCProvider",
      "Properties": {}
    },
    "AWS::Greengrass::LoggerDefinitionVersion": {
      "Type": "AWS::Greengrass::LoggerDefinitionVersion",

Parameters

Explanation in CloudFormation Registry

Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).

The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.

When you create the IAM OIDC provider, you specify the following:+ The URL of the OIDC identity provider (IdP) to trust+ A list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider+ A list of thumbprints of one or more server certificates that the IdP usesYou get all of this information from the OIDC IdP that you want to use to access AWS.

Note The trust for the OIDC provider is derived from the IAM provider that this operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged users.

Frequently asked questions

What is AWS IAM Openid Connect Provider?

AWS IAM Openid Connect Provider is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS IAM Openid Connect Provider?

For Terraform, the osvaldotoja/eks-irsa, Kubernetes26/EKS_Modules%20OIDC_Provider.tf#L15) and brianbinbin/tf-eks source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the Snails8/terraform-ecs-nat-sample, Snails8/terraform-sample-ecs-public and Snails8/terraform-ecs-prd-laravel source code examples are useful. See the CloudFormation Example section for further details.