Skip to content
This repository has been archived by the owner on Apr 29, 2023. It is now read-only.

OIDCプロバイダーにthumbprintsを明示的に指定する #1482

Merged
merged 2 commits into from
Nov 18, 2022
Merged

OIDCプロバイダーにthumbprintsを明示的に指定する #1482

merged 2 commits into from
Nov 18, 2022

Conversation

massongit
Copy link
Member

@massongit massongit commented Nov 15, 2022
edited
Loading

aws/aws-cdk#8607

GitHub ActionsからOIDC経由でAWSにアクセスできなくなっているので、OIDCプロバイダーにthumbprintsを明示的に指定します。
CIから cdk diffcdk deploy が実行できないので、approveをもらったら手元で cdk deploy を実行し、CIを再実行してマージする予定です。

[手元でのcdk diff]

$ cdk diff
Bundling asset Stack-youtube-streaming-watcher/Function-notify/Code/Stage...

  cdk.out/bundling-temp-cb7f3c84307603a7f3b18c54aa1a86cae1f73919b64b1f321f917d2bd51c43a6/index.js      10.9mb ⚠️
  cdk.out/bundling-temp-cb7f3c84307603a7f3b18c54aa1a86cae1f73919b64b1f321f917d2bd51c43a6/index.js.map  37.1mb

⚡ Done in 907ms
Bundling asset Stack-youtube-streaming-watcher/Function-reply/Code/Stage...

  cdk.out/bundling-temp-77d926a2a53e0843ad3a0aadbf658de93a9b4aa8b5c8b862ec401c9d0456cfb5/index.js      2.9mb ⚠️
  cdk.out/bundling-temp-77d926a2a53e0843ad3a0aadbf658de93a9b4aa8b5c8b862ec401c9d0456cfb5/index.js.map  7.4mb

⚡ Done in 175ms
Stack Stack-youtube-streaming-watcher
Resources
[~] Custom::AWSCDKOpenIdConnectProvider OIDCProvider-github/Resource OIDCProvidergithubA71ED85C 
 └─ [+] ThumbprintList
     └─ ["6938FD4D98BAB03FAADB97B34396831E3780AEA1"]


NOTICES

8607    aws-iam: IAM OIDC provider configures the wrong certificate thumbprint

        Overview: Your application is using the iam.OpenIDConnectProvider
                  resource, which currently configures the thumbprint of the
                  leaf certificate instead of the root. Since leaf
                  certificates are rotated more frequently, you are in danger
                  of application errors next time those certificates get
                  rotated. See the attached issue for mitigation steps and
                  apply them as soon as possible.

        Affected versions: aws-cdk-lib.aws_iam.OpenIdConnectProvider: ^2.0.0, @aws-cdk/aws-iam.OpenIdConnectProvider: ^1.0.0

        More information at: https://github.com/aws/aws-cdk/issues/8607


If you don’t want to see a notice anymore, use "cdk acknowledge <id>". For example, "cdk acknowledge 8607".

@github-actions github-actions bot mentioned this pull request Nov 15, 2022
Merged
@github-actions
formatを直してあげたよ! (#1483)
6657336 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
massongit
massongit commented Nov 15, 2022
View reviewed changes
lib/cdk-stack.ts
@@ -125,7 +125,8 @@ export class CdkStack extends Stack {
const oidcAud = 'sts.amazonaws.com'
const provider = new iam.OpenIdConnectProvider(this, 'OIDCProvider-github', {
url: 'https://token.actions.githubusercontent.com',
clientIds: [oidcAud]
clientIds: [oidcAud],
thumbprints: ['6938FD4D98BAB03FAADB97B34396831E3780AEA1']
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html の手順に従って生成。

@github-actions
Copy link
Contributor

インフラの差分

Bundling asset Stack-youtube-streaming-watcher/Function-notify/Code/Stage...

  ...f1999402527474193e348e9f6481218bd10c8d5c3b99b8372aabff/index.js  10.9mb ⚠️
  ...9402527474193e348e9f6481218bd10c8d5c3b99b8372aabff/index.js.map  37.1mb

⚡ Done in 1603ms
Bundling asset Stack-youtube-streaming-watcher/Function-reply/Code/Stage...

  ...e3d16001f2cb9243a9ccdf76dbb3d0936ecf6dd71aab26d0b3c914a/index.js  2.9mb ⚠️
  ...6001f2cb9243a9ccdf76dbb3d0936ecf6dd71aab26d0b3c914a/index.js.map  7.4mb

⚡ Done in 580ms
Stack Stack-youtube-streaming-watcher
There were no differences

NOTICES

8607	aws-iam: IAM OIDC provider configures the wrong certificate thumbprint

	Overview: Your application is using the iam.OpenIDConnectProvider
	          resource, which currently configures the thumbprint of the
	          leaf certificate instead of the root. Since leaf
	          certificates are rotated more frequently, you are in danger
	          of application errors next time those certificates get
	          rotated. See the attached issue for mitigation steps and
	          apply them as soon as possible.

	Affected versions: aws-cdk-lib.aws_iam.OpenIdConnectProvider: ^2.0.0, @aws-cdk/aws-iam.OpenIdConnectProvider: ^1.0.0

	More information at: https://github.com/aws/aws-cdk/issues/8607


If you don’t want to see a notice anymore, use "cdk acknowledge <id>". For example, "cdk acknowledge 8607".

@massongit massongit merged commit a869f2b into main Nov 18, 2022
@massongit massongit deleted the add_thumbprints branch November 18, 2022 20:33
massongit added a commit that referenced this pull request Nov 18, 2022
@massongit
Revert "OIDCプロバイダーにthumbprintsを明示的に指定する (#1482)"
d7ed3b3 
This reverts commit a869f2b.
@massongit massongit mentioned this pull request Nov 18, 2022
Merged
massongit added a commit that referenced this pull request Nov 18, 2022
@massongit
Revert "OIDCプロバイダーにthumbprintsを明示的に指定する (#1482)" (#1492)
b92886a 
This reverts commit a869f2b.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Goryudyuma Goryudyuma Goryudyuma approved these changes

Assignees
No one assigned
Labels
review please
Projects
task list
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@massongit @Goryudyuma