[Docs]: Change IRSA example to include only CA fingerprint #32847
Comments
pnieweglowski
added
the
documentation
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
github-actions
bot
added
service/iam
|
Hey @pnieweglowski 👋 Thank you for taking the time to raise this, and for the helpful link! I've opened a pull request to update the documentation as needed. |
justinretzolk
removed
the
needs-triage
|
This functionality has been released in v5.12.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Documentation Link
website/docs/r/eks_cluster.html.markdown
Description
Pull request #26523 changed in example document, usage of resource aws_iam_openid_connect_provider, attribute thumbprint_list to contain list off all fingerprints from cert chain gathered from IdP.
As number of oidc's thumbprints in AWS is limited to 5, and cert chains with number of certificates exceeding 3 are quite common, it is easy to touch the hard limit of the resource.
In AWS IAM OIDC docs, there is a statement
IAM requires the thumbprint for the top intermediate certificate authority (CA) that signed the certificate used by the external identity provider (IdP)
so only first fingerprint from data.tls_certificate should be used.
References
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
Would you like to implement a fix?
None
The text was updated successfully, but these errors were encountered: