Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint #579
Comments
Sorry, I just found this closed issue that sounds similar: Has the problem reoccurred?
Seeing the same error as well in our pipeline just now. No changes were made to our OpenIDConnect provider in IAM. We are using
Same issue this morning. Can confirm our thumbprint didn't change overnight. Also using @v1-node16.
Same error I am seeing as well using
Open source project seeing the same issue, using this OIDC provider, in case that helps with reproduction. From a recent job:
FYI, this was caused by a bug in CDK. It seems to have been fixed three days ago.
I had the same issue, but solved it by adding the latest fingerprint from this one-liner to the ID provider.
AWS pins the OIDC IdentityProvider's ICA (Intermediate CA) thumbprint while creating an IdP from the AWS console. I don't see any change in the ICA and the thumbprint ( FYI: If you are creating the IDP from the CLI, follow this doc to get the thumbprint.
I can get
Yeah I think that is the certificate's thumbprint. If you try creating an IdP from the IAM console it uses the ICA's thumbprint. The thumbprint of the certificate will vary with each rotation, but not the ICA's (this is also not guaranteed, but generally people use the same ICA for a certain period).
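The leaf-versus-ICA distinction drawn in the comments above, as an added example (not code from this thread, the action, or CDK): it computes the SHA-1 thumbprint over each certificate in a PEM chain and reports which configured pin still matches after the leaf certificate rotates. The certificate bytes are constructed stand-ins rather than real certificates, the function names are hypothetical, and the chain is assumed to be ordered leaf first.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def chain_thumbprints(pem_bundle):
    """SHA-1 over each certificate's DER bytes, in chain order (leaf first)."""
    ders = [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_bundle)]
    return [hashlib.sha1(der).hexdigest() for der in ders]

def normalize(thumbprint):
    """Accept 'SHA1 Fingerprint=AA:BB:..' or bare hex; return lowercase hex."""
    value = thumbprint.split("=")[-1].replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{40}", value):
        raise ValueError("not a SHA-1 thumbprint: %r" % thumbprint)
    return value

def matched_positions(pem_bundle, configured):
    """Map each configured thumbprint to its index in the chain, or None."""
    chain = chain_thumbprints(pem_bundle)
    result = {}
    for raw in configured:
        tp = normalize(raw)
        result[tp] = chain.index(tp) if tp in chain else None
    return result

def to_pem(der):
    """Wrap raw bytes in PEM armor (helper for the constructed sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-ins for DER bytes (not real certificates): the leaf
# before and after a rotation, and an intermediate CA that stays the same.
OLD_LEAF, NEW_LEAF, ICA = b"leaf-before", b"leaf-after", b"intermediate-ca"
OLD_CHAIN = to_pem(OLD_LEAF) + to_pem(ICA)
NEW_CHAIN = to_pem(NEW_LEAF) + to_pem(ICA)

leaf_pin, ica_pin = chain_thumbprints(OLD_CHAIN)

if __name__ == "__main__":
    for name, pin in (("leaf", leaf_pin), ("ICA", ica_pin)):
        after = matched_positions(NEW_CHAIN, [pin])[pin]
        print(name, "pin", pin, "-> chain index after rotation:", after)
```

A result of `None` for a pin means no certificate in the presented chain carries that thumbprint, which is the condition the error in this issue describes.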
Using the
Thanks for all the links everyone - Adding the new thumbprint fixed it for me. I had originally created the Open ID Connect Provider using AWS CDK like this:
There is an optional
CDK fetches the thumbprint for you when you deploy. GitHub recently updated the certificate (which will happen again in another year), hence the reason this came up.
Just to confirm, everyone running into this issue is defining the OIDC provider through CDK right?
Yep, that's how I ran into the issue 👍 And this solution worked for me. All sorted now.
Update to aws-cdk with fix is now available
Describe the bug
My GitHub workflows that use aws-actions/configure-aws-credentials@v1-node16 have stopped working today. No changes have been made recently to the workflows, or my AWS accounts.
Expected Behavior
The step should succeed without any error.
Current Behavior
Error logged in the GitHub runner
Reproduction Steps
I've copied what I think are the relevant parts of my workflow yml.
Possible Solution
No response
Additional Information/Context
No response