EKS


Last updated 4 years ago

Service account IAM roles

Obtaining CA thumbprint of OIDC provider

The AWS IAM OIDC identity provider needs to be configured with a CA thumbprint. More specifically, this is the SHA-1 fingerprint (lowercase hex, without colons) of the root CA certificate in the chain served by the OIDC issuer endpoint.

The thumbprint can be obtained with openssl or other tools, but there are a couple of shortcuts:

  • One-liner from the terraform-provider-aws GitHub issue (linked under Resources):

# REGION is the region of the cluster, e.g. REGION=eu-west-1 (example value).
# `tail -r` is BSD/macOS only; on GNU/Linux replace both occurrences with `tac`.
echo | openssl s_client -servername oidc.eks.${REGION}.amazonaws.com -showcerts -connect oidc.eks.${REGION}.amazonaws.com:443 2>&- \
  | tail -r | sed -n '/-----END CERTIFICATE-----/,/-----BEGIN CERTIFICATE-----/p; /-----BEGIN CERTIFICATE-----/q' | tail -r \
  | openssl x509 -fingerprint -noout \
  | sed 's/://g' | awk -F= '{print tolower($2)}'
  • kubergrunt tool (linked under Resources):

kubergrunt eks oidc-thumbprint --issuer-url $ISSUER_URL
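As an added example (not code from the original page), the same extraction done in Python: split an `openssl s_client -showcerts` dump into certificates, take the last one in the chain exactly as the one-liner does, and hash it in the form IAM expects. `fetch_chain_pem` shells out to openssl with the flags shown above and needs network access; `SAMPLE_CHAIN` is a constructed stand-in whose bodies are not real certificates, and `normalize_openssl_fingerprint` is a hypothetical helper mirroring the `sed`/`awk` tail of the pipeline.

```python
import base64
import hashlib
import re
import subprocess

# Matches each PEM certificate block in an `openssl s_client -showcerts` dump.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(chain_pem: str) -> list:
    """Split a PEM bundle into DER blobs, in the order the server sent them (leaf first)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(chain_pem)]


def sha1_thumbprint(der: bytes) -> str:
    """Thumbprint as IAM expects it: SHA-1 of the DER bytes, lowercase hex, no colons."""
    return hashlib.sha1(der).hexdigest()


def oidc_ca_thumbprint(chain_pem: str) -> str:
    """Thumbprint of the last certificate in the presented chain, i.e. the one the
    page's `tail -r | sed ... | tail -r` pipeline selects."""
    ders = pem_chain_to_der(chain_pem)
    if not ders:
        raise ValueError("no certificate found in chain")
    return sha1_thumbprint(ders[-1])


def normalize_openssl_fingerprint(line: str) -> str:
    """Turn `SHA1 Fingerprint=AB:CD:...` (openssl x509 -fingerprint output) into IAM form."""
    _, _, value = line.strip().partition("=")
    return value.replace(":", "").lower()


def fetch_chain_pem(region: str) -> str:
    """Fetch the EKS OIDC issuer's chain with openssl s_client (needs network)."""
    host = f"oidc.eks.{region}.amazonaws.com"
    proc = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-showcerts", "-connect", f"{host}:443"],
        input=b"", capture_output=True)
    return proc.stdout.decode()


# Constructed sample chain: a real dump carries DER certificates; here the top-of-chain
# body is base64("abc"), so the expected thumbprint is the well-known SHA-1 of "abc".
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"   # leaf: base64("leaf")
    "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"       # top of chain: base64("abc")
)
```

Compare the returned value against the thumbprint configured on the IAM identity provider; a mismatch means the provider was created against a different CA chain.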

Resources

  • Amazon EKS Best Practices Guide for Security: https://aws.github.io/aws-eks-best-practices/
  • terraform-provider-aws issue #10104 (source of the openssl one-liner): https://github.com/terraform-providers/terraform-provider-aws/issues/10104
  • kubergrunt: https://github.com/gruntwork-io/kubergrunt