fix(iam): oidc provider fetches leaf certificate thumbprint instead of root #22802

Merged: 40 commits, Nov 12, 2022

Commits
2545059 fetch x509 certificates (iliapolo, Nov 7, 2022)
2444155 dynamic bucket name + retry logic for pinger (iliapolo, Nov 7, 2022)
1064d04 wrong file (iliapolo, Nov 7, 2022)
fbb9c54 mid work (iliapolo, Nov 7, 2022)
b9ea667 unused import (iliapolo, Nov 7, 2022)
e9a32b7 node 16 for provider to fetch x509 certs (iliapolo, Nov 7, 2022)
090fd13 comment (iliapolo, Nov 7, 2022)
a4bded6 simplify iam policies (iliapolo, Nov 7, 2022)
141bb30 revert perms (iliapolo, Nov 7, 2022)
9972bd8 revert (iliapolo, Nov 7, 2022)
85efbfe cleanup (iliapolo, Nov 7, 2022)
c9db512 iam snapshot (iliapolo, Nov 7, 2022)
0f4782d Merge branch 'main' into epolon/oidc-x509 (vinayak-kukreja, Nov 7, 2022)
b4ddd39 mid work (iliapolo, Nov 8, 2022)
ce3b5ee fix(gamelift): restrict policy to access Script / Build content in S3… (stevehouel, Nov 8, 2022)
be6c87a fix(cloudfront): custom originId not used for multiple behaviors with… (patricksuter, Nov 8, 2022)
e17b970 feat(gamelift): add GameServerGroup L2 Construct for GameLift (#22762) (stevehouel, Nov 8, 2022)
2ef95d5 feat(lambda-layer-node-proxy-agent): depend on @awscdk/asset-node-pro… (kaizencc, Nov 8, 2022)
a452d1c chore(iam): add a `PrecreatedRole` class (#22824) (corymhall, Nov 8, 2022)
aa4a19d feat: lambda-layer-awscli): depend on @awscdk/asset-awscli-v1 and red… (kaizencc, Nov 8, 2022)
7dbae01 reset snapshot to main (iliapolo, Nov 8, 2022)
042c877 iam snapshot (iliapolo, Nov 9, 2022)
5224260 fix test according to new behavior (iliapolo, Nov 9, 2022)
7e0eaeb reset snapshot to main (iliapolo, Nov 9, 2022)
2c317b8 reset snapshot to main (iliapolo, Nov 9, 2022)
75cc85e more snapshots (iliapolo, Nov 9, 2022)
0ed862e more snapshots (iliapolo, Nov 9, 2022)
239e076 more snapshots (iliapolo, Nov 10, 2022)
e89ce66 more snapshots (iliapolo, Nov 10, 2022)
b1aacd9 Merge branch 'main' into epolon/oidc-x509 (iliapolo, Nov 10, 2022)
6a0ce3c more snapshots (iliapolo, Nov 10, 2022)
5e18b1c Merge branch 'main' into epolon/oidc-x509 (iliapolo, Nov 10, 2022)
0c374c2 Merge branch 'main' into epolon/oidc-x509 (iliapolo, Nov 10, 2022)
dda2f29 more snapshots (iliapolo, Nov 10, 2022)
9019215 more snapshots (iliapolo, Nov 10, 2022)
60cb766 more snapshots (iliapolo, Nov 11, 2022)
d377197 Merge branch 'main' into epolon/oidc-x509 (iliapolo, Nov 11, 2022)
eded609 don't typecheck x509 file (iliapolo, Nov 11, 2022)
dd01b5f Merge branch 'main' into epolon/oidc-x509 (iliapolo, Nov 11, 2022)
5f6a5d6 Merge branch 'main' into epolon/oidc-x509 (iliapolo, Nov 11, 2022)
7 changes: 0 additions & 7 deletions packages/@aws-cdk/aws-eks/lib/oidc-provider.ts
@@ -41,18 +41,11 @@ export class OpenIdConnectProvider extends iam.OpenIdConnectProvider {
* @param props Initialization properties
*/
public constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps) {
/**
* For some reason EKS isn't validating the root certificate but a intermediate certificate
* which is one level up in the tree. Because of the a constant thumbprint value has to be
* stated with this OpenID Connect provider. The certificate thumbprint is the same for all the regions.
*/
const thumbprints = ['9e99a48a9960b14926bb7f3b02e22da2b0ab7280'];

const clientIds = ['sts.amazonaws.com'];

super(scope, id, {
url: props.url,
thumbprints,
clientIds,
});
}
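Review bot: with the hardcoded `thumbprints` array gone, the EKS construct now depends entirely on the base `iam.OpenIdConnectProvider` to resolve the thumbprint at deploy time, but the deleted comment was the only record of why the old value was a CA thumbprint rather than the leaf's. Keep a one-line comment at the `super()` call saying that `thumbprints` is intentionally omitted and resolved from the issuer's certificate chain, and that the resolved value has to be the top CA certificate of that chain: leaf certificates are rotated, so pinning a leaf thumbprint would pass today and break trust for `sts.amazonaws.com` at the next rotation, which is exactly the failure this PR's title describes.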

17 changes: 7 additions & 10 deletions packages/@aws-cdk/aws-eks/test/bucket-pinger/bucket-pinger.ts
@@ -1,30 +1,27 @@
import * as ec2 from '@aws-cdk/aws-ec2';
import * as iam from '@aws-cdk/aws-iam';
import * as lambda from '@aws-cdk/aws-lambda';
import { CustomResource, Token, Duration } from '@aws-cdk/core';
import * as cr from '@aws-cdk/custom-resources';
import { Construct } from 'constructs';

export interface PingerProps {
readonly securityGroup?: ec2.SecurityGroup;
readonly vpc?: ec2.IVpc;
readonly subnets?: ec2.ISubnet[];
export interface BucketPingerProps {
readonly bucketName: string;
}
export class BucketPinger extends Construct {

private _resource: CustomResource;

constructor(scope: Construct, id: string, props: PingerProps) {
constructor(scope: Construct, id: string, props: BucketPingerProps) {
super(scope, id);

const func = new lambda.Function(this, 'Function', {
code: lambda.Code.fromAsset(`${__dirname}/function`),
handler: 'index.handler',
runtime: lambda.Runtime.PYTHON_3_9,
vpc: props.vpc,
vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
timeout: Duration.minutes(1),
environment: {
BUCKET_NAME: props.bucketName,
},
});

if (!func.role) {
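Review bot: `BucketPingerProps` drops `vpc`, `subnets` and `securityGroup` with no replacement, so the pinger Lambda now always runs outside a VPC. That is acceptable for a helper that only needs to reach the S3 API, but the interface should say so in a doc comment, and the `Token` import at the top of the file may now be unused once the VPC branches are gone (worth checking the rest of the file before lint flags it). It would also help to state that `bucketName` must be a concrete name or a resolvable token, since the same value is interpolated into the `BUCKET_NAME` environment variable here and into a policy ARN below.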
@@ -33,7 +30,7 @@ export class BucketPinger extends Construct {

func.role.addToPrincipalPolicy(new iam.PolicyStatement({
actions: ['s3:DeleteBucket', 's3:ListBucket'],
resources: ['arn:aws:s3:::*'],
resources: [`arn:aws:s3:::${props.bucketName}`],
}));

const provider = new cr.Provider(this, 'Provider', {
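Review bot: narrowing `resources` from `arn:aws:s3:::*` to the single bucket is the right least-privilege change, and the bare bucket ARN (no `/*` suffix) is correct because `s3:DeleteBucket` and `s3:ListBucket` are bucket-level actions. The partition is still hardcoded as `aws`, though, so the statement would not match the bucket in `aws-cn` or `aws-us-gov`; prefer `arn:${Aws.PARTITION}:s3:::${props.bucketName}` with `Aws` from `@aws-cdk/core`, or `Stack.of(this).formatArn(...)`, so the test helper deploys in every partition the rest of the package supports.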

16 changes: 10 additions & 6 deletions packages/@aws-cdk/aws-eks/test/bucket-pinger/function/index.py
@@ -1,6 +1,8 @@
import json
import logging
import boto3
import time
import os

logger = logging.getLogger()
logger.setLevel(logging.INFO)
@@ -11,17 +13,19 @@ def handler(event, context):
request_type = event['RequestType']
props = event['ResourceProperties']

s3_bucket_name = 'amazingly-made-sdk-call-created-eks-bucket'
s3_bucket_name = os.environ['BUCKET_NAME']
s3 = boto3.client('s3')

if request_type in ['Create', 'Update']:
logger.info(f'making sdk call to check if bucket with name {s3_bucket_name} exists')
while (True): # lambda will eventually time this out in case of consistent failures
try:
s3.head_bucket(Bucket=s3_bucket_name)
return {'Data': {'Value': f'confirmed that bucket with name {s3_bucket_name} exists' }}
except Exception as error:
logger.error(f'failed to head bucket with error: {str(error)}')
time.sleep(5)

try:
s3.head_bucket(Bucket=s3_bucket_name)
except Exception as error:
raise RuntimeError(f'failed to head bucket with error: {str(error)}')
return {'Data': {'Value': f'confirmed that bucket with name {s3_bucket_name} exists' }}

elif request_type == 'Delete':
logger.info(f'making sdk call to delete bucket with name {s3_bucket_name}')
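Review bot: the `while (True)` loop with a bare `except Exception` retries every failure, including permanent ones such as a 403 from `head_bucket` or a wrong `BUCKET_NAME`, until the one-minute Lambda timeout kills the invocation, so a genuine error surfaces as a generic custom-resource timeout with the useful message buried in the logs. Catch `botocore.exceptions.ClientError`, retry only when the response error code is `404` / `NoSuchBucket` (the eventual-consistency case this loop exists for), re-raise anything else immediately, and bound the loop with a deadline derived from `context.get_remaining_time_in_millis()` so the last attempt's error is raised instead of the function being cut off. The `time.sleep(5)` fixed backoff is fine for a test helper once the loop is bounded.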

3 changes: 0 additions & 3 deletions packages/@aws-cdk/aws-eks/test/cluster.test.ts
@@ -2156,9 +2156,6 @@ describe('cluster', () => {
ClientIDList: [
'sts.amazonaws.com',
],
ThumbprintList: [
'9e99a48a9960b14926bb7f3b02e22da2b0ab7280',
],
Url: {
'Fn::GetAtt': [
'Cluster9EE0221C',
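Review bot: deleting the `ThumbprintList` expectation leaves this test with no assertion about how the thumbprint is now produced, so a regression that reintroduces a hardcoded value would still pass. Assert `ThumbprintList: Match.absent()` (from `@aws-cdk/assertions`) on the provider resource's properties, or assert on whatever the provider now emits for it, so the test pins the new behavior rather than merely no longer checking the old one.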