How do I fix an OIDC thumbprint mismatch? #750

adamlundrigan · 2023-07-04T17:26:51Z

adamlundrigan
Jul 4, 2023

We have configured GitHub Actions to be able to assume the deployment role in our Reference Architecture shared account to upload build assets (from Serverless Framework) to S3 so our Terraform modules can read them from a centralized location to deploy to application accounts.

A GitHub Actions run failed today with this error:

Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

Some Googling turned up this blog post from GitHub:
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/

it seems that at some point recently they added a second certificate chain with different thumbprint to the GitHub Actions service.

How do we fix this?

(this post was modified from it's original to pose it as a question with an answer in a comment so that the answer could be marked as accepted)

Tracked in ticket #110320

Answered by pete0emerson

Jul 5, 2023

Credit to @adamlundrigan (I extracted this from his initial post):

I checked our account-baseline-app module for shared and we're not explicitly setting a list of thumbprints via github_actions_openid_connect_provider_thumbprint_list, which means the Terraform is falling back to extracting the certificate thumbprint from https://token.actions.githubusercontent.com:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/2b35fe7ab89482e57a5746f1b14e31974dfb8f22/modules/landingzone/account-baseline-app/main.tf#L552-L558

this presumably only extracts one of the thumbprints (the one for the certificate https://token.actions.githubusercontent.com used), which then causes our GitHub …

View full answer

pete0emerson · 2023-07-05T14:46:11Z

pete0emerson
Jul 5, 2023

Credit to @adamlundrigan (I extracted this from his initial post):

I checked our account-baseline-app module for shared and we're not explicitly setting a list of thumbprints via github_actions_openid_connect_provider_thumbprint_list, which means the Terraform is falling back to extracting the certificate thumbprint from https://token.actions.githubusercontent.com:

https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/2b35fe7ab89482e57a5746f1b14e31974dfb8f22/modules/landingzone/account-baseline-app/main.tf#L552-L558

this presumably only extracts one of the thumbprints (the one for the certificate https://token.actions.githubusercontent.com used), which then causes our GitHub Actions runs to intermittently fail when the Actions server connects to GitHub using a different certificate than was previously detected.

Our workaround is to hard-code the list of thumbprints:

  github_actions_openid_connect_provider_thumbprint_list = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
  ]

We should fix the extraction to pull both certificates.

Thanks, @adamlundrigan !

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Gruntwork

How do I fix an OIDC thumbprint mismatch? #750

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Gruntwork

How do I fix an OIDC thumbprint mismatch? #750

adamlundrigan Jul 4, 2023

Replies: 1 comment

pete0emerson Jul 5, 2023

adamlundrigan
Jul 4, 2023

pete0emerson
Jul 5, 2023