GitHub Actions OIDC thumbprint mismatch in code coverage jobs #533

Closed
lopopolo opened this issue Jul 3, 2023 · 1 comment · Fixed by #534
Labels
A-aws Area: AWS infrastructure as code. A-github-actions Area: GitHub Actions workflows and automation. S-blocked Status: Marked as blocked ❌ on something else such as other implementation work.

Comments


lopopolo commented Jul 3, 2023

Build Failure

https://github.com/artichoke/posix-space/actions/runs/5439193865/jobs/9891002518

OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

GitHub Announcement

https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/

We have received customers reporting errors with Actions’ OIDC integration with AWS. This happens for customers who are pinned to a single intermediary thumbprint from the Certificate Authority (CA) of the Actions SSL certificate.

There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers to trust both. This is a known behavior when the intermediary certificates are cross-signed by the CA.

Customers experiencing issues authenticating via OIDC with AWS should configure both thumbprints to be trusted in the AWS portal.

The two known intermediary thumbprints at this time are:

  • 6938fd4d98bab03faadb97b34396831e3780aea1
  • 1c58a3a8518e8759bf075b76b750d4f2df264fcd

Learn more about using OIDC with GitHub Actions.

See also:

Implicated Code

```hcl
resource "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
  client_id_list = [
    "sts.amazonaws.com"
  ]
  # https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}
```
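The failure above comes down to a set-membership check: AWS takes the SHA-1 fingerprint of the top-most intermediate certificate in the chain that `token.actions.githubusercontent.com` serves and requires it to appear in the provider's `thumbprint_list`; a single pinned value fails whenever the other cross-signed intermediate is served. The following is an added example, not code from the artichoke project or from GitHub or AWS. It reproduces that check over a served PEM chain, reports which observed thumbprints a configuration does not trust, and normalises the `SHA1 Fingerprint=AA:BB:..` form that `openssl x509 -fingerprint` prints into the lowercase hex AWS expects. The certificate bodies it runs on are constructed placeholders (arbitrary bytes, not real DER); `fetch_served_chain` is an assumed helper that needs network access and the `openssl` CLI and is not exercised offline.

```python
"""Check which GitHub Actions OIDC intermediate thumbprints a provider config trusts.

Added example, not the project's code. The thumbprint AWS compares against is
the SHA-1 digest of the DER-encoded top-most intermediate certificate, i.e.
the last certificate in the chain the server presents.
"""
import base64
import hashlib
import re
import subprocess

# The two intermediary thumbprints quoted from the GitHub changelog on this page.
GITHUB_THUMBPRINTS = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
]

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def normalize_thumbprint(value: str) -> str:
    """Turn 'SHA1 Fingerprint=69:38:FD:..' or '69:38:fd..' into lowercase hex without colons."""
    value = value.split("=", 1)[-1]
    return value.replace(":", "").strip().lower()


def pem_chain_to_der(pem_bundle: str) -> list[bytes]:
    """Decode every certificate in a PEM bundle, keeping the order the server sent them in."""
    return [
        base64.b64decode("".join(body.split()))
        for body in PEM_CERT_RE.findall(pem_bundle)
    ]


def thumbprint(der: bytes) -> str:
    """AWS OIDC provider thumbprint: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest()


def top_intermediate_thumbprint(pem_bundle: str) -> str:
    """Thumbprint of the last certificate in the served chain (the top-most intermediate)."""
    ders = pem_chain_to_der(pem_bundle)
    if not ders:
        raise ValueError("no certificates found in PEM bundle")
    return thumbprint(ders[-1])


def missing_thumbprints(observed_chains: list[str], configured: list[str]) -> set[str]:
    """Thumbprints seen on the wire that the provider configuration does not trust."""
    trusted = {normalize_thumbprint(t) for t in configured}
    observed = {top_intermediate_thumbprint(chain) for chain in observed_chains}
    return observed - trusted


def fetch_served_chain(host: str, port: int = 443) -> str:
    """Live variant (assumed helper; needs network and the openssl CLI): the chain as served."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"],
        input=b"", capture_output=True,
    )
    return proc.stdout.decode()


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used only to build the constructed sample below)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample input: placeholder byte strings standing in for real DER certificates.
LEAF_DER = b"constructed leaf certificate"
INTERMEDIATE_A_DER = b"constructed intermediate A"
INTERMEDIATE_B_DER = b"constructed intermediate B"
# Two chains, as GitHub's servers may return either cross-signed intermediate.
CHAIN_A_PEM = to_pem(LEAF_DER) + to_pem(INTERMEDIATE_A_DER)
CHAIN_B_PEM = to_pem(LEAF_DER) + to_pem(INTERMEDIATE_B_DER)

# Provider config as in the issue: pinned to a single intermediate ...
CONFIGURED_BEFORE = [thumbprint(INTERMEDIATE_A_DER)]
# ... and after the fix: both intermediates trusted.
CONFIGURED_AFTER = [thumbprint(INTERMEDIATE_A_DER), thumbprint(INTERMEDIATE_B_DER)]

if __name__ == "__main__":
    chains = [CHAIN_A_PEM, CHAIN_B_PEM]
    print("untrusted before fix:", missing_thumbprints(chains, CONFIGURED_BEFORE))
    print("untrusted after fix: ", missing_thumbprints(chains, CONFIGURED_AFTER))
```

Against the live endpoint, `missing_thumbprints([fetch_served_chain("token.actions.githubusercontent.com")], GITHUB_THUMBPRINTS)` answers the same question for a real `thumbprint_list`; because only one of the two intermediates is served per connection, sample several connections before concluding a configuration is complete.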


lopopolo commented Jul 3, 2023

This issue is blocked because #522 is open and WIP but has applied its changes to the state.

lopopolo added a commit that referenced this issue Jul 3, 2023
These changes are applied:

```
Terraform will perform the following actions:

  # module.github_actions_oidc_provider.aws_iam_openid_connect_provider.github will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "github" {
        id              = "arn:aws:iam::447522982029:oidc-provider/token.actions.githubusercontent.com"
        tags            = {}
      ~ thumbprint_list = [
            "6938fd4d98bab03faadb97b34396831e3780aea1",
          + "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
        ]
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

See: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
Fixes #533