OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

Last week I got an error in a GitHub Actions workflow when running aws-actions/configure-aws-credentials:

OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

Somewhere deep in my mind, I remembered having seen this error before. It turned out that was in January 2022. Nothing wrong with my memory!

The solution is simple and is described in a blog post by GitHub from June 27, 2023. Make sure both of these thumbprints are configured on your AWS IAM OIDC identity provider:

6938fd4d98bab03faadb97b34396831e3780aea1
1c58a3a8518e8759bf075b76b750d4f2df264fcd

But that is a manual fix. Can we automate it with Terraform? We don’t want to do anything by hand, so we manage our AWS resources with Terraform: it gives insight into what is deployed, and hosting-related changes are tracked in Git.

I stumbled upon this solution. It uses the tls_certificate data source from the tls provider to fetch a thumbprint at plan time:

# DON'T USE THIS CODE
provider "tls" {}

# Connects to the OIDC discovery endpoint and returns whatever certificate
# chain GitHub's server happens to present during this particular plan run.
data "tls_certificate" "github" {
    url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
    client_id_list  = ["sts.amazonaws.com"]
    # Only one thumbprint ends up in the list: the one from the chain seen above.
    thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
    url             = "https://token.actions.githubusercontent.com"
}

But this doesn’t work. The data source only sees the chain GitHub’s server returns at plan time, so the provider ends up with a single thumbprint, while both are needed for the trust to hold every time. GitHub clearly states that in their blog post:

“There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers to trust both.”

So both thumbprints should be hard-coded:

resource "aws_iam_openid_connect_provider" "github" {
    client_id_list  = ["sts.amazonaws.com"]
    # Both thumbprints from GitHub's June 27, 2023 blog post; AWS accepts a token
    # as long as the chain it sees matches either one.
    thumbprint_list = [
        "6938fd4d98bab03faadb97b34396831e3780aea1",
        "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
    ]
    url             = "https://token.actions.githubusercontent.com"
}
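One thing I do want from Terraform is a warning if GitHub ever changes the chain again. The following is an added example, not code from the original post or from GitHub: it keeps both thumbprints hard-coded, and adds a Terraform `check` block (Terraform 1.5 or newer) that fetches the chain GitHub currently serves and compares every certificate in it against the configured list, so `terraform plan` warns when a thumbprint we don’t know about shows up. The data source name `github_live` and the local `github_thumbprints` are names chosen for this example.

```hcl
# Added example, not from the original post. Hard-code both thumbprints and let
# `terraform plan` warn when the chain GitHub serves right now is not covered.
terraform {
  required_version = ">= 1.5" # check blocks and scoped data sources need 1.5+
  required_providers {
    aws = { source = "hashicorp/aws" }
    tls = { source = "hashicorp/tls" }
  }
}

locals {
  # Both thumbprints from GitHub's June 27, 2023 blog post (lowercase hex, no colons,
  # the same format tls_certificate reports in sha1_fingerprint).
  github_thumbprints = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
  ]
}

resource "aws_iam_openid_connect_provider" "github" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = local.github_thumbprints
  url             = "https://token.actions.githubusercontent.com"
}

# A check block only produces a warning; it never changes the plan or blocks apply,
# which is what we want here: the hard-coded list stays the source of truth.
check "github_oidc_chain_is_trusted" {
  # Scoped data source (assumed name): the chain GitHub presents during this plan.
  data "tls_certificate" "github_live" {
    url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
  }

  assert {
    # Pass if any certificate in the served chain matches a configured thumbprint.
    condition = anytrue([
      for cert in data.tls_certificate.github_live.certificates :
      contains(local.github_thumbprints, cert.sha1_fingerprint)
    ])
    error_message = join(" ", [
      "None of the configured thumbprints match the chain currently served by",
      "token.actions.githubusercontent.com. Fingerprints seen:",
      join(", ", data.tls_certificate.github_live.certificates[*].sha1_fingerprint),
    ])
  }
}
```

Note the limitation: a single plan only sees whichever of the two chains GitHub’s server returned to that machine, so a passing check does not prove both thumbprints are configured. What it does catch is the situation from last week in reverse: a chain whose fingerprints match none of the configured values.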

That’s it. No automation, just hard-coded values. I hope GitHub won’t make the mistake with the certificates again.

I hope this helps. Have a nice day!