-
Notifications
You must be signed in to change notification settings - Fork 3.9k
/
oidc-provider.ts
52 lines (48 loc) · 1.78 KB
/
oidc-provider.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
import { Construct } from 'constructs';
import * as iam from '../../aws-iam';
/**
* Initialization properties for `OpenIdConnectProvider`.
*/
export interface OpenIdConnectProviderProps {
/**
* The URL of the identity provider. The URL must begin with https:// and
* should correspond to the iss claim in the provider's OpenID Connect ID
* tokens. Per the OIDC standard, path components are allowed but query
* parameters are not. Typically the URL consists of only a hostname, like
* https://server.example.org or https://example.com.
*
* You can find your OIDC Issuer URL by:
* aws eks describe-cluster --name %cluster_name% --query "cluster.identity.oidc.issuer" --output text
*/
readonly url: string;
}
/**
* IAM OIDC identity providers are entities in IAM that describe an external
* identity provider (IdP) service that supports the OpenID Connect (OIDC)
* standard, such as Google or Salesforce. You use an IAM OIDC identity provider
* when you want to establish trust between an OIDC-compatible IdP and your AWS
* account.
*
* This implementation has default values for thumbprints and clientIds props
* that will be compatible with the eks cluster
*
* @see http://openid.net/connect
* @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
*
* @resource AWS::CloudFormation::CustomResource
*/
export class OpenIdConnectProvider extends iam.OpenIdConnectProvider {
/**
* Defines an OpenID Connect provider.
* @param scope The definition scope
* @param id Construct ID
* @param props Initialization properties
*/
public constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps) {
const clientIds = ['sts.amazonaws.com'];
super(scope, id, {
url: props.url,
clientIds,
});
}
}