class OidcProviderNative (construct)
| Language | Type name |
|---|---|
 .NET | Amazon.CDK.AWS.IAM.OidcProviderNative |
 Go | github.com/aws/aws-cdk-go/awscdk/v2/awsiam#OidcProviderNative |
 Java | software.amazon.awscdk.services.iam.OidcProviderNative |
 Python | aws_cdk.aws_iam.OidcProviderNative |
 TypeScript (source) | aws-cdk-lib » aws_iam » OidcProviderNative |
Implements
IConstruct, IDependable, IResource, IOidc
IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce.
You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities.
See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
Example
const nativeProvider = new iam.OidcProviderNative(this, 'MyProvider', {
url: 'https://openid/connect',
clientIds: [ 'myclient1', 'myclient2' ],
thumbprints: ['aa00aa1122aa00aa1122aa00aa1122aa00aa1122'],
});
Initializer
new OidcProviderNative(scope: Construct, id: string, props: OidcProviderNativeProps)
Parameters
- scope
Construct— The definition scope. - id
string— Construct ID. - props
Oidc— Initialization properties.Provider Native Props
Defines a Native OpenID Connect provider.
Construct Props
| Name | Type | Description |
|---|---|---|
| url | string | The URL of the identity provider. |
| client | string[] | A list of client IDs (also known as audiences). |
| oidc | string | The name of the Native OIDC Provider. |
| thumbprints? | string[] | A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates. |
url
Type:
string
The URL of the identity provider.
The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com.
You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.
Warning: This URL cannot contain any port numbers
clientIds?
Type:
string[]
(optional, default: no clients are allowed)
A list of client IDs (also known as audiences).
When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)
You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider.
Client IDs are up to 255 characters long.
oidcProviderName?
Type:
string
(optional, default: A name is automatically generated.)
The name of the Native OIDC Provider.
thumbprints?
Type:
string[]
(optional, default: no thumbprints are allowed. IAM will retrieve and use thumbprint
of idenity provider server cerctificate)
A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates.
Typically this list includes only 1 entry or empty. However, IAM lets you have up to 5 thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates.
The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.
For example, assume that the OIDC provider is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. In that case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com.
This property is optional. If it is not included, IAM will retrieve and use the top intermediate certificate authority (CA) thumbprint of the OpenID Connect identity provider server certificate.
Obtain the thumbprint of the root certificate authority from the provider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
Properties
| Name | Type | Description |
|---|---|---|
| env | Resource | The environment this resource belongs to. |
| node | Node | The tree node. |
| oidc | string | The Amazon Resource Name (ARN) of the Native IAM OpenID Connect provider. |
| oidc | string | The issuer for the Native OIDC Provider. |
| oidc | string | The thumbprints configured for this provider. |
| stack | Stack | The stack in which this resource is defined. |
| static PROPERTY_INJECTION_ID | string | Uniquely identifies this class. |
env
Type:
Resource
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
node
Type:
Node
The tree node.
oidcProviderArn
Type:
string
The Amazon Resource Name (ARN) of the Native IAM OpenID Connect provider.
oidcProviderIssuer
Type:
string
The issuer for the Native OIDC Provider.
oidcProviderThumbprints
Type:
string
The thumbprints configured for this provider.
stack
Type:
Stack
The stack in which this resource is defined.
static PROPERTY_INJECTION_ID
Type:
string
Uniquely identifies this class.
Methods
| Name | Description |
|---|---|
| apply | Apply the given removal policy to this resource. |
| to | Returns a string representation of this construct. |
| static from | Imports an Open ID connect provider from an ARN. |
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.
static fromOidcProviderArn(scope, id, oidcProviderArn)
public static fromOidcProviderArn(scope: Construct, id: string, oidcProviderArn: string): IOidcProvider
Parameters
- scope
Construct— The definition scope. - id
string— ID of the construct. - oidcProviderArn
string— the ARN to import.
Returns
Imports an Open ID connect provider from an ARN.