OpenIdConnectProvider

class aws_cdk.aws_iam.OpenIdConnectProvider(scope, id, *, url, client_ids=None, thumbprints=None)

Bases: Resource

IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce.

You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don’t want to create custom sign-in code or manage your own user identities.

⚠️ IMPORTANT NOTICE FOR CONTRIBUTORS ⚠️

DO NOT ADD NEW FEATURES TO THIS CONSTRUCT

This construct uses a custom resource with Lambda functions and is maintained for backward compatibility only. We cannot deprecate it due to its usage in existing services like EKS (see https://github.com/aws/aws-cdk/pull/28634#discussion_r1842962697).

For new functionality, developers should use OidcProviderNative instead, which utilizes the native CloudFormation resource AWS::IAM::OIDCProvider and provides the same functionality with less complexity.

If you are considering adding features to this construct, please:

  1. Consider implementing the feature in OidcProviderNative instead

  2. Discuss with the CDK team before proceeding

  3. Ensure any changes maintain strict backward compatibility

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

Resource:

AWS::CloudFormation::CustomResource

ExampleMetadata:

infused

Example:

provider = iam.OpenIdConnectProvider(self, "MyProvider",
    url="https://openid/connect",
    client_ids=["myclient1", "myclient2"]
)

Defines an OpenID Connect provider.

Parameters:

  • scope (Construct) – The definition scope.

  • id (str) – Construct ID.

  • url (str) – The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider’s OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.

  • client_ids (Optional[Sequence[str]]) – A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that’s sent as the client_id parameter on OAuth requests.) You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider. Client IDs are up to 255 characters long. Default: - no clients are allowed

  • thumbprints (Optional[Sequence[str]]) – A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider’s server certificates. Typically this list includes only one entry. However, IAM lets you have up to five thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates. The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string. You must provide at least one thumbprint when creating an IAM OIDC provider. For example, assume that the OIDC provider is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. In that case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com. Default: - If no thumbprints are specified (an empty array or undefined), the thumbprint of the root certificate authority will be obtained from the provider’s server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

Methods

apply_removal_policy(policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:

policy (RemovalPolicy)

Return type:

None

to_string()

Returns a string representation of this construct.

Return type:

str

Attributes

PROPERTY_INJECTION_ID = 'aws-cdk-lib.aws-iam.OpenIdConnectProvider'
env

The environment this resource belongs to.

For resources that are created and managed in a Stack (those created by creating new class instances like new Role(), new Bucket(), etc.), this is always the same as the environment of the stack they belong to.

For referenced resources (those obtained from referencing methods like Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be different than the stack they were imported into.

node

The tree node.

oidc_provider_ref

A reference to a OIDCProvider resource.

open_id_connect_provider_arn

The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.

open_id_connect_provider_issuer

The issuer for OIDC Provider.

open_id_connect_providerthumbprints

The thumbprints configured for this provider.

stack

The stack in which this resource is defined.

Static Methods

classmethod from_open_id_connect_provider_arn(scope, id, open_id_connect_provider_arn)

Imports an Open ID connect provider from an ARN.

Parameters:

  • scope (Construct) – The definition scope.

  • id (str) – ID of the construct.

  • open_id_connect_provider_arn (str) – the ARN to import.

Return type:

IOpenIdConnectProvider

classmethod is_construct(x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Construct.

classmethod is_owned_resource(construct)

Returns true if the construct was created by CDK, and false otherwise.

Parameters:

construct (IConstruct)

Return type:

bool

classmethod is_resource(construct)

Check whether the given construct is a Resource.

Parameters:

construct (IConstruct)

Return type:

bool