
How do I fix an OIDC thumbprint mismatch?

Answer

We have configured GitHub Actions to be able to assume the deployment role in our Reference Architecture `shared` account to upload build assets (from Serverless Framework) to S3 so our Terraform modules can read them from a centralized location to deploy to application accounts. A GitHub Actions run failed today with this error:

> Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

Some Googling turned up this blog post from GitHub: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/

It seems that at some point recently they added a second certificate chain with a different thumbprint to the GitHub Actions service. How do we fix this?

(This post was modified from its original to pose it as a question with an answer in a comment so that the answer could be marked as accepted.)

---

Tracked in ticket #110320 (2023-07-04): https://support.gruntwork.io/hc/requests/110320

Credit to @adamlundrigan (I extracted this from his initial post):

I checked our `account-baseline-app` module for `shared` and we're not explicitly setting a list of thumbprints via `github_actions_openid_connect_provider_thumbprint_list`, which means the Terraform is falling back to extracting the certificate thumbprint from `https://token.actions.githubusercontent.com`: https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/2b35fe7ab89482e57a5746f1b14e31974dfb8f22/modules/landingzone/account-baseline-app/main.tf#L552-L558

This presumably only extracts one of the thumbprints (the one for the certificate `https://token.actions.githubusercontent.com` used), which then causes our GitHub Actions runs to intermittently fail when the Actions server connects to GitHub using a different certificate than was previously detected.

Our workaround is to hard-code the list of thumbprints:

```
github_actions_openid_connect_provider_thumbprint_list = [
  "6938fd4d98bab03faadb97b34396831e3780aea1",
  "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
]
```

We should fix the extraction to pull _both_ certificates. Thanks, @adamlundrigan!
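The answer above explains why a single thumbprint extracted from one TLS connection cannot cover an issuer that serves two different certificate chains. The script below is an added example, not code from the original post or from Gruntwork's modules: it shows how an IAM OIDC thumbprint is actually derived (hex SHA-1 over the DER encoding of the top-most certificate the server sends), parses an `openssl s_client -showcerts` style PEM bundle, and reports which observed thumbprints are missing from the configured list. The two GitHub thumbprints are the ones quoted in the answer; the PEM bundle in the block is a constructed placeholder (base64 of arbitrary bytes, not real certificates) so the parsing and checking run offline. `fetch_chain_pem` assumes the `openssl` CLI is installed and is only needed for a live check.

```python
"""Check AWS IAM OIDC provider thumbprints against the TLS chain an issuer serves.

Added example, not part of the original post or Gruntwork's modules.
AWS derives the provider thumbprint as the hex SHA-1 of the DER encoding of the
top-most certificate in the chain the issuer's HTTPS server sends. If the issuer
has more than one chain (as GitHub did), every chain's thumbprint must be listed.
"""
import base64
import hashlib
import re
import subprocess

# Thumbprints quoted in the answer above (GitHub Actions OIDC issuer).
GITHUB_THUMBPRINTS = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
]

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string into DER bytes."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def thumbprint(der: bytes) -> str:
    """IAM thumbprint format: lowercase hex SHA-1 of the DER certificate."""
    return hashlib.sha1(der).hexdigest()


def chain_thumbprints(bundle: str) -> list[str]:
    """Thumbprint of every certificate in a PEM bundle, in served order (leaf first)."""
    return [
        thumbprint(base64.b64decode("".join(body.split())))
        for body in _PEM_RE.findall(bundle)
    ]


def provider_thumbprint(bundle: str) -> str:
    """The thumbprint IAM compares against: the last (top-most) cert the server sent."""
    tps = chain_thumbprints(bundle)
    if not tps:
        raise ValueError("bundle contains no certificates")
    return tps[-1]


def missing_thumbprints(observed: list[str], configured: list[str]) -> list[str]:
    """Observed chain thumbprints that are absent from the provider's configured list.

    A non-empty result means some token validations will fail with
    'HTTPS certificate doesn't match configured thumbprint'.
    """
    known = {c.lower() for c in configured}
    return [o for o in observed if o.lower() not in known]


def fetch_chain_pem(host: str, port: int = 443) -> str:
    """Live step (not exercised offline): dump the served chain with openssl.

    Assumes the openssl CLI is installed. Run it several times: a load-balanced
    issuer may hand out different chains on different connections.
    """
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input="", capture_output=True, text=True, timeout=15, check=False,
    )
    return proc.stdout


def _fake_pem(payload: bytes) -> str:
    # Constructed placeholder: wraps arbitrary bytes as a PEM block for offline demo.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed two-certificate "chain": leaf first, top-most cert last.
FAKE_BUNDLE = (
    _fake_pem(b"constructed certificate A, not real DER")
    + _fake_pem(b"constructed certificate B, not real DER")
)


if __name__ == "__main__":
    print("top-most thumbprint of constructed chain:", provider_thumbprint(FAKE_BUNDLE))
    # Simulate the failure mode from the post: only one of GitHub's two
    # thumbprints was extracted, so the other chain is unlisted.
    configured_by_extraction = [GITHUB_THUMBPRINTS[0]]
    print("missing:", missing_thumbprints(GITHUB_THUMBPRINTS, configured_by_extraction))
```

For a live check, call `chain_thumbprints(fetch_chain_pem("token.actions.githubusercontent.com"))` repeatedly, collect the last element of each result, and pass the distinct set to `missing_thumbprints` together with the list in your `github_actions_openid_connect_provider_thumbprint_list`; any entry it returns is a chain that a Terraform-time extraction from one connection would have missed.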