Extract OIDC provider thumbprint given an AWS EKS cluster name

oidc-thumbprint.sh

#!/bin/bash

set -e

if [ ! -z "$DEBUG" ] ; then
    set -x
fi

CLUSTER_NAME=$1

# Get cluster OIDC Provider for the cluster using AWS CLI
OIDC_PROVIDER=$(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.identity.oidc.issuer" --output text)

# Ask OIDC Provider for JWKS host (remove schema and path with sed)
JWKS_URI=$(curl -s ${OIDC_PROVIDER}/.well-known/openid-configuration | jq -r '.jwks_uri' | sed -e "s/^https:\/\///" | sed 's/\/.*//')

# Extract all certificates in separate files
# https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux
TEMP=$(mktemp -d -t oidc-eks-XXXX)
openssl s_client -servername $JWKS_URI -showcerts -connect $JWKS_URI:443 < /dev/null 2>/dev/null | awk -v dir="$TEMP" '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{ if(/BEGIN/){a++}; out=dir"/cert00"a".crt"; print >out }'

# Assume last found certificate in chain is the ROOT_CA
ROOT_CA=$(ls -1 $TEMP/* | tail -1)

# Extract fingerprint in desired format (no header, no colons)
THUMBPRINT=$(openssl x509 -fingerprint -noout -in $ROOT_CA | sed 's/^.*=//' | sed 's/://g')

printf '{"thumbprint": "%s"}\n' $THUMBPRINT

rm -rf $TEMP

Thanks for this most helpful.

Although testing this, I did notice that what you get back in JWKS_URI seems to match the domain part of OIDC_PROVIDER, oidc.eks.eu-west-1.amazonaws.com in my case.

Not sure if that is always the case though.

Hey there, I am glad you find it of some use.

I am not sure either. I also wrote this one, from which it seems that the THUMBPRINT is actually the same for all regions: https://gist.github.com/riccardomc/a3891356b09516ab3f3b79a12e9b13e1

Just need to the same in a lambda now lol

In case you are interested Python version to do the same, https://gist.github.com/alastairhm/a2b1b5e6adde9d9626d84e531adf39ed