aws-cdk-lib.aws_iam.OpenIdConnectProvider

class OpenIdConnectProvider (construct)

LanguageType name
.NETAmazon.CDK.AWS.IAM.OpenIdConnectProvider
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsiam#OpenIdConnectProvider
Javasoftware.amazon.awscdk.services.iam.OpenIdConnectProvider
Pythonaws_cdk.aws_iam.OpenIdConnectProvider
TypeScript (source)aws-cdk-lib » aws_iam » OpenIdConnectProvider

Implements IConstruct, IDependable, IResource, IOpenIdConnectProvider

IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce.

You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

Example

const provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {
  url: 'https://openid/connect',
  clientIds: [ 'myclient1', 'myclient2' ],
});

Initializer

new OpenIdConnectProvider(scope: Construct, id: string, props: OpenIdConnectProviderProps)

Parameters

  • scope Construct — The definition scope.
  • id string — Construct ID.
  • props OpenIdConnectProviderProps — Initialization properties.

Defines an OpenID Connect provider.

Construct Props

NameTypeDescription
urlstringThe URL of the identity provider.
clientIds?string[]A list of client IDs (also known as audiences).
thumbprints?string[]A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates.

url

Type: string

The URL of the identity provider.

The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com.

You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.


clientIds?

Type: string[] (optional, default: no clients are allowed)

A list of client IDs (also known as audiences).

When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)

You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider.

Client IDs are up to 255 characters long.


thumbprints?

Type: string[] (optional, default: If no thumbprints are specified (an empty array or undefined), the thumbprint of the root certificate authority will be obtained from the provider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html)

A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates.

Typically this list includes only one entry. However, IAM lets you have up to five thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates.

The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.

You must provide at least one thumbprint when creating an IAM OIDC provider. For example, assume that the OIDC provider is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. In that case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com.

Properties

NameTypeDescription
envResourceEnvironmentThe environment this resource belongs to.
nodeNodeThe tree node.
openIdConnectProviderArnstringThe Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
openIdConnectProviderIssuerstringThe issuer for OIDC Provider.
openIdConnectProviderthumbprintsstringThe thumbprints configured for this provider.
stackStackThe stack in which this resource is defined.

env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


node

Type: Node

The tree node.


openIdConnectProviderArn

Type: string

The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.


openIdConnectProviderIssuer

Type: string

The issuer for OIDC Provider.


openIdConnectProviderthumbprints

Type: string

The thumbprints configured for this provider.


stack

Type: Stack

The stack in which this resource is defined.

Methods

NameDescription
applyRemovalPolicy(policy)Apply the given removal policy to this resource.
toString()Returns a string representation of this construct.
static fromOpenIdConnectProviderArn(scope, id, openIdConnectProviderArn)Imports an Open ID connect provider from an ARN.

applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


static fromOpenIdConnectProviderArn(scope, id, openIdConnectProviderArn)

public static fromOpenIdConnectProviderArn(scope: Construct, id: string, openIdConnectProviderArn: string): IOpenIdConnectProvider

Parameters

  • scope Construct — The definition scope.
  • id string — ID of the construct.
  • openIdConnectProviderArn string — the ARN to import.

Returns

  • IOpenIdConnectProvider

Imports an Open ID connect provider from an ARN.