OpenIdConnectProvider
- class aws_cdk.aws_iam.OpenIdConnectProvider(scope, id, *, url, client_ids=None, thumbprints=None)
Bases:
Resource
IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce.
You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don’t want to create custom sign-in code or manage your own user identities.
- See:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
- Resource:
AWS::CloudFormation::CustomResource
- ExampleMetadata:
infused
Example:
provider = iam.OpenIdConnectProvider(self, "MyProvider", url="https://openid/connect", client_ids=["myclient1", "myclient2"] )
Defines an OpenID Connect provider.
- Parameters:
scope (
Construct
) – The definition scope.id (
str
) – Construct ID.url (
str
) – The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider’s OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.client_ids (
Optional
[Sequence
[str
]]) – A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that’s sent as the client_id parameter on OAuth requests.) You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider. Client IDs are up to 255 characters long. Default: - no clients are allowedthumbprints (
Optional
[Sequence
[str
]]) – A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider’s server certificates. Typically this list includes only one entry. However, IAM lets you have up to five thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates. The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string. You must provide at least one thumbprint when creating an IAM OIDC provider. For example, assume that the OIDC provider is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. In that case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com. Default: - If no thumbprints are specified (an empty array orundefined
), the thumbprint of the root certificate authority will be obtained from the provider’s server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
Methods
- apply_removal_policy(policy)
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
The resource can be deleted (
RemovalPolicy.DESTROY
), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN
).- Parameters:
policy (
RemovalPolicy
)- Return type:
None
- to_string()
Returns a string representation of this construct.
- Return type:
str
Attributes
- env
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
- node
The construct tree node associated with this construct.
- open_id_connect_provider_arn
The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
- open_id_connect_provider_issuer
The issuer for OIDC Provider.
- open_id_connect_providerthumbprints
The thumbprints configured for this provider.
- stack
The stack in which this resource is defined.
Static Methods
- classmethod from_open_id_connect_provider_arn(scope, id, open_id_connect_provider_arn)
Imports an Open ID connect provider from an ARN.
- Parameters:
scope (
Construct
) – The definition scope.id (
str
) – ID of the construct.open_id_connect_provider_arn (
str
) – the ARN to import.
- Return type:
- classmethod is_construct(x)
Return whether the given object is a Construct.
- Parameters:
x (
Any
)- Return type:
bool
- classmethod is_resource(construct)
Check whether the given construct is a Resource.
- Parameters:
construct (
IConstruct
)- Return type:
bool