@linglp linglp commented Dec 17, 2025

Problem:

Spacelift authenticates to AWS using OIDC, which allows Spacelift to assume the spacelift-admin-role and deploy resources for us on AWS. When I tried to deploy resources to our staging environment, I encountered the error:

module.sage-aws-eks.module.eks.aws_eks_addon.this["vpc-cni"]: Modifications complete after 35s [id=dpe-k8-staging:vpc-cni]
╷
│ Error: updating IAM OIDC Provider (arn:aws:iam::766808016710:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/A6862702CE6F43346EADA1179CD48D27) thumbprint: operation error IAM: UpdateOpenIDConnectProviderThumbprint, https response error StatusCode: 403, RequestID: 118e0b53-3561-4247-a6ca-d8ccb5cd3c07, api error AccessDenied: User: arn:aws:sts::766808016710:assumed-role/spacelift-admin-role/01KCPPZY8HK2A7TXPMYAJT8F8A@dpe-staging-kubernetes-infrastructure is not authorized to perform: iam:UpdateOpenIDConnectProviderThumbprint on resource: arn:aws:iam::766808016710:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/A6862702CE6F43346EADA1179CD48D27 because no identity-based policy allows the iam:UpdateOpenIDConnectProviderThumbprint action
│ 
│   with module.sage-aws-eks.module.eks.aws_iam_openid_connect_provider.oidc_provider[0],
│   on .terraform/modules/sage-aws-eks.eks/main.tf line 419, in resource "aws_iam_openid_connect_provider" "oidc_provider":
│  419: resource "aws_iam_openid_connect_provider" "oidc_provider" {
│ 
╵

This shows that spacelift-admin-role lacks the iam:UpdateOpenIDConnectProviderThumbprint permission, which is needed to update the list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource.

Solution:

Add the IAM action iam:UpdateOpenIDConnectProviderThumbprint to the spacelift-admin-role policy.

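The AccessDenied message above names exactly two things an identity policy has to cover: the action (iam:UpdateOpenIDConnectProviderThumbprint) and the resource ARN of the EKS OIDC provider. The following is an added example, not code from this PR or from the repository: it parses those two fields out of the error text, then evaluates them against a constructed "before" policy statement (create/get/delete/tag on EKS OIDC providers, which is an assumption; the page does not show the real policy) and an "after" statement with the missing action added, scoped to EKS OIDC provider ARNs rather than `*`. The evaluator implements only the Effect/Action/Resource part of IAM evaluation and none of Condition, NotAction, NotResource, permission boundaries, SCPs or resource policies.

```python
"""Check an IAM identity-based policy against the action/resource from an AccessDenied message.

Added example, not the PR's or the project's own code. Covers only Effect / Action / Resource
(IAM wildcard matching, explicit Deny precedence, implicit deny); Condition, NotAction,
NotResource, permission boundaries, SCPs and resource policies are out of scope.
"""
import re
from typing import Any, Dict, List, Tuple

# The error text quoted in the PR description (role, account and provider ARN are from the page).
ERROR_MESSAGE = (
    "User: arn:aws:sts::766808016710:assumed-role/spacelift-admin-role/01KCPPZY8HK2A7TXPMYAJT8F8A"
    "@dpe-staging-kubernetes-infrastructure is not authorized to perform: "
    "iam:UpdateOpenIDConnectProviderThumbprint on resource: "
    "arn:aws:iam::766808016710:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/"
    "A6862702CE6F43346EADA1179CD48D27 because no identity-based policy allows the "
    "iam:UpdateOpenIDConnectProviderThumbprint action"
)

# Resource pattern that matches EKS-issued OIDC providers in any region, but not other providers
# (for example a GitHub or Google OIDC provider in the same account).
OIDC_PROVIDER_ARN_PATTERN = "arn:aws:iam::*:oidc-provider/oidc.eks.*.amazonaws.com/id/*"

# Constructed stand-in for the statement before the PR (assumption: the real policy is not shown).
POLICY_BEFORE: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageEksOidcProviders",
            "Effect": "Allow",
            "Action": [
                "iam:CreateOpenIDConnectProvider",
                "iam:GetOpenIDConnectProvider",
                "iam:DeleteOpenIDConnectProvider",
                "iam:TagOpenIDConnectProvider",
            ],
            "Resource": OIDC_PROVIDER_ARN_PATTERN,
        }
    ],
}

# The same statement with the action the error asks for, still scoped to EKS OIDC providers.
POLICY_AFTER: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageEksOidcProviders",
            "Effect": "Allow",
            "Action": [
                "iam:CreateOpenIDConnectProvider",
                "iam:GetOpenIDConnectProvider",
                "iam:DeleteOpenIDConnectProvider",
                "iam:TagOpenIDConnectProvider",
                "iam:UpdateOpenIDConnectProviderThumbprint",
            ],
            "Resource": OIDC_PROVIDER_ARN_PATTERN,
        }
    ],
}

_DENIED_RE = re.compile(
    r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message: str) -> Tuple[str, str]:
    """Return (action, resource) from an AWS AccessDenied message, or raise if it has neither."""
    m = _DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an AccessDenied message naming an action and a resource")
    return m.group("action"), m.group("resource")


def _iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character, the rest literal.
    Action names compare case-insensitively; resource ARNs compare case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """An explicit Deny on a matching statement wins; otherwise any matching Allow grants access."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_iam_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    action, resource = parse_access_denied(ERROR_MESSAGE)
    print(f"{action} on {resource}")
    print("before:", "allow" if is_allowed(POLICY_BEFORE, action, resource) else "deny")
    print("after: ", "allow" if is_allowed(POLICY_AFTER, action, resource) else "deny")
```

The local evaluator is only a way to reason about the statement before it is applied; the authoritative check against the real role is `aws iam simulate-principal-policy` with the role ARN, the action and the provider ARN from the error, which also accounts for conditions, boundaries and SCPs that the snippet ignores.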
@linglp linglp requested a review from a team as a code owner December 17, 2025 20:18
@linglp linglp changed the title [DPE-1521] Add IAM policy [DPE-1521] Add IAM permission to update OIDC provider thumbprints Dec 17, 2025
@linglp linglp requested a review from BryanFauble December 17, 2025 20:21
@BryanFauble BryanFauble left a comment

Verified changes and added them to the IAM Policy

@BryanFauble BryanFauble merged commit 983d35d into main Dec 17, 2025
3 checks passed
@BryanFauble BryanFauble deleted the dpe-1521-update-readme branch December 17, 2025 23:25