UNPKG

5.01 kBTypeScriptView Raw
1import { IResource, Resource } from '@aws-cdk/core';
2import { Construct } from 'constructs';
3/**
4 * Represents an IAM OpenID Connect provider.
5 *
6 */
7export interface IOpenIdConnectProvider extends IResource {
8 /**
9 * The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
10 */
11 readonly openIdConnectProviderArn: string;
12 /**
13 * The issuer for OIDC Provider
14 */
15 readonly openIdConnectProviderIssuer: string;
16}
17/**
18 * Initialization properties for `OpenIdConnectProvider`.
19 */
20export interface OpenIdConnectProviderProps {
21 /**
22 * The URL of the identity provider. The URL must begin with https:// and
23 * should correspond to the iss claim in the provider's OpenID Connect ID
24 * tokens. Per the OIDC standard, path components are allowed but query
25 * parameters are not. Typically the URL consists of only a hostname, like
26 * https://server.example.org or https://example.com.
27 *
28 * You cannot register the same provider multiple times in a single AWS
29 * account. If you try to submit a URL that has already been used for an
30 * OpenID Connect provider in the AWS account, you will get an error.
31 */
32 readonly url: string;
33 /**
34 * A list of client IDs (also known as audiences). When a mobile or web app
35 * registers with an OpenID Connect provider, they establish a value that
36 * identifies the application. (This is the value that's sent as the client_id
37 * parameter on OAuth requests.)
38 *
39 * You can register multiple client IDs with the same provider. For example,
40 * you might have multiple applications that use the same OIDC provider. You
41 * cannot register more than 100 client IDs with a single IAM OIDC provider.
42 *
43 * Client IDs are up to 255 characters long.
44 *
45 * @default - no clients are allowed
46 */
47 readonly clientIds?: string[];
48 /**
49 * A list of server certificate thumbprints for the OpenID Connect (OIDC)
50 * identity provider's server certificates.
51 *
52 * Typically this list includes only one entry. However, IAM lets you have up
53 * to five thumbprints for an OIDC provider. This lets you maintain multiple
54 * thumbprints if the identity provider is rotating certificates.
55 *
56 * The server certificate thumbprint is the hex-encoded SHA-1 hash value of
57 * the X.509 certificate used by the domain where the OpenID Connect provider
58 * makes its keys available. It is always a 40-character string.
59 *
60 * You must provide at least one thumbprint when creating an IAM OIDC
61 * provider. For example, assume that the OIDC provider is server.example.com
62 * and the provider stores its keys at
63 * https://keys.server.example.com/openid-connect. In that case, the
64 * thumbprint string would be the hex-encoded SHA-1 hash value of the
65 * certificate used by https://keys.server.example.com.
66 *
67 * @default - If no thumbprints are specified (an empty array or `undefined`),
68 * the thumbprint of the root certificate authority will be obtained from the
69 * provider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
70 */
71 readonly thumbprints?: string[];
72}
73/**
74 * IAM OIDC identity providers are entities in IAM that describe an external
75 * identity provider (IdP) service that supports the OpenID Connect (OIDC)
76 * standard, such as Google or Salesforce. You use an IAM OIDC identity provider
77 * when you want to establish trust between an OIDC-compatible IdP and your AWS
78 * account. This is useful when creating a mobile app or web application that
79 * requires access to AWS resources, but you don't want to create custom sign-in
80 * code or manage your own user identities.
81 *
82 * @see http://openid.net/connect
83 * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
84 *
85 * @resource AWS::CloudFormation::CustomResource
86 */
87export declare class OpenIdConnectProvider extends Resource implements IOpenIdConnectProvider {
88 /**
89 * Imports an Open ID connect provider from an ARN.
90 * @param scope The definition scope
91 * @param id ID of the construct
92 * @param openIdConnectProviderArn the ARN to import
93 */
94 static fromOpenIdConnectProviderArn(scope: Construct, id: string, openIdConnectProviderArn: string): IOpenIdConnectProvider;
95 /**
96 * The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
97 */
98 readonly openIdConnectProviderArn: string;
99 readonly openIdConnectProviderIssuer: string;
100 /**
101 * The thumbprints configured for this provider.
102 */
103 readonly openIdConnectProviderthumbprints: string;
104 /**
105 * Defines an OpenID Connect provider.
106 * @param scope The definition scope
107 * @param id Construct ID
108 * @param props Initialization properties
109 */
110 constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps);
111 private getOrCreateProvider;
112}