This repository has been archived by the owner on Nov 5, 2024. It is now read-only.

CreateOpenIDConnectProviderInput should not require a thumbprint list (ThumbprintList) #563

Closed
sevesalm opened this issue Jul 15, 2023 · 3 comments
Labels
bug Something isn't working iam service-api This issue pertains to the AWS API

Comments

@sevesalm

CreateOpenIDConnectProviderInput currently requires a non-empty thumbprint list

https://docs.aws.amazon.com/sdk-for-go/api/service/iam/#CreateOpenIDConnectProviderInput

The same requirement is in the API:

https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html

You must provide at least one thumbprint when creating an IAM OIDC provider.

However, since July 6th AWS no longer requires these thumbprints (at least for GitHub) as was communicated by this message:

Starting July 6, 2023, AWS began securing communication with GitHub’s OIDC identity provider (IdP) using our library of trusted root Certificate Authorities instead of using a certificate thumbprint to verify the IdP’s server certificate. This approach ensures that your GitHub OIDC configuration behaves correctly without disruption during future certificate rotations and changes. With this new validation approach in place, your legacy thumbprint(s) will remain in your configuration but will no longer be needed for validation purposes.

So: this parameter should be optional.

@jmklix
Member

jmklix commented Aug 1, 2023

P95760549

@jmklix
Member

jmklix commented Oct 30, 2024

Thumbprints are now optional.

This parameter is optional. If it is not included, IAM will retrieve and use the top intermediate certificate authority (CA) thumbprint of the OpenID Connect identity provider server certificate.

@jmklix jmklix closed this as completed Oct 30, 2024
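The thread turns on what a ThumbprintList entry actually is (the SHA-1 of the IdP's top intermediate CA certificate in DER form) and why pinning it is brittle: rotating the intermediate changes the pin, while a chain check against a trusted root still succeeds. The Go program below is an added example, not code from aws-sdk-go or from this issue; it builds a constructed three-level chain in memory, computes the IAM-format thumbprint, and runs the legacy pin check beside the trust-store check before and after a simulated rotation. The CA names, the hostname oidc.example.test and the must helper are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep the demo short; a real service would return the error.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// iamThumbprint: 40-hex-char SHA-1 of the DER certificate, the format IAM expects in ThumbprintList.
func iamThumbprint(c *x509.Certificate) string { s := sha1.Sum(c.Raw); return hex.EncodeToString(s[:]) }
// newCert issues a constructed test certificate for cn, signed by parent (self-signed when parent is nil).
func newCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pkey))
	return must(x509.ParseCertificate(der)), key
}
// validate runs the legacy pin check (issuing-CA thumbprint) beside the trust-store chain check AWS moved to.
func validate(pinned string, root, issuer, leaf *x509.Certificate) (pinOK, chainOK bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: inters})
	return iamThumbprint(issuer) == pinned, err == nil
}
// RotationDemo pins the 2023 issuing CA, then rotates it under the same root: the pin breaks, the chain still validates.
func RotationDemo() (pinBefore, chainBefore, pinAfter, chainAfter bool) {
	root, rootKey := newCert("root-ca.example.test", true, nil, nil)
	ca1, ca1Key := newCert("issuing-ca-2023.example.test", true, root, rootKey)
	leaf1, _ := newCert("oidc.example.test", false, ca1, ca1Key)
	pinBefore, chainBefore = validate(iamThumbprint(ca1), root, ca1, leaf1)
	ca2, ca2Key := newCert("issuing-ca-2024.example.test", true, root, rootKey) // rotation: new CA key, same root
	leaf2, _ := newCert("oidc.example.test", false, ca2, ca2Key)
	pinAfter, chainAfter = validate(iamThumbprint(ca1), root, ca2, leaf2)
	return
}
func main() { fmt.Println(RotationDemo()) } // true true false true
```

The last two booleans are the point of the October 2024 change: once IAM validates against its trusted root CAs, a stale thumbprint left in the provider configuration no longer affects whether the IdP's certificate is accepted.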