
Error in IAM UpdateOpenIDConnectProviderThumbprint #2450

@BrianKopp

Describe the bug
Error updating OpenIDConnectProvider if spec.thumbprint is empty. The ACK IAM controller is detecting some state change in the thumbprint and deciding that the desired state has changed.

Steps to reproduce
Create an OpenIDConnectProvider without any thumbprints array. E.g.

spec:
  clientIDs:
  - sts.amazonaws.com
  url: https://<some-bucket>.s3.amazonaws.com

Expected outcome
Since the OpenIDConnectProvider was created just fine, I don't know why it wants to run this UpdateOpenIDConnectProviderThumbprint command. Shouldn't this be a no-op?

The only place I see this command in the code (maybe I'm not looking in the correct place) is in pkg/resource/open_id_connect_provider/hooks.go at customUpdateOpenIDConnectProvider here.

Looking at the resource in AWS, I DO see a Thumbprint in the list, even though we didn't specify a thumbprint when we created the resource. AWS populated this automatically. So when the ACK sees a diff in the deployed resource and the spec in k8s, it wants to update the thumbprint, but there's no thumbprint list, so it throws this error.

Environment

  • Kubernetes version - 1.32
  • Using EKS (yes/no), if so version? - Yes - eks.6
  • AWS service targeted (S3, RDS, etc.) - IAM
  • ACK IAM version - 1.3.19

{
  "level": "info",
  "ts": "2025-05-01T17:31:34.640Z",
  "logger": "ackrt",
  "msg": "desired resource state has changed",
  "kind": "OpenIDConnectProvider",
  "namespace": "<namespace>",
  "name": "<resource-name>",
  "account": "<account-id>",
  "role": "",
  "region": "us-west-2",
  "is_adopted": false,
  "generation": 1,
  "diff": [
    {
      "Path": {
        "Parts": [
          "Spec",
          "Thumbprints"
        ]
      },
      "A": null,
      "B": [
        "<some-thumbprint>"
      ]
    }
  ]
}
{
  "level": "error",
  "ts": "2025-05-01T17:31:34.651Z",
  "msg": "Reconciler error",
  "controller": "openidconnectprovider",
  "controllerGroup": "iam.services.k8s.aws",
  "controllerKind": "OpenIDConnectProvider",
  "OpenIDConnectProvider": {
    "name": "<resource-name>",
    "namespace": "<namespace>"
  },
  "namespace": "<namespace>",
  "name": "<resource-name>",
  "reconcileID": "c58e518f-5185-48e6-a507-8fcb31ef853a",
  "error": "operation error IAM: UpdateOpenIDConnectProviderThumbprint, 1 validation error(s) found.\n- missing required field, UpdateOpenIDConnectProviderThumbprintInput.ThumbprintList.\n",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:255"
}
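The failure mode described in the report (desired `Spec.Thumbprints` is nil, AWS has populated one, the diff triggers an update that the API rejects because `ThumbprintList` is required) can be avoided with a guard in front of the update call. The following is an added example in Go and is not the ACK IAM controller's code: it assumes a hypothetical narrow interface `thumbprintUpdater` standing in for the IAM client, a fake client that reproduces the validation error shown in the log, and constructed ARN and thumbprint values. An empty desired list is treated as "not managed by the manifest", comparison is order- and case-insensitive so harmless differences do not register as drift, and the API is only called when a non-empty desired set really differs from what AWS holds.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// thumbprintUpdater is a hypothetical, narrow stand-in for the IAM client:
// only the one call the hook needs, so the guard can run without the AWS SDK.
type thumbprintUpdater interface {
	UpdateOpenIDConnectProviderThumbprint(ctx context.Context, arn string, thumbprints []string) error
}

// normalize lower-cases, trims and sorts so hex case and ordering
// are not reported as drift.
func normalize(in []string) []string {
	out := make([]string, 0, len(in))
	for _, t := range in {
		out = append(out, strings.ToLower(strings.TrimSpace(t)))
	}
	sort.Strings(out)
	return out
}

// thumbprintsDiffer reports whether desired and latest differ as sets.
func thumbprintsDiffer(desired, latest []string) bool {
	d, l := normalize(desired), normalize(latest)
	if len(d) != len(l) {
		return true
	}
	for i := range d {
		if d[i] != l[i] {
			return true
		}
	}
	return false
}

// syncThumbprints is the guarded update step. It returns whether an API
// call was made. An empty desired list leaves the AWS-populated value alone
// instead of sending an empty ThumbprintList, which the API rejects.
func syncThumbprints(ctx context.Context, c thumbprintUpdater, arn string, desired, latest []string) (bool, error) {
	if len(desired) == 0 {
		return false, nil
	}
	if !thumbprintsDiffer(desired, latest) {
		return false, nil
	}
	if err := c.UpdateOpenIDConnectProviderThumbprint(ctx, arn, desired); err != nil {
		return false, fmt.Errorf("update thumbprints for %s: %w", arn, err)
	}
	return true, nil
}

// fakeIAM records calls and mimics the server-side validation from the log.
type fakeIAM struct {
	calls [][]string
}

func (f *fakeIAM) UpdateOpenIDConnectProviderThumbprint(_ context.Context, _ string, thumbprints []string) error {
	if len(thumbprints) == 0 {
		return errors.New("missing required field, UpdateOpenIDConnectProviderThumbprintInput.ThumbprintList")
	}
	f.calls = append(f.calls, thumbprints)
	return nil
}

func main() {
	ctx := context.Background()
	// Constructed values; not a real provider or thumbprint.
	arn := "arn:aws:iam::123456789012:oidc-provider/example-bucket.s3.amazonaws.com"
	awsPopulated := []string{"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

	c := &fakeIAM{}
	called, err := syncThumbprints(ctx, c, arn, nil, awsPopulated)
	fmt.Println("empty desired (the reported case):", called, err)

	called, err = syncThumbprints(ctx, c, arn, []string{"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}, awsPopulated)
	fmt.Println("same set, different case:", called, err)

	called, err = syncThumbprints(ctx, c, arn, []string{"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}, awsPopulated)
	fmt.Println("real drift:", called, err, "calls made:", len(c.calls))
}
```

Treating an empty `spec.thumbprints` as unmanaged stops the reconcile loop from re-sending an empty list, but it also means the controller enforces no pin of its own: whatever thumbprint AWS populated is accepted as-is. If the manifest should pin the issuer's CA thumbprint, set `spec.thumbprints` explicitly; the drift check above then restores it whenever the provider-side value changes.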

Labels: kind/bug, service/iam