The cloud landscape is ever-evolving, with providers like AWS constantly updating their infrastructure to stay ahead of the curve. However, this rapid pace of innovation can sometimes lead to unforeseen challenges for developers relying on third-party tools integrated with these platforms. One such instance is the unexpected impact of GitLab’s TLS certificate update on AWS users utilizing GitLab’s OpenID Connect (OIDC) for authentication.

The Unforeseen Impact of GitLab’s TLS Certificate Update

In a routine security enhancement, GitLab updated its TLS certificate. While this is standard practice for ensuring secure connections, it unexpectedly caused issues for AWS users who had integrated GitLab’s OIDC with their cloud infrastructure. AWS OIDC authentication relies on verifying the TLS certificate thumbprint to establish trust between the identity provider (GitLab) and the consumer (AWS). When GitLab updated its certificate, the thumbprint changed. AWS users were caught off guard as their authentication processes began to fail, disrupting CI/CD pipelines and other automated processes.

Initial Challenges Faced by AWS Users Utilizing GitLab’s OIDC

The sudden change in thumbprint meant that AWS users had to manually update their AWS OIDC configurations to reflect the new thumbprint. This was not only time-consuming but also prone to human error. For enterprises with multiple accounts and regions, the scale of the task became overwhelming, causing significant downtime and operational challenges.

Crafting a Solution: The Lambda Function Approach

With these challenges, developers quickly realized that a custom solution was necessary to automate updating the OIDC certificate thumbprint. The idea was to create an AWS Lambda function that would periodically check GitLab’s TLS certificate thumbprint and update the AWS OIDC configuration automatically, thus minimizing downtime and reducing the risk of human error.

Developing an AWS Lambda Function to Automate OIDC Certificate Thumbprint Updates

The AWS Lambda function was designed to perform the following tasks:

  1. Fetch the Current Thumbprint: The function would fetch the latest TLS certificate from GitLab’s OIDC endpoint and extract the thumbprint.
  2. Compare with Existing Thumbprint: The fetched thumbprint will then be compared with the existing one configured in AWS.
  3. Update if Necessary: If the thumbprints do not match, the function will update the AWS OIDC configuration with the new thumbprint.

Technical Dive: Inside the Lambda Function

The Lambda function was built using Python, leveraging the boto3 library for AWS API interactions. Here’s a breakdown of the core components:

  1. Fetching the Thumbprint: The script utilized the requests library to pull the certificate from GitLab’s OIDC endpoint. Converting the certificate to a SHA-256 hash derived the thumbprint.
  2. AWS OIDC Configuration Update: Using boto3, the script accessed the AWS IAM service and updated the thumbprint for the specified OIDC provider.
  3. Error Handling and Logging: The function included robust error handling to manage network issues, unauthorized access, or incorrect configurations, ensuring that any failure could be quickly diagnosed and addressed.

Deployment and Automation with AWS CDK

To streamline deployment and ensure consistent execution, the AWS Cloud Development Kit (CDK) was utilized. AWS CDK allowed developers to define the Lambda function, its associated roles, and scheduled events (via Amazon CloudWatch Events) in code, enabling version-controlled infrastructure as code (IaC) deployments. This approach made it easy to deploy the Lambda function across multiple environments and ensure it ran regularly without manual intervention.

Leveraging AWS CDK for Efficient Deployment and Scheduled Execution of the Lambda Function

With AWS CDK, deploying the Lambda function became a breeze. Developers could define the infrastructure in a high-level language like TypeScript or Python, making it more readable and easier to maintain. The CDK constructs handled the complexities of IAM roles, permissions, and event scheduling, allowing the team to focus on the function’s logic.

The Twist: AWS’s Proactive Adaptation

As the custom solution was deployed and tested, AWS announced an update that would automatically handle OIDC thumbprint changes for approved identity providers like GitLab. This proactive adaptation by AWS rendered the custom Lambda solution redundant almost overnight. While this update was a welcome relief, it highlighted a common challenge in cloud development: the rapid pace of platform evolution can quickly outdate even the most innovative custom solutions.

Reflecting on the Nature of Cloud Development

This experience serves as a valuable lesson in cloud development. While building custom solutions is often necessary to address immediate challenges, staying informed about the provider’s roadmap and upcoming features is essential. The cloud environment is dynamic, and what’s relevant today might be obsolete tomorrow.

The Irony of Innovation: Balancing Custom Solutions with Cloud Provider Advancements

The irony of this situation lies in the tension between innovation and obsolescence. On one hand, developers must innovate to solve problems cloud providers haven’t yet addressed. On the other hand, these solutions may become redundant as providers continuously enhance their platforms. The key takeaway is that while custom solutions are vital, they should be built with the understanding that they may have a limited lifespan.

Conclusion

In a world where cloud platforms are rapidly evolving, being agile and adaptable is crucial. While custom solutions significantly bridge gaps, staying aligned with the provider’s updates ensures that efforts are not wasted. The journey of overcoming AWS’s rapid evolution with a custom solution, only to have it rendered unnecessary by a provider update, underscores the dynamic nature of cloud development.

References

Accelerate your cloud journey with AWS

AWS Support Customer Testimonials