Have you ever drawn some wonderful tabular data on a piece of paper and thought, “Wouldn’t it be nice if I could run an SQL query on this”?

Have you ever wondered if the animals in George Orwell’s Animal Farm could have benefited from AWS to categorise which animals were good or bad using only serverless components?

If you answered yes to at least one of these questions, then have I got a story for you.

TL;DR: Yes, it can be done! Draw table -> Scan it -> Use Amazon Textract to convert to CSV -> Upload CSV to S3 -> Run a Glue crawler -> Query table using Athena -> Success. …

…and were they working fine yesterday?

Are you now getting the following error in your applications, “An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: OpenIDConnect provider’s HTTPS certificate doesn’t match configured thumbprint”?

If so, then it was likely misconfigured in the beginning, but we can fix this! So read on…

Why it suddenly stopped working

As the error suggests, the HTTPS certificate doesn’t match the configured thumbprint. Or at least it doesn’t match anymore, likely because the certificate expired.

When configuring EKS IAM roles for service accounts (IRSA), one of the first steps is to create an OIDC Identity Provider in IAM, which requires a CA thumbprint. If you do this through the AWS console, then AWS populates the CA thumbprint for you. …


Michael Kandelaars

Platform Engineer. Shoots for the sky, builds for the cloud
