aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

CreateOpenIDConnectProviderInput should not require a thumbprint list (ThumbprintList) #563

Open sevesalm opened 11 months ago

sevesalm commented 11 months ago

CreateOpenIDConnectProviderInput currently requires a non-empty thumbprint list

https://docs.aws.amazon.com/sdk-for-go/api/service/iam/#CreateOpenIDConnectProviderInput

The same requirement is in the API:

https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html

You must provide at least one thumbprint when creating an IAM OIDC provider.

However, since July 6th AWS no longer requires these thumbprints (at least for GitHub) as was communicated by this message:

Starting July 6, 2023, AWS began securing communication with GitHub’s OIDC identity provider (IdP) using our library of trusted root Certificate Authorities instead of using a certificate thumbprint to verify the IdP’s server certificate. This approach ensures that your GitHub OIDC configuration behaves correctly without disruption during future certificate rotations and changes. With this new validation approach in place, your legacy thumbprint(s) will remain in your configuration but will no longer be needed for validation purposes.

So: this parameter should be optional.
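As an added example (not code from this issue or from the SDK), here is what the value the SDK still insists on actually is, using only the Go standard library: an IAM OIDC thumbprint is the SHA-1 digest of a certificate's DER encoding as lowercase hex, and the list builder refuses an empty result the same way the SDK input currently does. The certificate is a constructed self-signed one and the function names are my own, not the SDK's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Thumbprint is the value IAM expects in ThumbprintList: the SHA-1 digest
// of the certificate's DER encoding, as 40 lowercase hex characters.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// ThumbprintListFromPEM turns a PEM bundle into a ThumbprintList and, like the
// SDK's input validation today, refuses to return an empty list.
func ThumbprintListFromPEM(bundle []byte) ([]string, error) {
	var out []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM blocks in the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, Thumbprint(cert))
	}
	if len(out) == 0 {
		return nil, errors.New("ThumbprintList must contain at least one thumbprint")
	}
	return out, nil
}

// ConstructedCertPEM builds a throwaway self-signed certificate (a constructed
// sample, not any real IdP's certificate) so the example runs offline.
func ConstructedCertPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```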

jmklix commented 11 months ago

P95760549