Status: Open
Labels: enhancement (New feature or request)
Description:
Currently, Forge runners (EC2 and EKS/ARC) rely on IAM roles within a single AWS account. We want to expand support so runners can be deployed outside AWS (e.g., OpenStack, Azure, GCP) while still maintaining:
- A centralized Forge control plane in AWS
- Tenant-level isolation and security
- Trust relationships with other AWS accounts
By using [AWS IAM Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html), we can:
- Allow Forge to issue short-lived credentials for ephemeral runners outside AWS
- Keep control plane operations centralized in one AWS account per tenant
- Maintain existing security posture for deployments and cross-account trust
- Support a multi-cloud runner strategy (EC2, ARC/EKS, VMs on OpenStack, Azure, GCP) with a consistent deployment module similar to Philips Labs ephemeral instances
Acceptance Criteria:
- Runners (EC2, ARC/EKS, or VMs in other clouds) can authenticate using IAM Roles Anywhere.
- Central control plane in AWS continues to manage deployments, tenants, and trust relationships.
- Security and isolation per tenant are preserved.
- Deployment modules are updated or created to support ephemeral runners in multiple clouds with IAM Roles Anywhere.
- Documentation and examples for multi-cloud ephemeral runner deployment included.
References / Inspirations:
- Philips Labs ephemeral instance patterns for multi-cloud deployments
- Forge control plane architecture for centralized management and tenant isolation
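The per-tenant plumbing the items above describe, written out as an added Terraform example. This is not Forge project code and not the Philips Labs module; the resource names, the `tenant` variable, the CA bundle path, the certificate paths on the runner, and the use of the certificate subject OU as the tenant discriminator are all assumptions for illustration.

```hcl
# Added example (not Forge project code): IAM Roles Anywhere setup for ONE tenant.
# Assumptions: a per-tenant private CA whose PEM bundle is at var.ca_bundle_pem,
# runner certs issued by that CA with OU=<tenant id>, and the runner keeping its
# cert/key at /etc/forge/runner.{crt,key}.

variable "tenant"        { default = "tenant-a" }         # assumed tenant identifier
variable "ca_bundle_pem" { default = "./tenant-a-ca.pem" } # assumed path to the tenant CA (PEM)

# Trust anchor: the tenant's private CA. Only certificates chaining to this CA
# can be exchanged for credentials through this anchor.
resource "aws_rolesanywhere_trust_anchor" "runners" {
  name    = "forge-${var.tenant}-runners"
  enabled = true
  source {
    source_type = "CERTIFICATE_BUNDLE"
    source_data {
      x509_certificate_data = file(var.ca_bundle_pem)
    }
  }
}

# Trust policy for the runner role. Two conditions give the tenant isolation:
#  - aws:SourceArn pins the request to THIS tenant's trust anchor, so a cert from
#    another tenant's CA (a different anchor) is rejected even if the role ARN leaks;
#  - aws:PrincipalTag/x509Subject/OU pins the certificate subject OU, which
#    Roles Anywhere maps from the cert into a principal tag at session creation.
# sts:TagSession and sts:SetSourceIdentity are required alongside sts:AssumeRole
# for the Roles Anywhere service principal.
data "aws_iam_policy_document" "runner_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]
    principals {
      type        = "Service"
      identifiers = ["rolesanywhere.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_rolesanywhere_trust_anchor.runners.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalTag/x509Subject/OU"
      values   = [var.tenant]
    }
  }
}

resource "aws_iam_role" "runner" {
  name               = "forge-${var.tenant}-runner"
  assume_role_policy = data.aws_iam_policy_document.runner_trust.json
  # Permissions the runner actually needs are attached separately (not shown);
  # keep them as narrow as the deployment work requires.
}

# Profile: which roles a cert vouched for by the anchor may assume, and the
# lifetime of the vended credentials. 900 s is the minimum; short lifetimes suit
# ephemeral runners, since a stolen credential expires with the job.
resource "aws_rolesanywhere_profile" "runners" {
  name             = "forge-${var.tenant}-runners"
  enabled          = true
  role_arns        = [aws_iam_role.runner.arn]
  duration_seconds = 900
}

# What the runner puts in ~/.aws/config as credential_process. aws_signing_helper
# is the AWS-provided helper that signs the CreateSession request with the
# runner's private key; the cert/key paths are assumed.
output "runner_credential_process" {
  value = join(" ", [
    "aws_signing_helper credential-process",
    "--certificate /etc/forge/runner.crt",
    "--private-key /etc/forge/runner.key",
    "--trust-anchor-arn ${aws_rolesanywhere_trust_anchor.runners.arn}",
    "--profile-arn ${aws_rolesanywhere_profile.runners.arn}",
    "--role-arn ${aws_iam_role.runner.arn}",
  ])
}
```

Repeating this module once per tenant (one CA, one anchor, one profile, one role each) is what keeps tenants apart: the anchor ARN condition means no tenant's CA can mint a certificate that is accepted for another tenant's role, and the OU condition catches a mis-issued cert within a tenant's own CA. On the runner side, nothing beyond the credential_process line changes between EC2, ARC/EKS and a VM on OpenStack, Azure or GCP, which is what makes the same deployment module reusable across clouds. Before relying on the subject OU mapping, confirm in the Roles Anywhere trust policy documentation that the attribute you pin is among the mapped certificate attributes.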