Support authenticating to AWS using JWT SVIDs and AssumeRoleWithWebIdentity #3

Open
strideynet opened this issue Nov 8, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@strideynet
Collaborator

Today, you can use JWT SVIDs to authenticate to AWS using OIDC federation. However, this has a key limitation: the JWT must be written to the filesystem where it can be read by the AWS SDK, and then its location must be provided via the AWS_WEB_IDENTITY_TOKEN_FILE environment variable or web_identity_token_file configuration option.

I suggest that we add a new subcommand which:

  • Fetches a JWT SVID from the Workload API
  • Exchanges this for an AWS access/secret token using AssumeRoleWithWebIdentity
  • Returns this to STDOUT in the format accepted by the AWS CLI and SDK for a credential process.

This has the following advantages over the existing flow:

  • JWT SVID is not written to the filesystem
  • JWT SVID can be generated just-in-time when the AWS SDK needs to generate credentials, rather than unnecessarily re-written to disk.
@strideynet strideynet added the enhancement New feature or request label Nov 8, 2024
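The flow proposed above, as an added illustration that is not code from this issue or the project: the Workload API client and boto3's `sts.assume_role_with_web_identity` are replaced by injected stand-ins so it runs offline, and the sample SVID, STS reply, role ARN and audience are constructed. The SVID is checked for the expected audience before it is exchanged and never leaves memory, and the result is shaped as the JSON a `credential_process` must print.

```python
import base64
import json
from datetime import datetime, timezone

def _b64url(obj):
    # base64url-encode a JSON object without padding, as JWT segments are
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_audiences(token):
    # Read the aud claim without verifying the signature: STS verifies it, this
    # only stops us handing AWS a token that was minted for another audience.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)

def credential_process_output(sts_response):
    # Shape an AssumeRoleWithWebIdentity response as credential_process JSON
    creds = sts_response["Credentials"]
    return {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%SZ"),
    }

def assume_role_with_svid(fetch_jwt_svid, assume_role_with_web_identity, role_arn, audience, session_name):
    # fetch_jwt_svid stands in for a Workload API client, assume_role_with_web_identity
    # for boto3's sts.assume_role_with_web_identity; the SVID stays in memory only.
    token = fetch_jwt_svid(audience)
    if audience not in jwt_audiences(token):
        raise ValueError("JWT SVID audience does not match the IAM OIDC provider audience")
    resp = assume_role_with_web_identity(RoleArn=role_arn, RoleSessionName=session_name, WebIdentityToken=token)
    return credential_process_output(resp)

# Constructed stand-ins: an unsigned sample SVID and a canned STS reply (hypothetical values)
SAMPLE_SVID = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                        _b64url({"sub": "spiffe://example.org/workload", "aud": ["sts.amazonaws.com"], "exp": 1731070800}),
                        "c2lnbmF0dXJl"])

def fake_workload_api(audience):
    return SAMPLE_SVID

def fake_sts(RoleArn, RoleSessionName, WebIdentityToken):
    return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret", "SessionToken": "token",
                            "Expiration": datetime(2024, 11, 8, 13, 0, tzinfo=timezone.utc)}}

def demo():
    return assume_role_with_svid(fake_workload_api, fake_sts, "arn:aws:iam::123456789012:role/Example",
                                 "sts.amazonaws.com", "spiffe-workload")
```

A real subcommand would print `json.dumps(demo())` to STDOUT and be wired in via `credential_process` in the AWS config profile.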