top | item 42551310

(no title)

A "correct" implementation would give you a temporary IAM role or something (STS) based on a JWT or other authn mechanism.

This is not that difficult if you're already invested in an identity ecosystem, but a right pain without something to bootstrap it.

On the plus side, AWS creds can be made to be temporary and limited in scope to just the nouns/verbs required. Creating and vending those tokens is an exercise for the reader.

discuss

420official|1 year ago

It really isn't that challenging to get going with JWT auth in AWS. Gitlab has pretty good documentation for how to use Gitlab ID tokens to assume roles that includes everything other than how to generate a JWT here: https://docs.gitlab.com/ee/ci/cloud_services/aws/

And of course generating OIDC PKI JWTs is pretty easy and well documented elsewhere.

The harder parts in my mind are:

  - Updating this OSS project to serve a JWK from OIDC .well-known
  - Convincing people that this method of authn is safe and that those keys are securely stored

rohitghumare|1 year ago

I completely Agree on this point. I have this in mind for implementation. For now, I'm focusing on bringing more cloud providers.