
Support authenticating to AWS using JWT SVIDs and AssumeRoleWithWebIdentity #3

Open
@strideynet

Description

Today, you can use JWT SVIDs to authenticate to AWS using OIDC federation. However, this has a key limitation: the JWT must be written to the filesystem where it can be read by the AWS SDK, and then its location must be provided via the AWS_WEB_IDENTITY_TOKEN_FILE environment variable or web_identity_token_file configuration option.

I suggest that we add a new subcommand which:

  • Fetches a JWT SVID from the Workload API
  • Exchanges this for an AWS access/secret token using AssumeRoleWithWebIdentity
  • Returns this to STDOUT in the format accepted by the AWS CLI and SDK for a credential process.

This has the following advantages over the existing flow:

  • JWT SVID is not written to the filesystem
  • JWT SVID can be generated just-in-time when the AWS SDK needs to generate credentials, rather than unnecessarily re-written to disk.
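As an added illustration of the proposed subcommand (example code, not part of this issue or the project), the sketch below performs the exchange step and emits the credential_process shape. It assumes the caller obtains the JWT SVID from the Workload API client in memory and passes it in; the STS endpoint, role ARN and sample response are constructed assumptions.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_ENDPOINT = "https://sts.amazonaws.com/"
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"


def build_assume_role_body(role_arn: str, session_name: str, jwt_svid: str) -> bytes:
    # AssumeRoleWithWebIdentity is an unsigned STS call: the JWT SVID is the
    # only credential sent, so no AWS keys are needed to bootstrap.
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": jwt_svid,
    }).encode()


def sts_response_to_credential_process(xml_body: bytes) -> dict:
    # Map the STS XML response onto the JSON document the AWS CLI/SDK
    # credential_process contract expects (Version 1 plus four fields).
    creds = ET.fromstring(xml_body).find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("STS response contains no Credentials element")
    return {
        "Version": 1,
        "AccessKeyId": creds.findtext(f"{STS_NS}AccessKeyId"),
        "SecretAccessKey": creds.findtext(f"{STS_NS}SecretAccessKey"),
        "SessionToken": creds.findtext(f"{STS_NS}SessionToken"),
        # ISO 8601; the SDK re-runs the process before this time passes
        "Expiration": creds.findtext(f"{STS_NS}Expiration"),
    }


def exchange(role_arn: str, session_name: str, jwt_svid: str,
             endpoint: str = STS_ENDPOINT) -> dict:
    # jwt_svid is fetched just-in-time by the caller and only held in memory;
    # nothing is written to the filesystem at any point.
    req = urllib.request.Request(
        endpoint, data=build_assume_role_body(role_arn, session_name, jwt_svid),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return sts_response_to_credential_process(resp.read())


# Constructed sample STS response (no real credentials) for offline checks.
SAMPLE_STS_RESPONSE = b"""<AssumeRoleWithWebIdentityResponse
  xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><AssumeRoleWithWebIdentityResult>
  <Credentials><AccessKeyId>ASIACONSTRUCTEDEXAMPLE</AccessKeyId>
  <SecretAccessKey>constructed-secret</SecretAccessKey><SessionToken>constructed-token</SessionToken>
  <Expiration>2030-01-01T00:00:00Z</Expiration></Credentials>
  </AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"""
```

A wrapper would `json.dumps` the result of `exchange(...)` to stdout and be registered as `credential_process` in the AWS config profile.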
