-
Notifications
You must be signed in to change notification settings - Fork 485
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce the aws_s3
BundlePublisher plugin
#4355
Changes from all commits
7c8b71f
b034f24
5a47907
fa3d2bf
eb75512
07423a0
3ade895
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -803,6 +803,32 @@ plugins { | |
# namespace = "sandbox" | ||
# } | ||
# } | ||
|
||
# BundlePublisher "aws_s3": A bundle publisher that puts the current trust | ||
# bundle of the server in a designated Amazon S3 bucket, keeping it updated. | ||
# BundlePublisher "aws_s3" { | ||
# plugin_data { | ||
# # region: AWS region to store the trust bundle. Default: "". | ||
# # region = "us-east-1" | ||
|
||
# # access_key_id: AWS access key id. Default: value of | ||
# # AWS_ACCESS_KEY_ID environment variable. | ||
# # access_key_id = "" | ||
|
||
# # secret_access_key: AWS secret access key. Default: value of | ||
# # AWS_SECRET_ACCESS_KEY environment variable. | ||
# # secret_access_key = "" | ||
|
||
# # bucket: The Amazon S3 bucket name to which the trust bundle is uploaded. Default: "". | ||
# # bucket = "spire-bundle-1" | ||
|
||
# # object_key: The object key inside the bucket. Default: "". | ||
# # object_key = "example.org" | ||
|
||
# # format: Format in which the trust bundle is stored, <spiffe | jwks | pem>. Default: "". | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What format is defaulted to when unset? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The plugin requires that a format is explicitly configured, so there is not a default format set. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do you think a default would make sense here, There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If we have a default, I would probably suggest to be the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
No, that's ok. I think this convinced me to be honest. |
||
# # format = "spiffe" | ||
# } | ||
# } | ||
} | ||
|
||
# telemetry: If telemetry is desired use this section to configure the | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
# Server plugin: BundlePublisher "aws_s3" | ||
|
||
The `aws_s3` plugin puts the current trust bundle of the server in a designated | ||
Amazon S3 bucket, keeping it updated. | ||
|
||
The plugin accepts the following configuration options: | ||
|
||
| Configuration | Description | Required | Default | | ||
|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|-----------------------------------------------------| | ||
| access_key_id | AWS access key id. | Required only if AWS_ACCESS_KEY_ID environment variable is not set. | Value of AWS_ACCESS_KEY_ID environment variable. | | ||
| secret_access_key | AWS secret access key. | Required only if AWS_SECRET_ACCESSKEY environment variable is not set. | Value of AWS_SECRET_ACCESSKEY environment variable. | | ||
| region | AWS region to store the trust bundle. | Yes. | | | ||
| bucket | The Amazon S3 bucket name to which the trust bundle is uploaded. | Yes. | | | ||
| object_key | The object key inside the bucket. | Yes. | | | ||
| format | Format in which the trust bundle is stored, <spiffe | jwks | pem>. See [Supported bundle formats](#supported-bundle-formats) for more details. | Yes. | | | ||
|
||
## Supported bundle formats | ||
|
||
The following bundle formats are supported: | ||
|
||
### SPIFFE format | ||
|
||
The trust bundle is represented as an RFC 7517 compliant JWK Set, with the specific parameters defined in the [SPIFFE Trust Domain and Bundle specification](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#4-spiffe-bundle-format). Both the JWT authorities and the X.509 authorities are included. | ||
|
||
### JWKS format | ||
|
||
The trust bundle is encoded as an RFC 7517 compliant JWK Set, omitting SPIFFE-specific parameters. Both the JWT authorities and the X.509 authorities are included. | ||
|
||
### PEM format | ||
|
||
The trust bundle is formatted using PEM encoding. Only the X.509 authorities are included. | ||
|
||
## AWS IAM Permissions | ||
|
||
The user or role identified by the configured credentials must have the `s3:PutObject` IAM permissions. | ||
|
||
## Sample configuration | ||
|
||
The following configuration uploads the local trust bundle contents to the `example.org` object in the `spire-trust-bundle` bucket. The AWS access key id and secret access key are obtained from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESSKEY environment variables. | ||
|
||
```hcl | ||
BundlePublisher "aws_s3" { | ||
plugin_data { | ||
region = "us-east-1" | ||
bucket = "spire-trust-bundle" | ||
object_key = "example.org" | ||
format = "spiffe" | ||
} | ||
} | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in another examples we have region empty