feat(gateway): add AWS authentication #202
Merged
saifsmailbox98 merged 7 commits into main on May 5, 2026
Adds --enroll-method=aws to "infisical gateway start" and "infisical gateway systemd install". The daemon authenticates by signing an sts:GetCallerIdentity request with the host's AWS credentials (instance role / env vars / profile) and exchanging it for a GATEWAY_ACCESS_TOKEN via POST /v1/resource-aws-auth/gateways/login.
- Re-authenticates fresh on every daemon start (no JWT persisted to disk), so the AWS IAM identity itself is the durable credential
- New --gateway-id flag (required for AWS auth) — gatewayId, domain and name are persisted to the systemd env file so subsequent restarts don't need the flag
- InstallAwsAuthGatewaySystemdService writes a systemd unit that does not contain a JWT; the daemon re-logs in on every service start
Backend renamed the AWS auth login URL from /v1/resource-aws-auth/gateways/login to /v3/gateways/login as part of the auth-method redesign — the new endpoint is method-aware and accepts a discriminated body (method: "aws" | "token"). Update CLI to match. Also consolidates EnrollMethodAws / EnrollMethodToken constants into constants.go (previously split between aws_auth.go and enroll.go).
Previously set Content-Type after signer.SignHTTP, which would break the signature if a future AWS SDK release started including Content-Type in SignedHeaders — the backend forwards the signed request to STS and would get SignatureDoesNotMatch. Set it on req.Header before signing instead, and forward every signed header verbatim from req.Header rather than overriding Host/Content-Length manually. Also drops the redundant manual X-Amz-Date Add (signer sets it from the signing time argument) and names the timestamp explicitly so the header and signature derive from the same value.
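The header-ordering point above, as an added stand-alone illustration that is not the CLI's own code (the CLI uses the AWS SDK's signer): a stdlib-only SigV4 signer for a `POST /` to STS over lowercase header names, plus the recomputation STS performs on the request the backend forwards. The secret, region and header values are constructed, and the canonical form is simplified (no query string).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
	"time"
)

// Constructed, non-real secret and signing scope, used only for this illustration.
const exampleSecret, region, service = "EXAMPLE-SECRET-NOT-REAL", "us-east-1", "sts"

func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}

func sha256Hex(s string) string { sum := sha256.Sum256([]byte(s)); return hex.EncodeToString(sum[:]) }

// signature: SigV4 over "POST /" to STS, using exactly the sorted lowercase header names in signed.
func signature(hdrs map[string]string, signed []string, body string, t time.Time) string {
	var canon strings.Builder
	for _, n := range signed {
		canon.WriteString(n + ":" + strings.TrimSpace(hdrs[n]) + "\n")
	}
	canonReq := strings.Join([]string{"POST", "/", "", canon.String(), strings.Join(signed, ";"), sha256Hex(body)}, "\n")
	date := t.UTC().Format("20060102")
	scope := date + "/" + region + "/" + service + "/aws4_request"
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", t.UTC().Format("20060102T150405Z"), scope, sha256Hex(canonReq)}, "\n")
	k := hmacSHA256(hmacSHA256(hmacSHA256(hmacSHA256([]byte("AWS4"+exampleSecret), date), region), service), "aws4_request")
	return hex.EncodeToString(hmacSHA256(k, toSign))
}

// Sign stamps x-amz-date from t (header and signature share one instant), then signs every header present.
func Sign(hdrs map[string]string, body string, t time.Time) (signed []string, sig string) {
	hdrs["x-amz-date"] = t.UTC().Format("20060102T150405Z")
	for n := range hdrs {
		signed = append(signed, n)
	}
	sort.Strings(signed)
	return signed, signature(hdrs, signed, body, t)
}

// Verify mirrors STS on the forwarded request: recompute over the forwarded values of every signed header.
func Verify(forwarded map[string]string, signed []string, sig, body string, t time.Time) bool {
	return hmac.Equal([]byte(signature(forwarded, signed, body, t)), []byte(sig))
}
```

A header present at signing time is bound into SignedHeaders, so any later override of its value (the old manual Host rewrite) fails verification, while a header added only after signing is simply unsigned.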
LoginGatewayWithAws used context.TODO() in the SigV4 signing call, so a shutdown signal during startup couldn't cancel the outbound STS verification cleanly. Take ctx as a parameter, pass it to signer.SignHTTP, and have the caller in cmd/gateway.go pass cmd.Context() through.
- systemd.go: InstallAwsAuthGatewaySystemdService doc said "the EC2 instance's IAM role." AWS auth resolves credentials from the standard chain — instance role, env vars, or shared profile — not just EC2 instance metadata. Match the wording with the start-command dialog the operator sees.
- cmd/gateway.go: drop the 3-line comment that restated what LoginGatewayWithAws's own doc block already explains.
Codex Review (automated review comment)
Reviewed commit: e84a296653
String-formatting `https://sts.%s.amazonaws.com/` only works for the commercial AWS partition — GovCloud and China regions need the SDK's endpoint resolver to pick the right host suffix (`.amazonaws.com.cn` for China). Switched both the request URL and the signed Host header to `sts.NewDefaultEndpointResolverV2`. service/sts moves from indirect to direct in go.mod.
Reverts the partition-aware SDK resolver in favour of the same fmt.Sprintf("https://sts.%s.amazonaws.com/") pattern used by the Go SDK's identity-aws-auth path. China partition support can be added across both paths together in a follow-up.
bernie-g approved these changes on May 5, 2026
Description 📣
Adds --enroll-method=aws. Gateway signs an STS GetCallerIdentity request locally and exchanges it for an access token