feat: Add AWS instance identity authentication #570
Conversation
This allows zero-trust authentication for all AWS instances. Prior to this, AWS instances could be used by passing `CODER_TOKEN` as an environment variable to the startup script. AWS explicitly states that secrets should not be passed in startup scripts because it's user-readable.
@bpmct once this lands, we can remove
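The verification step the PR description is relying on, written out as an added example (not code from this PR or from the Coder project): the server takes the instance identity document and the detached signature that the instance fetches from the metadata service, checks the signature against the AWS signing certificate for the instance's region group (the reason the PR introduces per-region constants), and only then trusts the `instanceId` inside. Assumptions: the `signature` endpoint yields a base64 RSA-SHA256 PKCS#1 v1.5 signature over the raw document; the certificate, key, instance and account ids below are constructed for the demo, and the real AWS certificates must be supplied by the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IdentityDocument holds the fields of the EC2 instance identity document that an
// authenticating server cares about; the JSON keys match the metadata service's document.
type IdentityDocument struct {
	InstanceID string `json:"instanceId"`
	AccountID  string `json:"accountId"`
	Region     string `json:"region"`
}

// VerifyIdentityDocument checks sigB64 (base64 RSA-SHA256, PKCS#1 v1.5; an assumption
// about the "signature" endpoint) over document using the public key in certPEM, and only
// then parses the document. certPEM must be the AWS certificate for the instance's region
// group, so the caller selects it by region before calling this.
func VerifyIdentityDocument(certPEM, document []byte, sigB64 string) (*IdentityDocument, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("certPEM does not contain a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return nil, fmt.Errorf("decode signature: %w", err)
	}
	digest := sha256.Sum256(document)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not match document: %w", err)
	}
	var doc IdentityDocument
	if err := json.Unmarshal(document, &doc); err != nil {
		return nil, fmt.Errorf("parse identity document: %w", err)
	}
	if doc.InstanceID == "" {
		return nil, errors.New("identity document has no instanceId")
	}
	return &doc, nil
}

// newDemoSigner builds a throwaway key and self-signed certificate standing in for the
// AWS signing certificate. Constructed for this example only.
func newDemoSigner() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-identity-signer"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Demo signs a constructed document, verifies it, then shows that the same signature is
// rejected once the instanceId is altered. It returns the verified instanceId and whether
// the tampered copy was rejected.
func Demo() (string, bool, error) {
	key, certPEM, err := newDemoSigner()
	if err != nil {
		return "", false, err
	}
	// Constructed sample document; ids are placeholders, not real resources.
	document := []byte(`{"instanceId":"i-0123456789abcdef0","accountId":"123456789012","region":"us-east-1"}`)
	digest := sha256.Sum256(document)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", false, err
	}
	sigB64 := base64.StdEncoding.EncodeToString(sig)
	doc, err := VerifyIdentityDocument(certPEM, document, sigB64)
	if err != nil {
		return "", false, err
	}
	tampered := []byte(`{"instanceId":"i-ffffffffffffffff0","accountId":"123456789012","region":"us-east-1"}`)
	_, tamperErr := VerifyIdentityDocument(certPEM, tampered, sigB64)
	return doc.InstanceID, tamperErr != nil, nil
}

func main() {
	id, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verified instanceId=%s, tampered document rejected=%v\n", id, rejected)
}
```

The point the PR description makes is visible in the failing branch: an instance cannot forge a document for another `instanceId` without the AWS private key, whereas a `CODER_TOKEN` in the startup script is readable by any user on the box. The server should still map the verified `instanceId` to an expected workspace on its own side, since the document proves identity, not authorization.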
Codecov Report
@@ Coverage Diff @@
## main #570 +/- ##
==========================================
+ Coverage 63.43% 63.73% +0.30%
==========================================
Files 195 196 +1
Lines 11321 11514 +193
Branches 85 85
==========================================
+ Hits 7181 7338 +157
- Misses 3380 3399 +19
- Partials 760 777 +17
Continue to review full report at Codecov.
```go
const (
	Other    Region = "other"
	HongKong Region = "hongkong"
	Bahrain  Region = "bahrain"
	CapeTown Region = "capetown"
	Milan    Region = "milan"
	China    Region = "china"
	GovCloud Region = "govcloud"
)

var (
	All = []Region{Other, HongKong, Bahrain, CapeTown, Milan, China, GovCloud}
)
```
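Review bot: the exported identifiers in this hunk (`Other` through `GovCloud`, and `All`) have no doc comments, which the Go linters will flag and which matters here because nothing in the visible lines says what a `Region` is used for; a one-line comment on the `const` block along the lines of "groups of AWS regions that share an instance identity signing certificate" would make the purpose clear. Separately, `All` is a package-level `var`, so any importer can append to or reorder it at runtime; if it is only read, consider exposing it through a function that returns a fresh slice, or keeping the backing slice unexported.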
These variable names should probably be prefixed with Region.
It felt unnecessarily verbose due to the small scope of the package.
I posted some nits. Nothing that will block a merge.
I am missing context on what this is actually used for though. It's only used for testing? We test in AWS and GCP?