v0.41.0
New: Workload Identity for AWS and GCP Auth
Both aws_auth and gcp_auth now accept a credentials_provider block in place of static key material. Setting type: workload_identity delegates credential resolution to the respective cloud SDK's default credential chain: IRSA, EKS Pod Identity, and IMDSv2 for AWS; GKE Workload Identity, GOOGLE_APPLICATION_CREDENTIALS, and Workload Identity Federation for GCP. The proxy resolves and holds the short-lived, automatically rotating pod credentials, while the agent SDK runs with placeholder credentials; real keys never reach the agent, and there is no long-lived key to rotate or leak from agent configuration.
For gcp_auth, the subject field (domain-wide delegation) is rejected when credentials_provider is set: domain-wide delegation requires a JWT signed with a service-account private key, and metadata-server or federated credentials never expose one, so they cannot impersonate a user.
# AWS: workload identity (IRSA / Pod Identity / IMDSv2)
- name: aws_auth
  config:
    credentials_provider:
      type: workload_identity
      # region: us-east-1   # optional; overrides AWS_REGION discovery
    allowed_services: ["bedrock"]
  rules:
    - host: "*.amazonaws.com"
# GCP: workload identity (GKE Workload Identity / ADC)
- name: gcp_auth
  config:
    credentials_provider:
      type: workload_identity
    scopes:
      - "https://www.googleapis.com/auth/cloud-platform"
  rules:
    - host: "*.googleapis.com"
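The following validator is an added example, not the proxy's own code: it encodes the constraints above (a credentials_provider block replaces static key material, gcp_auth rejects subject alongside it, and rules should stay scoped to the cloud's API hosts) and runs them over the two configurations above plus two deliberately broken ones. The plugin entries are constructed here as Python dicts mirroring the YAML; the names of the static-key fields (access_key_id, secret_access_key, session_token, service_account_key, credentials_json) and the error messages are assumptions for illustration and may differ from the real plugin.

```python
"""Added example: validate aws_auth / gcp_auth entries that use credentials_provider.

Not the proxy's own code. Static-key field names and messages are assumed.
"""
from __future__ import annotations

# Assumed names of static-credential fields that a credentials_provider replaces.
STATIC_KEY_FIELDS = {
    "aws_auth": ("access_key_id", "secret_access_key", "session_token"),
    "gcp_auth": ("service_account_key", "credentials_json"),
}
SUPPORTED_PROVIDER_TYPES = {"workload_identity"}
# Each plugin should only ever be asked to sign requests for its own cloud's API hosts.
CLOUD_HOST_SUFFIXES = {
    "aws_auth": (".amazonaws.com",),
    "gcp_auth": (".googleapis.com",),
}


def validate_plugin(entry: dict) -> list[str]:
    """Return the list of problems in one plugin entry; an empty list means it is valid."""
    problems: list[str] = []
    name = entry.get("name")
    config = entry.get("config") or {}
    if name not in STATIC_KEY_FIELDS:
        return [f"{name!r}: unknown plugin"]

    provider = config.get("credentials_provider")
    if provider is not None:
        ptype = provider.get("type")
        if ptype not in SUPPORTED_PROVIDER_TYPES:
            problems.append(f"{name}: unsupported credentials_provider.type {ptype!r}")
        # Static keys next to a provider defeat the point: the proxy would still hold
        # long-lived material that the workload-identity chain was meant to replace.
        for field in STATIC_KEY_FIELDS[name]:
            if field in config:
                problems.append(f"{name}: {field} must not be set with credentials_provider")
        # Domain-wide delegation needs a JWT signed with a service-account private key,
        # which metadata-server / federated credentials never expose.
        if name == "gcp_auth" and "subject" in config:
            problems.append("gcp_auth: subject (domain-wide delegation) is rejected with credentials_provider")
    else:
        # Without a provider the plugin has to be given some credential material.
        if not any(field in config for field in STATIC_KEY_FIELDS[name]):
            problems.append(f"{name}: no credentials_provider and no static credentials configured")

    rules = entry.get("rules") or []
    if not rules:
        problems.append(f"{name}: rules must not be empty")
    for rule in rules:
        host = str(rule.get("host", ""))
        suffixes = CLOUD_HOST_SUFFIXES[name]
        if host == "*" or not host.endswith(suffixes):
            problems.append(f"{name}: rule host {host!r} is not scoped to {suffixes}")
    return problems


def validate_all(entries: list[dict]) -> dict[str, list[str]]:
    """Map each plugin name to its problems, for every entry in a plugin list."""
    return {str(e.get("name")): validate_plugin(e) for e in entries}


# Constructed entries mirroring the YAML in the release note.
AWS_WORKLOAD_IDENTITY = {
    "name": "aws_auth",
    "config": {
        "credentials_provider": {"type": "workload_identity"},
        "allowed_services": ["bedrock"],
    },
    "rules": [{"host": "*.amazonaws.com"}],
}
GCP_WORKLOAD_IDENTITY = {
    "name": "gcp_auth",
    "config": {
        "credentials_provider": {"type": "workload_identity"},
        "scopes": ["https://www.googleapis.com/auth/cloud-platform"],
    },
    "rules": [{"host": "*.googleapis.com"}],
}
# Constructed negative cases: delegation subject with a provider, and static keys with a provider.
GCP_DELEGATION_REJECTED = {
    "name": "gcp_auth",
    "config": {
        "credentials_provider": {"type": "workload_identity"},
        "subject": "admin@example.com",
    },
    "rules": [{"host": "*.googleapis.com"}],
}
AWS_MIXED_CREDENTIALS = {
    "name": "aws_auth",
    "config": {
        "credentials_provider": {"type": "workload_identity"},
        "access_key_id": "AKIA-PLACEHOLDER",
        "secret_access_key": "placeholder",
    },
    "rules": [{"host": "*"}],
}

if __name__ == "__main__":
    for plugin, problems in validate_all(
        [AWS_WORKLOAD_IDENTITY, GCP_WORKLOAD_IDENTITY, GCP_DELEGATION_REJECTED, AWS_MIXED_CREDENTIALS]
    ).items():
        print(plugin, "OK" if not problems else problems)
```

Run it as a pre-deploy check on the plugin list: the two entries from the release note pass, the entry that keeps a subject is rejected for the delegation reason given above, and the entry that mixes static keys with a provider is flagged both for the keys and for its unscoped "*" host rule.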