Must be used in conjunction with the aws_iid node attestor plugin
The aws_iid resolver plugin resolves AWS IID-based SPIFFE ID's into a set
of selectors.
| Selector | Example | Description |
|---|---|---|
| Instance Tag | tag:name:blog |
The key (e.g. name) and value (e.g. blog) of an instance tag |
| Security Group ID | sg:id:sg-01234567 |
The id of the security group the instance belongs to |
| Security Group Name | sg:name:blog |
The name of the security group the instance belongs to |
| IAM role | arn:aws:iam::123456789012:instance-profile/Blog |
An IAM role within the instance profile for the instance |
All of the selectors have the type aws_iid.
| Configuration | Description | Default |
|---|---|---|
access_key_id |
AWS access key id | Value of AWS_ACCESS_KEY_ID environment variable |
secret_access_key |
AWS secret access key | Value of AWS_SECRET_ACCESS_KEY environment variable |
The user or role identified by the credentials must have permissions for
ec2:DescribeInstances and iam:GetInstanceProfile.
For more information on security credentials, see https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html.
A sample configuration:
NodeResolver "aws_iid" {
enabled = true
plugin_data {
access_key_id = "ACCESS_KEY_ID"
secret_access_key = "SECRET_ACCESS_KEY"
}
}