Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
I would like AWS to have a managed SPIRE service that integrates with compute services like EKS, ECS and Fargate. This would simplify the issuance and validation of SPIFFE identities for workloads and infrastructure, as well as enable mTLS across compute services, platforms and environments.
Which service(s) is this request for?
EKS, ECS, Fargate
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Most container workloads exist in larger architectures comprising different compute environments in the cloud and on-prem. Establishing secure communication between applications in such convoluted environments is hard without a standard approach to identity issuance and validation. SPIRE enables this by creating a zero-trust foundation for communication across complex environments. However, configuring, deploying and maintaining SPIRE components such as the SPIRE Server and Data Store introduces a new layer of management and complexity. In addition to this, there are a number of activities in monitoring the SPIRE lifecycle events such as attestation attempts, identity requests, issuances, and rotations, as well as registrations and de-registrations. This operational overhead is time-consuming and requires a lot of planning and plumbing to secure continuously changing and complex environments.
Are you currently working around this issue?
Self-management with internal platform teams and partnering with dedicated teams/consultants to run and manage SPIRE.
Additional context
None at this time
Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
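As an added illustration of the "validation of SPIFFE identities" this request wants a managed service to take off platform teams, the following Python script (example code added here, not part of the issue or of the SPIRE project) shows the strict parsing and trust-domain-scoped allow-list check a workload has to apply to a peer's SPIFFE ID after the SVID handshake. The syntax rules follow the SPIFFE ID standard (spiffe://<trust-domain>/<path>); the trust domain example.org, the allow-list and the candidate IDs are constructed for illustration.

```python
"""Parse and validate SPIFFE IDs, then apply a trust-domain-scoped allow-list.

Added example; not code from the issue author or the SPIRE project. The
syntax rules follow the SPIFFE ID standard (spiffe://<trust-domain>/<path>);
the allow-list and identities below are constructed for illustration.
"""
import re
from dataclasses import dataclass

SCHEME = "spiffe://"
MAX_ID_LEN = 2048
# Trust domain: lowercase letters, digits, dots, dashes, underscores; no port or userinfo.
TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]{1,255}$")
# Path segment: letters, digits, dots, dashes, underscores (case-sensitive).
PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


class InvalidSpiffeID(ValueError):
    """Raised when a string is not a well-formed SPIFFE ID."""


@dataclass(frozen=True)
class SpiffeID:
    trust_domain: str
    path: str  # "" for the trust-domain ID itself, otherwise starts with "/"

    def __str__(self) -> str:
        return f"{SCHEME}{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeID:
    """Strictly parse a SPIFFE ID, rejecting anything the standard forbids.

    A permissive parser is the risk here: an ID with a ".." segment, a stray
    port, or an uppercase trust domain could be compared against an allow-list
    entry it should never match. Failing closed on malformed input avoids that.
    """
    if len(raw) > MAX_ID_LEN:
        raise InvalidSpiffeID("ID exceeds maximum length")
    if not raw.startswith(SCHEME):  # scheme must be exactly lowercase "spiffe://"
        raise InvalidSpiffeID("scheme must be spiffe://")
    rest = raw[len(SCHEME):]
    trust_domain, slash, path_body = rest.partition("/")
    if not TRUST_DOMAIN_RE.fullmatch(trust_domain):
        raise InvalidSpiffeID(f"invalid trust domain {trust_domain!r}")
    if not slash:
        return SpiffeID(trust_domain, "")  # bare trust-domain ID, e.g. spiffe://example.org
    # Every segment must be non-empty and must not be "." or "..": this rejects
    # double slashes, a trailing slash, and traversal-style segments.
    for segment in path_body.split("/"):
        if segment in ("", ".", ".."):
            raise InvalidSpiffeID(f"invalid path segment {segment!r}")
        if not PATH_SEGMENT_RE.fullmatch(segment):
            raise InvalidSpiffeID(f"bad characters in path segment {segment!r}")
    return SpiffeID(trust_domain, "/" + path_body)


def is_valid_spiffe_id(raw: str) -> bool:
    """Convenience predicate wrapping the strict parser."""
    try:
        parse_spiffe_id(raw)
        return True
    except InvalidSpiffeID:
        return False


def authorize_peer(peer_id: str, local_trust_domain: str, allowed_ids: set[str]) -> tuple[bool, str]:
    """Decide whether a peer presenting `peer_id` may talk to this workload.

    The peer ID and every allow-list entry go through the same strict parser
    and are compared in canonical form, so a malformed allow-list entry raises
    at policy-evaluation time instead of silently matching nothing.
    """
    try:
        peer = parse_spiffe_id(peer_id)
    except InvalidSpiffeID as exc:
        return False, f"rejected: {exc}"
    if peer.trust_domain != local_trust_domain:
        return False, f"rejected: foreign trust domain {peer.trust_domain}"
    allowed = {str(parse_spiffe_id(entry)) for entry in allowed_ids}  # raises on a bad entry
    if str(peer) in allowed:
        return True, "allowed"
    return False, "rejected: identity not on allow-list"


# Constructed allow-list for a hypothetical payments service in trust domain example.org.
ALLOWED_CLIENTS = {
    "spiffe://example.org/ns/prod/sa/checkout",
    "spiffe://example.org/ns/prod/sa/refunds",
}

if __name__ == "__main__":
    for candidate in (
        "spiffe://example.org/ns/prod/sa/checkout",
        "spiffe://example.org/ns/prod/sa/../refunds",
        "spiffe://EXAMPLE.org/ns/prod/sa/checkout",
        "spiffe://partner.example/ns/prod/sa/checkout",
    ):
        print(candidate, "->", authorize_peer(candidate, "example.org", ALLOWED_CLIENTS))
```

The check is deliberately split in two: syntactic validation (which a SPIRE Agent or a managed control plane could enforce before an SVID is ever minted) and per-service authorization (which stays with the workload even when issuance is outsourced). Keeping the trust-domain comparison separate from the allow-list lookup also makes federation decisions explicit rather than implicit in string matching.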