chainguard-dev / cosign-ecs-verify

Lambda function for verifying signed images in ECS
Apache License 2.0

is it possible to use workload identity feature to use AWS services ? #11

Open developer-guy opened 2 years ago

developer-guy commented 2 years ago

Feature request

I saw that this project retrieves the public key from the AWS KMS system (IIUC)^1. To do so, it uses ecrHelper (which, IIUC, handles authentication). So what I am asking is: instead of using this one, could we use the AWS workload identity feature to accomplish the same thing? Thanks in advance.

Use case

dlorenc commented 2 years ago

cc @mattmoor @imjasonh I think that should work!

imjasonh commented 2 years ago

ecrHelper is intended to use workload identity if it's available. If it doesn't, that's a bug, let me know.

The public key pulled from KMS isn't used to auth to the registry, it's only used in cosign.CheckOpts:

https://github.com/chainguard-dev/cosign-ecs-verify/blob/6a2f1cab5273be3952b8194dff26070d7af26e9c/cosign-ecs-function/cosign.go#L43