Closed IvMdlc closed 1 year ago
Hi @IvMdlc, we just merged a change last week that we believe addresses this (#4124). Can you see if you still have problems with the latest code on the main branch?
Hi @azdagron Thanks, I've had a look at the changes in #4124 and see that you raised two points that we have some concerns about:
1. Provide the cert(s) by operator via override.
2. Cert expiration in June 2024.
We feel that we could achieve a seamless transition when AWS rotates the certificate if we had the ability to pass the certs: aws_iid uses the current one for signature verification and, whenever AWS publishes the new cert (well in advance, we hope) in their documentation (this is just awful, but...), the operator can go ahead and add it alongside the current one. aws_iid would need to try both.
These are just our two cents on this issue anyway :)
I think the key takeaway from #4124 is that SPIRE will now use the RSA 2048 signature for verification by default. The RSA 2048 signing certificates expire in 2195. The RSA 1024 signature is still sent by agents and is used only when the RSA 2048 signature is not present (this is for backcompat).
From that perspective, we didn't feel that we needed to provide a way to override. Is there something we're missing?
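As an added illustration of the two comments above (the operator-supplied certificate list that is tried in turn, and the policy from #4124 of using the RSA 2048 signature by default and the RSA 1024 one only when the stronger one is absent), here is a self-contained Go example. It is not SPIRE's aws_iid code: it assumes a simplified signature format (detached PKCS#1 v1.5 SHA-256 signatures rather than AWS's real encodings), constructed self-signed certificates standing in for the AWS signing certificates, and a constructed identity document. The `Signatures`, `NewSigningCA`, `VerifyDocument` and `RunRotationScenario` names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signatures stands in for the signature fields of an instance identity
// document: a preferred one (the RSA 2048 case in the thread) and a legacy
// one (RSA 1024). Both are detached PKCS#1 v1.5 SHA-256 signatures over the
// document bytes here; the real AWS encodings are not reproduced.
type Signatures struct {
	Preferred []byte
	Legacy    []byte
}

// NewSigningCA builds a self-signed certificate and key that plays the role
// of an AWS signing certificate (constructed for this example).
func NewSigningCA(name string, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign produces a detached signature over doc with the given signing key.
func Sign(key *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyWithAny tries every trusted certificate in turn (the "try both"
// behaviour suggested above) and succeeds if any of them verifies sig.
func verifyWithAny(trusted []*x509.Certificate, doc, sig []byte) error {
	digest := sha256.Sum256(doc)
	for _, c := range trusted {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok &&
			rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return nil
		}
	}
	return errors.New("signature did not verify against any trusted certificate")
}

// VerifyDocument uses the preferred signature when present and falls back to
// the legacy one only when the preferred one is absent. A preferred signature
// that fails is an error, not a reason to try the weaker one. It reports
// which signature was used.
func VerifyDocument(trusted []*x509.Certificate, doc []byte, sigs Signatures) (string, error) {
	switch {
	case len(sigs.Preferred) > 0:
		if err := verifyWithAny(trusted, doc, sigs.Preferred); err != nil {
			return "", fmt.Errorf("preferred signature: %w", err)
		}
		return "preferred", nil
	case len(sigs.Legacy) > 0:
		if err := verifyWithAny(trusted, doc, sigs.Legacy); err != nil {
			return "", fmt.Errorf("legacy signature: %w", err)
		}
		return "legacy", nil
	}
	return "", errors.New("document carries no signature")
}

// RotationResult records the outcome of each step of a simulated rotation.
type RotationResult struct {
	BeforeRotation      string // signature used while only the current cert is trusted
	PinnedAfterRotation error  // the new cert signs, but only the old cert is trusted
	WithOverride        string // operator trusts the new cert alongside the old one
	LegacyOnly          string // document carries no preferred signature at all
}

// RunRotationScenario walks a constructed document through a rotation of the
// signing certificate, with and without an operator-supplied override.
func RunRotationScenario() (RotationResult, error) {
	var r RotationResult
	current, currentKey, err := NewSigningCA("current-signing-cert", 2048)
	if err != nil {
		return r, err
	}
	next, nextKey, err := NewSigningCA("next-signing-cert", 2048)
	if err != nil {
		return r, err
	}
	legacy, legacyKey, err := NewSigningCA("legacy-signing-cert", 1024)
	if err != nil {
		return r, err
	}
	// Constructed identity document; the values are placeholders.
	doc := []byte(`{"instanceId":"i-0123456789abcdef0","region":"us-east-1"}`)
	sigCurrent, _ := Sign(currentKey, doc)
	sigNext, _ := Sign(nextKey, doc)
	sigLegacy, _ := Sign(legacyKey, doc)

	r.BeforeRotation, err = VerifyDocument([]*x509.Certificate{current}, doc,
		Signatures{Preferred: sigCurrent, Legacy: sigLegacy})
	if err != nil {
		return r, err
	}
	// After AWS rotates, a hardcoded single cert no longer verifies.
	_, r.PinnedAfterRotation = VerifyDocument([]*x509.Certificate{current}, doc,
		Signatures{Preferred: sigNext, Legacy: sigLegacy})
	// With both certs trusted, the same document verifies again.
	r.WithOverride, err = VerifyDocument([]*x509.Certificate{current, next}, doc,
		Signatures{Preferred: sigNext, Legacy: sigLegacy})
	if err != nil {
		return r, err
	}
	r.LegacyOnly, err = VerifyDocument([]*x509.Certificate{current, next, legacy}, doc,
		Signatures{Legacy: sigLegacy})
	return r, err
}

func main() {
	r, err := RunRotationScenario()
	if err != nil {
		fmt.Println("scenario failed:", err)
		return
	}
	fmt.Printf("before rotation: %s\npinned after rotation: %v\nwith override: %s\nlegacy only: %s\n",
		r.BeforeRotation, r.PinnedAfterRotation, r.WithOverride, r.LegacyOnly)
}
```

The pinned step is the failure mode the issue reports: a single hardcoded certificate verifies documents signed under it and nothing else. Keeping a list and iterating over it is what makes the operator's add-the-new-cert-early transition possible, while the preferred-then-legacy order keeps the weaker signature from being consulted whenever the stronger one is present.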
Right, missed that. We'll try it once it's released.
Awesome, we appreciate it :) We'll close this for now. If something comes up, please let us know!
Hardcoded AWS CA certificate prevents successful attestation from multiple AWS regions due to failed signature verification.
takes a key from hardcoded certificate
https://github.com/spiffe/spire/blob/main/pkg/server/plugin/nodeattestor/awsiid/iid.go#L138
https://github.com/spiffe/spire/blob/main/pkg/server/plugin/nodeattestor/awsiid/awsca.go
which is valid on a number of regions, but not on
See point 4 in
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
Also note its expiry
which is something to consider.