feat: add AWS IAM identity verification auth method #8
Draft
alukach wants to merge 2 commits into refactor/new-architecture from
Allow AWS services (Lambda, EC2, ECS) to authenticate with the proxy using their existing IAM credentials via AssumeRoleWithAWSIdentity, without needing an OIDC provider or long-lived secrets. The flow follows HashiCorp Vault's aws auth pattern: the client signs a GetCallerIdentity request, sends the signed headers to the proxy as base64-encoded query parameters, and the proxy forwards them to AWS STS for cryptographic identity verification. The verified ARN is then checked against the role's trusted_aws_accounts and subject_conditions before minting temporary credentials via the existing pipeline.

Changes:
- Add trusted_aws_accounts field to RoleConfig
- Relax validation: roles need OIDC issuers OR AWS accounts
- New aws_identity module: STS URL validation, request forwarding, GetCallerIdentity XML parsing
- Wire AssumeRoleWithAWSIdentity into try_handle_sts()
- Expose JwksCache HTTP client for reuse
- Add docs/auth/aws-iam-auth.md with flow diagrams and Python examples

https://claude.ai/code/session_01DeybF37mu27EMVd4kR57Xh
🚀 Latest commit deployed to https://multistore-proxy-pr-8.alukach.workers.dev
Summary
- New `AssumeRoleWithAWSIdentity` STS action, allowing AWS services (Lambda, EC2, ECS) to authenticate with the proxy using their existing IAM credentials — no OIDC provider or long-lived secrets needed
- The client signs a `GetCallerIdentity` request, sends the signed headers to the proxy as base64-encoded query params, and the proxy forwards them to AWS STS for cryptographic identity verification
- The verified ARN is checked against `trusted_aws_accounts` and `subject_conditions`, then temporary credentials are minted via the existing pipeline

Changes
- `crates/core/src/types.rs` — Add `trusted_aws_accounts` to `RoleConfig`
- `crates/core/src/config/static_file.rs` — Relax validation: roles need OIDC issuers OR AWS accounts (3 new tests)
- `crates/sts/src/aws_identity.rs` (new) — STS URL allowlist validation, GetCallerIdentity XML parsing, request forwarding (12 new tests)
- `crates/sts/src/lib.rs` — Add `assume_role_with_aws_identity()`, update `try_handle_sts()` for both auth flows
- `crates/sts/src/route_handler.rs` — Pass HTTP client through to handler
- `crates/sts/src/jwks.rs` — Add `http_client()` accessor on `JwksCache`
- `docs/auth/aws-iam-auth.md` (new) — Full docs with sequence diagrams, config examples, Python client example
- `docs/auth/proxy-auth.md` — Updated auth modes table

Test plan
- `cargo build` succeeds
- `cargo test` — all 111 tests pass (15 new tests)
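The proxy-side half of the flow described above, as an added example that is not the project's code (the proxy is Rust; this is stdlib-only Python so it runs anywhere, and the PR's own docs already ship a Python client example): decode the base64 query parameters, refuse any target other than an STS endpoint, refuse any signed body other than GetCallerIdentity, forward the request, parse the XML that STS returns, then check the account and the canonical role ARN against `trusted_aws_accounts` and `subject_conditions`. The query parameter names (`iam_request_url`, `iam_request_body`, `iam_request_headers`) are borrowed from Vault's aws auth method and the glob shape of `subject_conditions` is an assumption; the PR spells out neither. The headers, role and STS response are constructed so the module runs offline, and `send` stands in for the HTTPS forward.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from typing import Callable, Mapping
from urllib.parse import parse_qs, urlencode, urlsplit

# ASSUMPTION: parameter names follow Vault's aws auth method; the PR does not list its wire names.
PARAMS = ("iam_request_url", "iam_request_body", "iam_request_headers")
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
# Global and regional STS hosts of the "aws" partition only (extend for aws-cn / aws-us-gov).
STS_HOST_RE = re.compile(r"^sts(\.[a-z]{2}(-[a-z]+)+-\d)?\.amazonaws\.com$")
GET_CALLER_IDENTITY_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
ASSUMED_ROLE_RE = re.compile(r"^arn:(aws[a-z-]*):sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


class AuthError(Exception):
    """Any condition under which the proxy must refuse the login."""


def validate_sts_url(url: str) -> str:
    """Allow only https://sts[.<region>].amazonaws.com[/]; any other host is SSRF or a fake STS."""
    p = urlsplit(url)
    if p.scheme != "https" or not STS_HOST_RE.match(p.hostname or ""):
        raise AuthError(f"not an STS endpoint: {url!r}")
    if p.username is not None or p.port not in (None, 443):
        raise AuthError("userinfo or non-443 port in STS URL")
    if p.path not in ("", "/") or p.query or p.fragment:
        raise AuthError("STS URL must not carry a path, query or fragment")
    return url


def decode_login_params(query: str) -> dict:
    """Rebuild the request to forward from the base64-encoded query parameters."""
    qs = parse_qs(query, strict_parsing=True)

    def b64(name: str) -> str:
        try:
            return base64.b64decode(qs[name][0], validate=True).decode()
        except (KeyError, ValueError, UnicodeDecodeError) as exc:
            raise AuthError(f"bad or missing {name}") from exc

    url, body, headers_json = (b64(name) for name in PARAMS)
    # Relay exactly one API call: a signed AssumeRole (or anything else) would otherwise
    # run with the proxy acting as a confused deputy.
    if body != GET_CALLER_IDENTITY_BODY:
        raise AuthError("signed request is not GetCallerIdentity")
    headers = json.loads(headers_json)  # ASSUMPTION: a JSON object of header -> string
    if not isinstance(headers, dict):
        raise AuthError("headers must be a JSON object")
    return {"method": "POST", "url": validate_sts_url(url), "body": body, "headers": headers}


def parse_caller_identity(xml_text: str) -> dict:
    """Pull Arn, Account and UserId out of a GetCallerIdentityResponse document."""
    try:
        result = ET.fromstring(xml_text).find(STS_NS + "GetCallerIdentityResult")
    except ET.ParseError as exc:
        raise AuthError("STS returned malformed XML") from exc
    if result is None:
        raise AuthError("no GetCallerIdentityResult in STS response")
    out = {}
    for tag in ("Arn", "Account", "UserId"):
        el = result.find(STS_NS + tag)
        if el is None or not (el.text or "").strip():
            raise AuthError(f"STS response lacks {tag}")
        out[tag.lower()] = el.text.strip()
    return out


def canonical_arn(arn: str) -> str:
    """Fold arn:aws:sts::ACCT:assumed-role/Role/session into arn:aws:iam::ACCT:role/Role."""
    m = ASSUMED_ROLE_RE.match(arn)  # trust rules bind to the role, not the session name
    return f"arn:{m[1]}:iam::{m[2]}:role/{m[3]}" if m else arn


def authenticate(query: str, role: Mapping, send: Callable[[dict], str]) -> dict:
    """Whole proxy-side flow; `send` performs the HTTPS forward and returns the STS body."""
    ident = parse_caller_identity(send(decode_login_params(query)))  # STS checked the SigV4
    if ident["account"] not in role["trusted_aws_accounts"]:
        raise AuthError(f"account {ident['account']} is not trusted by this role")
    subject = canonical_arn(ident["arn"])
    # ASSUMPTION: subject_conditions modelled as glob patterns over the canonical ARN.
    if not any(fnmatchcase(subject, pat) for pat in role.get("subject_conditions") or ["*"]):
        raise AuthError(f"{subject} does not satisfy subject_conditions")
    return {"subject": subject, **ident}


# Constructed sample data so the module runs offline; the signature value is not real.
SAMPLE_HEADERS = {"Authorization": "AWS4-HMAC-SHA256 Credential=ASIAEXAMPLE/20240101/us-east-1/sts/"
                  "aws4_request, SignedHeaders=host;x-amz-date, Signature=0000",
                  "X-Amz-Date": "20240101T000000Z"}
SAMPLE_ROLE = {"trusted_aws_accounts": ["123456789012"],
               "subject_conditions": ["arn:aws:iam::123456789012:role/lambda-*"]}
CONSTRUCTED_STS_XML = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::123456789012:assumed-role/lambda-ingest/my-function</Arn>
    <UserId>AROAEXAMPLEID:my-function</UserId>
    <Account>123456789012</Account>
  </GetCallerIdentityResult>
</GetCallerIdentityResponse>"""


def build_login_query(url: str, headers: dict, body: str = GET_CALLER_IDENTITY_BODY) -> str:
    """Client side: encode the already-signed request the way the proxy expects."""
    raw = {"iam_request_url": url, "iam_request_body": body, "iam_request_headers": json.dumps(headers)}
    return urlencode({k: base64.b64encode(v.encode()).decode() for k, v in raw.items()})
```

Calling `authenticate(build_login_query("https://sts.us-east-1.amazonaws.com/", SAMPLE_HEADERS), SAMPLE_ROLE, lambda req: CONSTRUCTED_STS_XML)` yields the subject `arn:aws:iam::123456789012:role/lambda-ingest`. The two checks that carry the security are the host allowlist and the fixed GetCallerIdentity body: without the first the proxy is an SSRF relay that will believe whatever a fake STS answers, and without the second it is a confused deputy that executes any STS call the client chose to sign. Vault additionally folds a server-identifying header (`X-Vault-AWS-IAM-Server-ID`) into the signed request so a captured login cannot be replayed against a different deployment within the signature's validity window; the description here does not mention an equivalent binding, which is worth asking about in review.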