Support IAM role based login to AWS connectors #7496
Comments
In New additions:

```ballerina
public type IAMRoleBasedAuthConfig record {|
    boolean useIMDSv2 = true;
|};
```

Rename
@ayeshLK Are we allowing the user to set false for
If it is only a flag to enable

Option 01:

```ballerina
const EC2_IAM_ROLE = "EC2_IAM_ROLE";

public type StaticAuthConfig record {|
    string accessKeyId;
    string secretAccessKey;
    string sessionToken?;
|};

public type ConnectionConfig record {|
    StaticAuthConfig|EC2_IAM_ROLE auth;
|};
```

Option 02:

```ballerina
const EC2_IAM_ROLE = "EC2_IAM_ROLE";
const STATIC_AUTH = "STATIC_AUTH";

public type StaticAuthConfig record {|
    string accessKeyId;
    string secretAccessKey;
    string sessionToken?;
|};

public type ConnectionConfig record {|
    EC2_IAM_ROLE|STATIC_AUTH credentialProvider = STATIC_AUTH;
    StaticAuthConfig auth?;
|};
```

Option 02 needs additional validation.
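One way to do the additional validation Option 02 needs, as an added Ballerina example (not the connector's own code): the `validateConnectionConfig` function and its error messages are assumed, and it rejects every combination of `credentialProvider` and `auth` other than the two consistent ones.

```ballerina
import ballerina/io;

const EC2_IAM_ROLE = "EC2_IAM_ROLE";
const STATIC_AUTH = "STATIC_AUTH";

public type StaticAuthConfig record {|
    string accessKeyId;
    string secretAccessKey;
    string sessionToken?;
|};

public type ConnectionConfig record {|
    EC2_IAM_ROLE|STATIC_AUTH credentialProvider = STATIC_AUTH;
    StaticAuthConfig auth?;
|};

// Hypothetical validator (assumed name): the two fields are only consistent in two
// combinations, so everything else is rejected before any credential is resolved.
isolated function validateConnectionConfig(ConnectionConfig config) returns error? {
    StaticAuthConfig? auth = config.auth;
    match config.credentialProvider {
        STATIC_AUTH => {
            if auth is () {
                return error("'auth' is required when 'credentialProvider' is STATIC_AUTH");
            }
            if auth.accessKeyId.trim() == "" || auth.secretAccessKey.trim() == "" {
                return error("'accessKeyId' and 'secretAccessKey' must be non-empty for STATIC_AUTH");
            }
        }
        EC2_IAM_ROLE => {
            // The instance role is the only credential source here; a stray static key
            // is a configuration mistake, not something to silently ignore.
            if auth !is () {
                return error("'auth' must not be set when 'credentialProvider' is EC2_IAM_ROLE");
            }
        }
    }
}

public function main() returns error? {
    // Constructed sample configs to exercise the validator.
    ConnectionConfig roleBased = {credentialProvider: EC2_IAM_ROLE};
    check validateConnectionConfig(roleBased);
    ConnectionConfig missingKeys = {credentialProvider: STATIC_AUTH};
    error? result = validateConnectionConfig(missingKeys);
    io:println(result is error ? result.message() : "valid");
}
```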
There are two versions of IMDS (v1 and v2), and as per AWS documentation [1] v2 is more secure and they recommend using it. But the v1 option is also there, and it is enabled by default in the SDK. And as per the documentation, you can enable and disable it using multiple options, like an environment variable, a JVM system property, or a configuration file. Hence, having a programmatic configuration is optional.
If we do not need the option to set the IMDS version programmatically, I would prefer using
As per the doc, the Java SDK first tries IMDSv2 to get the IAM role, but if that fails, it tries IMDSv1. We still have an option to disable trying IMDSv1 with other possibilities like env or system property; IMO we don't want to have it configured. WDYT?
+1
Current Limitation
Current AWS connectors only support authentication via the accessKeyId and secretAccessKey.
Suggested Improvement
Support IAM role-based login for AWS Connectors.
https://docs.workato.com/security/data-protection/secrets-management/iam-role-based-authentication-for-aws.html#retrieve-iam-role-arn
Version
No response