RFC: Pipeline Identity Tokens #139
Conversation
dbaumgarten
force-pushed
the
feature/pipeline-identities
branch
from
47164fa to
41fe496
Compare
dbaumgarten
changed the title
|
Would likely recommend against making RSA the default, seems to be a trend of moving towards EC25519 since RS256 uses PKCS#1v1.5 which is the vector for the Bleichenbacher style of attack, not sure increasing the bit size avoids the issues exploited in this style of attack. But should likely be default only, if the implementer is confident they have a closed ecosystem they should be able to specify other signing protocols. |
|
I mainly thought of RS256 because I think it has the widest support out there. Not sure if RS256 is actually affected by Bleichenbacher attacks. From reading into it it seems to mostly affect encryption via RSA and I couldn't find a source that says RS256 is affected. |
| - aws sts assume-role-with-web-identity --d | ||
| --provider-id "<ARN of the Identity Provider of Step 1>" \ | ||
| --role-arn "<ARN of the role to be assumed>" \ | ||
| --web-identity-token (( idtoken )) |
There was a problem hiding this comment.
I have thought a little more about this part.
The simples and cleanest approach would probably be to implement this as a var_source.
So it would the look like this:
var_sources:
- name: idtoken
type: idtoken
config:
aud: ["some-audience", "some-other"]
ttl: 15m
This would allow pipeline-authors to influence the generated token (in a controlled manner).
They can for example choose for which audiences a token is itended or how long it should stay valid.
The drawback is, that (as of now) it would be impossible to include anything more specific then team+pipeline in the token (so no job, task etc.) as these information is currently unavailble to a credenital-provider.
Signed-off-by: Daniel Baumgarten <[email protected]>
dbaumgarten
force-pushed
the
feature/pipeline-identities
branch
from
d6250a7 to
61f7ef0
Compare
Pipelines should be able to fetch a signed token containing information about their idenity concourse/rfcs/pull/139 Signed-off-by: Daniel Baumgarten <[email protected]>
|
I came up with some code to showcase how this feature could work: concourse/concourse#9035 |
Pipelines should be able to fetch a signed token containing information about their idenity concourse/rfcs/pull/139 Signed-off-by: Daniel Baumgarten <[email protected]>
Signed-off-by: Daniel Baumgarten <[email protected]>
Signed-off-by: Daniel Baumgarten <[email protected]>
dbaumgarten
force-pushed
the
feature/pipeline-identities
branch
from
0d8c9f9 to
d861d67
Compare
Rendered