Introduce a new aws_iid configuration option 'disable_instance_profile_selectors'#2119
…file_selectors'. This is needed when spire-server is running in a secure area with no public internet access. If an attesting node has an iam instance profile policy attached and there is no public internet access, spire-server fails to attest the nodes because it cannot reach the aws iam endpoint - iam.amazonaws.com. Setting use_instance_profile_selectors = false disables the api call to the iam endpoint, allowing nodes to attest. Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
…kwards functionality. Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
82bfb9f to 15fc9cb
…onfig option Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
Thanks for opening this @kgtw.
If the goal here is for the AWS IID attestor to function without Internet, I don't think this PR is going to achieve that successfully. Consulting AWS for the instance profile for selectors is but one place where we consult the AWS APIs. I would suggest the following:
@azdagron I believe this is only a problem for the iam API endpoint specifically, as it's a global endpoint. The EC2 API endpoint is regional, so doesn't require public Internet access to reach it.
🤦♂️ Thanks for that insight, @JonathanO. Re-reviews...
@kgtw, @JonathanO, what would your thoughts be on rename of the configurable to something like
E.g. "Using this plugin without internet access" section, which then captures the necessary configuration.
…tance_profile_selectors configuration option Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
## Disabling Instance Profile Selectors
In cases where spire-server is running in a location with no public internet access available, setting `disable_instance_profile_selectors = true` will prevent the server from making requests to `iam.amazonaws.com`. This is needed as spire-server will fail to start.
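Review bot: the new README paragraph documents when to set `disable_instance_profile_selectors = true` but not what the operator gives up, which the PR description does state: with the option enabled, IAM instance profile information is no longer available as selectors, so any registration entry that relies on instance profile selectors will no longer match attested nodes. Suggest adding one sentence to that effect after the first sentence, e.g. "Note that instance profile information will then not be available as selectors for registration entries." The last sentence also overstates the failure mode: per the PR description the server starts fine, and it is node attestation that fails when `iam.amazonaws.com` is unreachable, so "This is needed as node attestation will otherwise fail." would be more accurate.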
> This is needed as spire-server will fail to start.

I could see it failing agent attestation, but how does it cause the server to not start?
Ah yes, you're right. Let me fix the wording of that.
Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
Pull Request check list
Affected functionality
Setting `disable_instance_profile_selectors = true` means that iam instance profile information isn't available in selectors.
Description of change
This is needed when spire-server is running in a secure area with no public internet access.
If an attesting node has an iam instance profile policy attached and there is no public internet access, spire-server fails to attest the nodes because it cannot reach the aws iam endpoint - iam.amazonaws.com - which is used to retrieve the instance iam profile information.
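The server-side configuration this change introduces, shown as an added example rather than a snippet from the PR or the SPIRE documentation. It assumes the usual SPIRE server layout in which a node attestor plugin is configured with a `NodeAttestor "aws_iid" { plugin_data { ... } }` block; only the option name and value come from this PR.

```hcl
# spire-server configuration excerpt (added example, not from the PR).
# Assumes the standard SPIRE NodeAttestor/plugin_data block structure.
plugins {
    NodeAttestor "aws_iid" {
        plugin_data {
            # Default behaviour: the server calls the global IAM endpoint
            # (iam.amazonaws.com) during attestation to look up the node's
            # instance profile and expose it as selectors. In a network with
            # no public internet access that call cannot complete and node
            # attestation fails for instances that have an instance profile.
            #
            # Setting this to true skips the IAM call. Trade-off: instance
            # profile information is no longer available as selectors, so
            # registration entries must rely on the remaining aws_iid
            # selectors (the regional EC2 endpoint is still reachable and
            # still consulted).
            disable_instance_profile_selectors = true
        }
    }
}
```

Before enabling this in an environment that already has registration entries, audit them for selectors derived from the instance profile; those entries stop matching once the option is on, which is the expected consequence described in the "Affected functionality" section above.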
Which issue this PR fixes