cosign-ecs-verify

Is it possible to use the workload identity feature to use AWS services?

Open developer-guy opened this issue 3 years ago • 2 comments

Feature request

I saw that this project retrieves the public key from the AWS KMS system (IIUC)^1. To do so, it uses ecrHelper (which, IIUC, handles authentication). So what I am asking is: instead of using this one, could we use the AWS workload identity feature to accomplish the same thing? Thanks in advance.

Use case

developer-guy avatar Feb 04 '22 06:02 developer-guy

cc @mattmoor @imjasonh I think that should work!

dlorenc avatar Feb 04 '22 13:02 dlorenc

ecrHelper is intended to use workload identity if it's available. If it doesn't, that's a bug; let me know.

The public key pulled from KMS isn't used to auth to the registry, it's only used in cosign.CheckOpts:

https://github.com/chainguard-dev/cosign-ecs-verify/blob/6a2f1cab5273be3952b8194dff26070d7af26e9c/cosign-ecs-function/cosign.go#L43

imjasonh avatar Feb 04 '22 13:02 imjasonh
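As an added illustration of the distinction drawn in the comment above (this is example code, not code from cosign-ecs-verify or from either commenter): the public key fetched from KMS is only ever used to verify signatures, and that verification needs no AWS credential at all. The block below shows, in standard-library Go, what a cosign `CheckOpts` signature verifier does with such a key: ECDSA P-256 over SHA-256 of the simplesigning payload that binds the signature to a manifest digest. A locally generated key stands in for the KMS key (the real private key never leaves KMS), and the image reference and digests are constructed. The KMS lookup and the ecrHelper registry authentication are deliberately not reproduced; they are separate concerns from this check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// payload mirrors the "simplesigning" JSON that cosign signs: the signature
// is bound to a specific manifest digest, not merely to an image name or tag.
type payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]string `json:"optional"`
}

func newPayload(ref, digest string) ([]byte, error) {
	var p payload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	p.Optional = map[string]string{}
	return json.Marshal(&p)
}

// sign stands in for the KMS Sign call made at build time. Here the private
// key is a constructed local key; in the real flow it stays inside KMS.
func sign(priv *ecdsa.PrivateKey, msg []byte) (string, error) {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verify is the whole job of the signature verifier: ECDSA-P256/SHA-256 over
// the raw payload bytes with a public key. No registry or AWS credential is used.
func verify(pub *ecdsa.PublicKey, msg []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// verifyForDigest is the check a gate in front of ECS should make: the
// signature must verify AND the payload must name the digest the task is about
// to run. A valid signature over some other image must not be accepted.
func verifyForDigest(pub *ecdsa.PublicKey, msg []byte, sigB64, wantDigest string) error {
	if !verify(pub, msg, sigB64) {
		return errors.New("signature does not verify with the configured public key")
	}
	var p payload
	if err := json.Unmarshal(msg, &p); err != nil {
		return fmt.Errorf("payload is not simplesigning JSON: %w", err)
	}
	if p.Critical.Image.DockerManifestDigest != wantDigest {
		return fmt.Errorf("signature covers %s, not %s", p.Critical.Image.DockerManifestDigest, wantDigest)
	}
	return nil
}

// demo exercises the three cases a verifier must get right: a good signature,
// a tampered payload, and a valid signature presented for a different digest.
func demo() (goodOK, tamperedRejected, wrongDigestRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the KMS key
	if err != nil {
		return
	}
	pub := &priv.PublicKey // all that a KMS GetPublicKey call hands back

	ref := "123456789012.dkr.ecr.us-east-1.amazonaws.com/app" // constructed reference
	digest := "sha256:" + strings.Repeat("a", 64)              // constructed digests
	other := "sha256:" + strings.Repeat("b", 64)

	msg, err := newPayload(ref, digest)
	if err != nil {
		return
	}
	sigB64, err := sign(priv, msg)
	if err != nil {
		return
	}

	goodOK = verifyForDigest(pub, msg, sigB64, digest) == nil
	tampered := bytes.Replace(msg, []byte(digest), []byte(other), 1)
	tamperedRejected = verifyForDigest(pub, tampered, sigB64, other) != nil
	wrongDigestRejected = verifyForDigest(pub, msg, sigB64, other) != nil
	return
}

func main() {
	good, tampered, wrong, err := demo()
	fmt.Println("good:", good, "tampered rejected:", tampered, "wrong digest rejected:", wrong, "err:", err)
}
```

The point to take from it: the only secret in the verification path is on the signing side. Pulling the signature from ECR is where the task role (workload identity) comes in, and the public key from KMS only ever feeds the verifier, which is exactly the separation the comment describes.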