DO NOT USE THIS PLUGIN: it has been deprecated and will be removed in a future release. Its functionality was subsumed into the aws_iid node attestor plugin
Must be used in conjunction with the aws_iid node attestor plugin
The aws_iid resolver plugin resolves AWS IID-based SPIFFE ID's into a set
of selectors.
| Selector | Example | Description |
|---|---|---|
| Instance Tag | tag:name:blog |
The key (e.g. name) and value (e.g. blog) of an instance tag |
| Security Group ID | sg:id:sg-01234567 |
The id of the security group the instance belongs to |
| Security Group Name | sg:name:blog |
The name of the security group the instance belongs to |
| IAM role | iamrole:arn:aws:iam::123456789012:role/Blog |
An IAM role within the instance profile for the instance |
All of the selectors have the type aws_iid.
| Configuration | Description | Default |
|---|---|---|
access_key_id |
AWS access key id | Value of AWS_ACCESS_KEY_ID environment variable |
secret_access_key |
AWS secret access key | Value of AWS_SECRET_ACCESS_KEY environment variable |
The user or role identified by the credentials must have permissions for
ec2:DescribeInstances and iam:GetInstanceProfile.
The following is an example for a IAM policy needed to get instance's info from AWS.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"iam:GetInstanceProfile"
],
"Resource": "*"
}
]
}For more information on security credentials, see https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html.
A sample configuration:
NodeResolver "aws_iid" {
enabled = true
plugin_data {
access_key_id = "ACCESS_KEY_ID"
secret_access_key = "SECRET_ACCESS_KEY"
}
}