feat: Add AWS instance identity authentication (#570)

* feat: Add AWS instance identity authentication

This allows zero-trust authentication for all AWS instances.

Prior to this, AWS instances could be used by passing `CODER_TOKEN`
as an environment variable to the startup script. AWS explicitly
states that secrets should not be placed in startup scripts (user data)
because that data is readable by any user or process on the instance.

* Fix sha256 verbosity

* Fix HTTP client being exposed on auth
Kyle Carberry
2022-03-28 13:31:03 -06:00
committed by GitHub
parent 01957da040
commit a502a5fa14
13 changed files with 583 additions and 37 deletions


@ -10,6 +10,7 @@ import (
"google.golang.org/api/idtoken"
"cdr.dev/slog"
"github.com/coder/coder/coderd/awsidentity"
"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/httpapi"
"github.com/coder/coder/coderd/httpmw"
@ -24,6 +25,7 @@ type Options struct {
Database database.Store
Pubsub database.Pubsub
AWSCertificates awsidentity.Certificates
GoogleTokenValidator *idtoken.Validator
}
@ -135,6 +137,7 @@ func New(options *Options) (http.Handler, func()) {
})
r.Route("/workspaceresources", func(r chi.Router) {
r.Route("/auth", func(r chi.Router) {
r.Post("/aws-instance-identity", api.postWorkspaceAuthAWSInstanceIdentity)
r.Post("/google-instance-identity", api.postWorkspaceAuthGoogleInstanceIdentity)
})
r.Route("/agent", func(r chi.Router) {
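Review bot: The new `r.Post("/aws-instance-identity", api.postWorkspaceAuthAWSInstanceIdentity)` route is mounted under `/workspaceresources/auth` with no middleware in front of it, which is the right shape for an endpoint that establishes identity but also means it is reachable by any unauthenticated client; nothing in this hunk shows whether the handler rate-limits or rejects replayed identity documents, so that belongs in the handler review rather than here. As far as I know the signed instance identity document is served by IMDS to any process on the instance, so the effective trust boundary is "any code running on the instance can authenticate as its workspace agent", which is only a partial improvement over the user-readable `CODER_TOKEN` the description mentions; a short comment above the route stating that assumption would save the next reader from over-trusting the "zero-trust" wording. The `AWSCertificates awsidentity.Certificates` field added to `Options` has no doc comment, unlike what one would expect next to `GoogleTokenValidator`; I would add `// AWSCertificates holds the AWS public certificates used to verify instance identity signatures (presumably keyed per region — confirm against awsidentity).` The enclosing `New` function begins and ends outside this hunk.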