| author | mo khan <mo@mokhan.ca> | 2022-04-12 15:30:54 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2022-04-12 15:30:54 -0600 |
| commit | c20c22779c0f6e8db2d028a5ad1ee6dbba08008b (patch) | |
| tree | 72c716f04d89db27f01a7e613e08230eb96144e5 | |
| parent | 8cf7a1848b971e11d57e7ab5afd793417b696406 (diff) | |
add notes on workflow identity
| -rw-r--r-- | doc/run-identity/README.md | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/doc/run-identity/README.md b/doc/run-identity/README.md index 2523cee..8587512 100644 --- a/doc/run-identity/README.md +++ b/doc/run-identity/README.md @@ -104,3 +104,52 @@ rails/ kv kv_6ca5f254 n/a secret/ kv kv_c50fa680 key/value secret storage sys/ system system_5e571326 system endpoints used for control, policy and debugging ``` + +# Terraform Workload Identity - Product Spiel + +> Credentials == #1 Customer Pain + +* operation concerns +* risk +* onboarding time + +1. But what about variable sets? + +* so much better than what we had +* not much better of a risk story + +> "OIDC" == Trust + +* ecosystem building around standard +* Just in time (JIT) access +* Vault JWT Auth Method +* AWS, GCP, and Azure support +* Custom customer solutions + +> We will enable power users and set the foundation for mass adoption + +* JPMC, Snowflake and others will start using JWT immediately +* AWS wants to base all authen for their service catalog products on JWTs +* Azure is asking for it without knowing we are looking at it +* Cross team buy-in on longer term plan +* Bring JIT access to the masses + +Acceptance Criteria: + +* JWT's are unique for each stage of a run including plan, apply and run tasks. +* Generated during speculative plans and standard runs +* Exposed as an environment variable in the terraform build environment. +* Not stored to state unless practitioner specifically references it from Terraform. +* Accessible on agent-based workloads including hooks +* Given a TTL that corresponds to the system timeout on the current workload. +* JWT metadata must include: + * id of the run + * workspace id of the run + * organization id of the run + * stage of the run. i.e. speculative plan, plan, apply, run. + +To think about: + +1. NTP syncronization to ensure time matches from client to server. +1. Who is on the app-sec team? (Brian?) +1. x.509 certificate expiration. |
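Review bot: the "JWT metadata must include" list names the run id, workspace id, organization id and stage, but says nothing about the audience and issuer a consumer (the Vault JWT auth method, AWS, GCP, Azure, or a custom solution mentioned earlier in the hunk) is expected to verify, and the TTL criterion ("Given a TTL that corresponds to the system timeout on the current workload.") does not state a clock-skew tolerance even though "NTP syncronization" is flagged under "To think about"; consider adding an audience/issuer line to the metadata list and a stated skew tolerance next to the TTL line so both are testable. The pair "Exposed as an environment variable in the terraform build environment." and "Not stored to state unless practitioner specifically references it from Terraform." leaves accidental exposure implicit; a sentence on whether the value is masked in run logs and outputs, and what happens when it is referenced, would make the criterion reviewable. Minor: "syncronization" should be "synchronization", "authen" should be spelled out as "authentication", and the single numbered item "1. But what about variable sets?" reads as a stray list between two bullet lists.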
