
Feature #63718

open

STS integration with Spiffe/Spire

Added by Casey Bodley 5 months ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

#1

Updated by Casey Bodley 5 months ago

from Adam B in #ceph-devel slack https://ceph-storage.slack.com/archives/C1HFZTW81/p1701452630490429:

Hi All,

Let me share my findings on SPIFFE with RGW.

In the SPIFFE world a workload can authenticate by calling the SPIRE Workload API to request an SVID. JWT SVIDs can be used for OIDC federation, since they comply with the ID token specs. RGW is not too far from supporting OIDC federation with JWT SVIDs, but some gaps need to be filled:

  • RGW assumes the presence of an optional x5c member in the signing key for token validation, and doesn’t support bare JWKs. SPIRE uses bare JWKs.
  • RGW doesn’t match the right signing key using the “kid” parameter; it picks the first certificate instead. Signing keys might be at any position in the keys JSON array returned by an OIDC discovery endpoint.

I used this guide to set up SPIRE locally: https://spiffe.io/docs/latest/try/getting-started-linux-macos-x/
And used this sample OIDC discovery provider: https://github.com/spiffe/spire/tree/main/support/oidc-discovery-provider

For a comprehensive OIDC federation tutorial with AWS, see https://spiffe.io/docs/latest/keyless/oidc-federation-aws/
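As an added illustration of the two gaps listed in the comment above (this is example code, not code from RGW or SPIRE): a Python sketch of JWKS key selection that looks up the key by `kid` rather than array position and accepts bare JWKs as well as `x5c` entries. The JWKS document, key IDs and key values are constructed for the example.

```python
import base64
import json

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

# Constructed JWKS in the shape an OIDC discovery provider for SPIRE would publish:
# bare JWKs (no x5c member), and the current signing key is NOT first in the array.
SAMPLE_JWKS = {"keys": [
    {"kty": "EC", "kid": "retired-ec", "use": "sig", "alg": "ES256",
     "crv": "P-256", "x": b64url_encode(b"\x01" * 32), "y": b64url_encode(b"\x02" * 32)},
    {"kty": "RSA", "kid": "spire-2024", "use": "sig", "alg": "RS256",
     "n": b64url_encode(b"\x0b\xad\xf0\x0d"), "e": "AQAB"},  # toy modulus, illustration only
]}

ALG_TO_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}

def jwt_header(token: str) -> dict:
    """Parse the (not yet verified) JOSE header so 'kid' and 'alg' can be read."""
    return json.loads(b64url_decode(token.split(".")[0]))

def select_signing_key(jwks: dict, header: dict) -> dict:
    """Pick the JWK by 'kid' (never by position) and check it fits the token's 'alg'."""
    alg, kid = header.get("alg", ""), header.get("kid")
    want_kty = ALG_TO_KTY.get(alg[:2])
    if want_kty is None:
        raise ValueError(f"unsupported alg {alg!r}")
    found = [k for k in jwks["keys"]
             if k.get("use", "sig") == "sig" and k.get("kty") == want_kty
             and (kid is None or k.get("kid") == kid)
             and k.get("alg", alg) == alg]
    if len(found) != 1:  # missing or ambiguous: refuse rather than guess a key
        raise LookupError(f"expected exactly one key for kid={kid!r}, got {len(found)}")
    return found[0]

def public_key_material(jwk: dict):
    """Return what a verifier needs: the x5c leaf certificate if present, else the bare JWK parameters."""
    if "x5c" in jwk:                           # leaf cert first; x5c uses standard base64, not base64url
        return ("x5c", base64.b64decode(jwk["x5c"][0]))
    if jwk["kty"] == "RSA":                    # bare RSA JWK: n and e are big-endian unsigned integers
        to_int = lambda f: int.from_bytes(b64url_decode(jwk[f]), "big")
        return ("rsa", (to_int("n"), to_int("e")))
    if jwk["kty"] == "EC":
        return ("ec", (jwk["crv"], b64url_decode(jwk["x"]), b64url_decode(jwk["y"])))
    raise ValueError(f"unsupported kty {jwk['kty']!r}")
```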

