Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Workload Identities #1154

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Conversation

smndtrl
Copy link

@smndtrl smndtrl commented Dec 6, 2024

This is a WIP!

The goal is for a worker component to be able to attest to a remote entity (API, STS) that it is part of the golem environment. The remote entity can make their decisions based on the attested claims to e.g. allow API calls or in case of a secrets vault unlock the secret just for a specific component in a specific account.

It adds a API for components to retrieve a signed JWT with claims about the workers account, component id, worker name.

  • worker-executor has the signing capabilities and golem:api/identity.{get-token}
  • worker-service has a JWKS endpoint + for compatibility a openid-configuration discovery endpoint

Both must share the configuration with the keys. The worker service just needs to get the public information to display it on the endpoints while the worker executor actually needs the private parts to sign the JWT.

There is a lot to be done and cleaned up. I wanted to make it public for awareness and to see if this is of interest to the project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant