sia

Package sia, version v1.10.32 (this package is not in the latest version of its module).

Published: Aug 25, 2021 License: Apache-2.0 Imports: 18 Imported by: 0

README

SIA for AWS EC2

Configuration

SIA AWS requires a configuration file at /etc/sia/sia_config with the following required attributes whenever the property does not want to use the default settings. The defaults require the EC2 instance-profile role to be named in the format <property-domain-name>.<property-service-name>-service:

{
    "version": "1.0.0",
    "service": "property-service-name",
    "accounts": [
        {
            "domain":  "property-domain-name",
            "account": "account-aws-id"
        }
    ]
}

The AWS Account administrator must create an IAM Role named in the format described above (<property-domain-name>.<property-service-name>-service), and this role must be set up with a trust relationship with the role that the EC2 instance is configured to run as.

The SIA configuration file is also required if the user wants to change the default user/group ownership of the private key. By default, the private key is owned by user root and readable by group athenz. To give another user access to the service identity private key, add that user to the group athenz. To change the user and group values themselves, drop a config file with the following optional fields:

{
    "version": "1.0.0",
    "service": "property-service-name",
    "accounts": [
        {
            "domain":  "property-domain-name",
            "account": "account-aws-id",
            "user": "unix-username",
            "group": "unix-groupname"
        }
    ]
}
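As an added example (not the project's own code) of how the two config layouts above resolve in practice: it parses a sia_config document, rejects missing required attributes, derives the default IAM role name <domain>.<service>-service, and applies the root/athenz key ownership defaults unless the optional user/group fields override them. The struct names and the sample account values are assumptions made for this example.

```go
package main

import "encoding/json"
import "fmt"

// Layout of /etc/sia/sia_config from the README; type names are assumed here, not the project's.
type siaAccount struct {
	Domain  string `json:"domain"`
	Account string `json:"account"`
	User    string `json:"user,omitempty"`
	Group   string `json:"group,omitempty"`
}
type siaConfig struct {
	Service  string       `json:"service"`
	Accounts []siaAccount `json:"accounts"`
}
type Resolved struct {
	RoleName string // IAM role that must exist and trust the instance's own role
	KeyUser  string // unix owner of the service private key (default root)
	KeyGroup string // unix group allowed to read the private key (default athenz)
}

// ResolveSiaConfig parses the config, rejects missing required attributes, and
// derives the role name <domain>.<service>-service plus the key owner/group.
func ResolveSiaConfig(raw []byte) ([]Resolved, error) {
	var cfg siaConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse sia_config: %w", err)
	}
	if cfg.Service == "" || len(cfg.Accounts) == 0 {
		return nil, fmt.Errorf("sia_config: service and at least one account are required")
	}
	out := make([]Resolved, 0, len(cfg.Accounts))
	for _, a := range cfg.Accounts {
		if a.Domain == "" || a.Account == "" {
			return nil, fmt.Errorf("sia_config: each account needs domain and account")
		}
		r := Resolved{RoleName: a.Domain + "." + cfg.Service + "-service", KeyUser: "root", KeyGroup: "athenz"}
		if a.User != "" {
			r.KeyUser = a.User
		}
		if a.Group != "" {
			r.KeyGroup = a.Group
		}
		out = append(out, r)
	}
	return out, nil
}

func main() { // constructed sample config; the account id is a placeholder
	fmt.Println(ResolveSiaConfig([]byte(`{"version":"1.0.0","service":"api","accounts":[{"domain":"athenz.demo","account":"123456789012","group":"svcreaders"}]}`)))
}
```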

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetRoleCertificate

func GetRoleCertificate(ztsUrl, svcKeyFile, svcCertFile string, opts *options.Options, sysLogger io.Writer) bool

func RefreshInstance

func RefreshInstance(data []*attestation.AttestationData, ztsUrl string, opts *options.Options, sysLogger io.Writer) error

func RegisterInstance

func RegisterInstance(data []*attestation.AttestationData, document []byte, ztsUrl string, opts *options.Options, docExpiryCheck bool, sysLogger io.Writer) error

func RoleKey added in v1.10.14

func RoleKey(rotateKey bool, svcKey string) (*rsa.PrivateKey, error)

func SaveRoleCertKey added in v1.10.14

func SaveRoleCertKey(key, cert []byte, role options.Role, opts *options.Options, sysLogger io.Writer) error

func SaveSvcCertKey added in v1.10.14

func SaveSvcCertKey(key, cert []byte, svc options.Service, opts *options.Options, sysLogger io.Writer, createKey bool) error

Types

type Identity

type Identity struct {
	Name       string
	InstanceId string
	Ip         string
}

type SSHKeyReq

type SSHKeyReq struct {
	Principals []string `json:"principals"`
	Ips        []string `json:"ips,omitempty" rdl:"optional"` //not used
	Pubkey     string   `json:"pubkey"`
	Reqip      string   `json:"reqip"`
	Requser    string   `json:"requser"`
	Certtype   string   `json:"certtype"`
	Transid    string   `json:"transid"`
	Command    string   `json:"command,omitempty" rdl:"optional"` //not used
}

SSHKeyReq - congruent with certsign-rdl/certsign.rdl

Directories

Path (no synopsis given):

cmd
data
doc
devel
internal
