Conversation

nklaassen
Contributor

Part of RFD 27e

This PR adds support for the IAM join method to the new join service and client. Both the new and legacy gRPC servers are updated to use common logic that verifies the request.

nklaassen added the no-changelog (indicates that a PR does not require a changelog entry) and backport/branch/v18 labels on Oct 8, 2025
// To keep this validation simple and secure, we check the given endpoint
// against a static list of known valid endpoints. We will need to update this
// list as AWS adds new regions.
func validateSTSHost(stsHost string, fips bool) error {
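Review bot: the doc comment on validateSTSHost does not say how the fips parameter changes the check; the text speaks of one "static list of known valid endpoints" while the signature takes `fips bool`, so add a sentence stating which endpoints are accepted when fips is true. Also consider pointing the "update this list as AWS adds new regions" note at the AWS endpoint reference it should be kept in sync with, so the maintainer of that list knows where to look.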
Contributor Author


Code in this file has been moved from lib/auth/join_iam.go with minimal changes.
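The doc comment quoted above states the design choice for the moved check: the STS host is compared against a static allowlist of known endpoints, not matched by pattern. The following Go sketch is an added illustration of that approach and is not the PR's or Teleport's code. The endpoint lists are an illustrative, deliberately incomplete assumption (a real list must track AWS region additions, as the comment says), and every name other than validateSTSHost is invented for this example. It also shows how a server receiving a caller-supplied STS request URL would apply the host check, which is the part that matters for security: the URL is parsed first and the exact hostname is checked, so userinfo tricks and look-alike suffixes are rejected.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// knownSTSHosts is an illustrative static allowlist of AWS STS endpoints.
// Assumption for this example: it is a subset of the real endpoints, not the
// project's list, and must be extended by hand as AWS adds regions.
var knownSTSHosts = map[string]bool{
	"sts.amazonaws.com":               true, // global endpoint
	"sts.us-east-1.amazonaws.com":     true,
	"sts.us-east-2.amazonaws.com":     true,
	"sts.us-west-1.amazonaws.com":     true,
	"sts.us-west-2.amazonaws.com":     true,
	"sts.eu-west-1.amazonaws.com":     true,
	"sts.us-gov-east-1.amazonaws.com": true,
	"sts.us-gov-west-1.amazonaws.com": true,
}

// knownFIPSSTSHosts is the subset that AWS publishes as FIPS endpoints
// (same assumption: illustrative, not exhaustive). In FIPS mode only these
// are acceptable; outside FIPS mode they are still valid STS hosts.
var knownFIPSSTSHosts = map[string]bool{
	"sts-fips.us-east-1.amazonaws.com": true,
	"sts-fips.us-east-2.amazonaws.com": true,
	"sts-fips.us-west-1.amazonaws.com": true,
	"sts-fips.us-west-2.amazonaws.com": true,
	"sts.us-gov-east-1.amazonaws.com":  true,
	"sts.us-gov-west-1.amazonaws.com":  true,
}

// validateSTSHost accepts a host only if it appears verbatim in the allowlist.
// Exact matching, rather than a suffix or regexp check, is what rejects
// attacker-controlled hosts such as sts.amazonaws.com.evil.example.
// Hostnames are case-insensitive, so the comparison is done in lowercase.
func validateSTSHost(stsHost string, fips bool) error {
	host := strings.ToLower(stsHost)
	switch {
	case knownFIPSSTSHosts[host]:
		return nil
	case fips:
		return fmt.Errorf("STS host %q is not a known FIPS endpoint", stsHost)
	case knownSTSHosts[host]:
		return nil
	default:
		return fmt.Errorf("STS host %q is not a known AWS STS endpoint", stsHost)
	}
}

// validateSTSRequestURL (hypothetical name) shows how a server that is handed
// a pre-signed STS request URL by the joining client would use the host check:
// parse the URL, insist on https on the default port, reject userinfo, and
// only then check the parsed hostname. Checking u.Hostname() rather than a
// substring of the raw string defeats "https://sts.amazonaws.com@evil.example/".
func validateSTSRequestURL(rawURL string, fips bool) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("parsing STS request URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("STS request must use https")
	}
	if u.User != nil {
		return errors.New("STS request URL must not contain userinfo")
	}
	if p := u.Port(); p != "" && p != "443" {
		return fmt.Errorf("STS request must use port 443, got %s", p)
	}
	return validateSTSHost(u.Hostname(), fips)
}

func main() {
	// Constructed sample inputs: one legitimate GetCallerIdentity request and
	// several hosts an attacker might supply to redirect the verification.
	for _, tc := range []struct {
		url  string
		fips bool
	}{
		{"https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15", false},
		{"https://sts.us-east-1.amazonaws.com/", true},
		{"https://sts-fips.us-east-1.amazonaws.com/", true},
		{"https://sts.amazonaws.com@evil.example/", false},
		{"https://sts.amazonaws.com.evil.example/", false},
		{"http://sts.amazonaws.com/", false},
	} {
		fmt.Printf("%-80s fips=%-5v -> %v\n", tc.url, tc.fips, validateSTSRequestURL(tc.url, tc.fips))
	}
}
```

Note that in FIPS mode a plain regional endpoint is refused even though it is a genuine AWS host: the caller chose the endpoint, so the server, not the client, must enforce the FIPS restriction.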

authCtx,
boundKeypairInit.ClientParams.BotParams,
claims,
nil, // TODO(timothyb89): workload id claims
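Review bot: the nil passed for workload ID claims carries a TODO(timothyb89) with no tracking reference; since the discussion below says the TODO predates this PR and at least one join method now supplies such claims, link an issue in the TODO so the placeholder is not carried forward again without anyone owning it.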
Contributor Author


@timothyb89 this TODO was in the original bound keypair implementation, copied here now that one of the join methods actually has workload ID claims and it became a parameter here

Contributor


Thanks for the heads up - this one isn't urgent so I see no issues copying the comment.

@nklaassen nklaassen marked this pull request as ready for review October 8, 2025 00:35
Labels

backport/branch/v18, no-changelog (indicates that a PR does not require a changelog entry), size/md
