Project Quay / PROJQUAY-4744

Workload identity to support GCS bucket


    • Feature
    • Resolution: Duplicate

      Goal: Use Google Workload Identity Federation (WIF) to authenticate to the GCS bucket for image storage, instead of long-lived, static credentials, when using the GCS driver.

      Background: Right now Quay pushes images to the GCS bucket via HMAC keys. The request is to support Workload Identity so that authentication is handled through short-lived tokens.

      Why this is important: Long-lived static credentials are considered insecure and bad practice and are increasingly prohibited in the enterprise space.

      Required dependencies:

      1. Implement GCP WIF configuration flow as described in PROJQUAY-7729

      Acceptance criteria:

      1. Allow configuration of GCS bucket auth to be

      https://cloud.google.com/iam/docs/workload-identity-federation
      https://docs.openshift.com/container-platform/4.10/authentication/understanding-identity-provider.html

              rhn-support-bsmitley Brandon Smitley