Project Quay / PROJQUAY-6222

Investigate difficulty of adopting token-based auth in AWS, GCP, and Azure


    • Spike
    • Resolution: Done
    • Major
    • quay-v3.10.0
    • quay

      This is prep work for implementing token-based authentication for AWS, GCP, and Azure. Background can be reviewed here: https://issues.redhat.com/browse/OCPSTRAT-6.

      Currently, ImageRegistry supports token-based authentication for all three cloud providers on OpenShift. Quay will be adopting the same behavior in 3.11. We think that this effort should be relatively straightforward and only require us to update the type of authentication used in the existing libraries that interface with the providers, but we may also need to add a function that can refresh the token prior to expiration.

      This spike is meant to validate these assumptions and give a proper scope/estimate for implementation.

      Resources:
      https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html

      https://cloud.google.com/iam/docs/workload-identity-federation

      https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#managed-identity

              bcaton@redhat.com Brandon Caton
              doconnor@redhat.com Dave O'Connor