Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: Auth
Labels:
- auth

Target Version:
None
Activity Type:
Product / Portfolio Work
Status Summary:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Products:
None
Hierarchy Progress Bar:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
None
PX Impact Score:
PX Impact Range:
None
PX Priority Data:
None
PX Technical Impact:
None
PX Technical Impact Notes:
None
PX Scheduling Request:
None

1. Proposed title of this feature request

Native Support for AWS KMS in ZTWIM to Enable Production-Ready Enterprise Security Compliance

2. What is the nature and description of the request?

The Zero Trust Workload Identity Manager (ZTWIM) currently lacks a native, supported integration path for AWS Key Management Service (KMS). While the underlying SPIRE architecture supports various key managers, the OpenShift Operator does not yet expose these configurations in a stable manner.

Current workarounds involving "create-only mode" are strictly experimental and unsuitable for production because:

Breaks Reconciliation: The Operator ceases to manage the lifecycle, leading to configuration drift.

Blocks Upgrades: It prevents the Operator from receiving critical security patches and version updates, resulting in a "frozen" and potentially insecure state.

Operational Risk: Manual configuration overrides within a Tech Preview feature are fragile; as the ZTWIM schema evolves toward GA (General Availability), manual changes will likely lead to deployment failures.

The request is to implement a first-class KeyManager configuration within the ZTWIM Custom Resource (CR) that allows for AWS KMS integration while maintaining full Operator reconciliation and upgradeability.

3. Why does the customer need this? (Business Requirements)

Regulatory Compliance: Enterprise customers in highly regulated sectors (Finance, Healthcare, Public Sector) are often mandated by policies like FIPS 140-2 Level 3 or SOC2 to use hardware-backed keys (HSM/KMS) rather than software-based local keys.

Production Readiness: To move ZTWIM from "Tech Preview" evaluation to "Production" deployment, customers require a supported path that does not compromise the operational stability of the OpenShift cluster.

Cloud-Native Security Alignment: Customers running OpenShift on AWS expect seamless integration with AWS IAM and KMS to ensure a unified security posture across their infrastructure and workloads.

4. List any affected packages or components

Auth

Assignee:: Anjali Telang

Reporter:: Samiksha Chordiya

Need Info From:: None

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2026/02/24 1:45 PM

Updated:: 2026/02/24 3:55 PM

Target start:: None

Target end:: None

Details

Description

1. Proposed title of this feature request

2. What is the nature and description of the request?

3. Why does the customer need this? (Business Requirements)

4. List any affected packages or components

Attachments

Easy Agile Planning Poker

Activity

People

Dates