Commit 7e15c4b

Update notes on AWS constraints
1 parent 38bc756 commit 7e15c4b

File tree

1 file changed

+20
-6
lines changed

aws.md

Lines changed: 20 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -1,18 +1,32 @@
11
# AWS Roles Anywhere
22

3+
Some notes on authenticating to AWS using X.509 certificates through the
4+
AWS Roles Anywhere API.
5+
36
## Useful Resources
47

58
- https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication.html
69
- https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html
710
- https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html
811

9-
## Constraints
12+
## Important Constraints
13+
14+
### Certificates
1015

11-
End entity certificates must satisfy the following constraints to be used for authentication:
12-
- The certificates MUST be X.509v3.
13-
- Basic constraints MUST include CA: false.
14-
- The key usage MUST include Digital Signature.
15-
- The signing algorithm MUST include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected.
16+
> End entity certificates must satisfy the following constraints to be used for authentication:
17+
>
18+
> - The certificates MUST be X.509v3.
19+
> - Basic constraints MUST include CA: false.
20+
> - The key usage MUST include Digital Signature.
21+
> - The signing algorithm MUST include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected.
22+
23+
### Keys
1624

1725
> RSA and EC keys are supported; RSA keys are used with the RSA PKCS# v1.5 signing algorithm. EC keys are used with the ECDSA.
1826
27+
This seems like a relatively small problem. The SPIFFE spec does not make
28+
comment on permissible key types, and therefore, an implementation of SPIFFE
29+
could choose to use something other than EC or RSA. However, most
30+
implementations of SPIFFE today (e.g SPIRE, Teleport Workload Identity) use
31+
either EC or RSA as the default and indeed only support EC or RSA.
32+

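Review bot: the new paragraph at diff lines 27-31 opens with "This seems like a relatively small problem" without saying what "this" is; lead with the constraint itself, e.g. "The key-type restriction (RSA or EC only) seems like a relatively small problem for SPIFFE-based workloads", and then state the consequence concretely: an implementation that issues SVIDs with a key type other than RSA or EC could not authenticate to Roles Anywhere at all, so the restriction is a hard incompatibility rather than a degradation. The same compatibility check is missing for the Certificates section added at diff lines 14-21: it would help to note whether SPIRE and Teleport Workload Identity issue end-entity certificates that satisfy CA: false, the Digital Signature key usage and a SHA256-or-stronger signature by default, since those constraints bite just as hard as the key type. Two smaller points: the quoted blocks at diff lines 16-21 and 25 should say which of the linked AWS pages they are taken from, and "PKCS# v1.5" on diff line 25 reads as a typo for "PKCS #1 v1.5" (mark it [sic] if it is verbatim from the AWS page); "e.g" on diff line 30 wants its trailing period.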