AWS supports instance identity verification: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html Using this, we can exchange a signed instance payload for an agent token. @Summary Authenticate agent on AWS instance @ID authenticate-agent-on-aws-instance @Security Co
// @Success 200 {object} agentsdk.AuthenticateResponse
// @Router /api/v2/workspaceagents/aws-instance-identity [post]
func (api *API) postWorkspaceAuthAWSInstanceIdentity(rw http.ResponseWriter, r *http.Request) {
	// Decode the signed instance identity document and its signature from
	// the request body. On a decode failure nothing more is written here;
	// presumably httpapi.Read has already answered the request — verify.
	var token agentsdk.AWSInstanceIdentityToken
	ctx := r.Context()
	if ok := httpapi.Read(ctx, rw, r, &token); !ok {
		return
	}

	// Verify the document's signature against the configured AWS
	// certificates before trusting any field in it. The caller is still
	// unauthenticated at this point, so a verification failure ends the
	// request with 401 and no further processing.
	// NOTE(review): Detail echoes the verification error back to the
	// unauthenticated caller — confirm awsidentity errors carry nothing
	// beyond a generic reason.
	identity, validateErr := awsidentity.Validate(token.Signature, token.Document, api.AWSCertificates)
	if validateErr != nil {
		resp := codersdk.Response{
			Message: "Invalid AWS identity.",
			Detail:  validateErr.Error(),
		}
		httpapi.Write(ctx, rw, http.StatusUnauthorized, resp)
		return
	}

	// Only the instance ID taken from the verified document is forwarded,
	// together with the agent name supplied by the client; the remainder of
	// the flow lives in handleAuthInstanceID (presumably shared with the
	// other cloud-identity handlers in this file).
	api.handleAuthInstanceID(rw, r, identity.InstanceID, token.AgentName)
}
// Google Compute Engine supports instance identity verification:
// https://cloud.google.com/compute/docs/instances/verifying-instance-identity