Support Workload Identity Federation for Building Block Runs
complete
Jelle den Burger
It would be great if the Building Block Runner of meshStack could also support Workload Identity Federation so I no longer have to work with hard-coded, long-lived credentials
Johannes Rudolph
marked this post as
in progress
We have started working on this feature and will be iterating towards a full availability in the coming months.
Our current roadmap (subject to change) involves the following intermediate milestones
### V1: Runner-based Identity
This milestone will enable scheduling building blocks to a specific runner that has its own workload identity.
- Introduce concept of dedicated runners owned by a specific workspace (via platform builder). Existing runners will become shared runners and you can request dedicated runners via support.
- All building block definitions will be associated with a specific runner
- The OpenTofu runner will support using a runner-level workload identity to authenticate against AWS/Azure/GCP via the official terraform providers
We plan to also offer this approach for private runners hosted on your own infrastructure that have a workload identity provided by their underlying hosting environment (e.g. EC2, Cloud Run etc.)
We expect to ship V1 by end of October.
### V2: Run-based identity
This milestone will enable fine-grained authorization claims for each building block run based on definition owner, workspace etc. This enables securely using shared runners with multiple platform teams and also unlocks advanced authorization scenarios like making decisions based on the workspace owning the building block and the workspace owning the building block definition.
At this moment we expect to tackle V2 by end of 2025.
We are looking for feedback on this plan and are specifically looking for platform teams that would like to work with our team to participate in private preview of this feature and provide feedback directly to our team.
Johannes Rudolph
marked this post as
complete
Johannes Rudolph
Update: WIF for Building Block Runs now available
Using fine-grained workload identity federation for building block runs is now available.
What's available now:
- Building Block Definition subject claims now use this format: `system:serviceaccount:$meshstack_id:workspace.$workspace_identifier.buildingblockdefinition.$bbd_uuid`
- New runner architecture: Building Block runners now support running multiple building block runs concurrently
### Upgrade instructions
In order to use the new fine-grained WIF, please add the new, fine-grained subject claim to your existing building block backplane implementations (e.g. AWS IAM role policies):
- `system:serviceaccount:$meshstack_id:$runner_id`
- `system:serviceaccount:$meshstack_id:workspace.$workspace_identifier.buildingblockdefinition.$bbd_uuid`
This ensures that your building blocks will continue to function before and after the upgrade.
The upgrade procedure is as follows:
1. Ensure your building block backplanes include the new subject claim format
2. Inform support@meshcloud.io to let us know that we can upgrade your meshStack instance
3. After the upgrade is complete, you can remove the old subject claim format from your backplane implementations
If we can determine that you are not using WIF yet, we will upgrade your meshStack automatically to the new format.
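The following is an added example (not meshcloud's code) that models the AWS IAM trust-policy change the upgrade calls for: one policy that accepts both the old runner-level subject claim and the new per-definition claim during the upgrade window, one that accepts only the new claim afterwards, and a wildcard variant that shows what is lost if the workspace part of the claim is not pinned. The OIDC host, account ID, audience, meshStack ID, runner ID, workspace and definition UUID are constructed placeholders; `sub_allowed` is a deliberately small model of IAM's `StringEquals`/`StringLike` evaluation, not the real policy engine.

```python
"""Added example (not meshcloud code): model the IAM trust-policy change for the
fine-grained meshStack WIF subject claim and check which tokens it admits.
All hosts, IDs and UUIDs below are constructed placeholders."""
import fnmatch
import json
import re

# Assumed values; replace with your instance's. OIDC_HOST is the hostname your
# IAM OIDC identity provider was registered with, and AUDIENCE the `aud` claim
# your runner tokens carry.
OIDC_HOST = "meshstack.example.com"
OIDC_PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"
AUDIENCE = "sts.amazonaws.com"
MESHSTACK_ID = "prod-meshstack"
RUNNER_ID = "shared-runner-1"
WORKSPACE = "platform-team"
BBD_UUID = "3f2a9c1e-6b4d-4e8f-9a7c-1d2e3f4a5b6c"


def runner_subject(meshstack_id: str, runner_id: str) -> str:
    """Old runner-level subject claim (one per runner, shared by every run on it)."""
    return f"system:serviceaccount:{meshstack_id}:{runner_id}"


def definition_subject(meshstack_id: str, workspace: str, bbd_uuid: str) -> str:
    """New fine-grained subject claim, scoped to one building block definition."""
    return (f"system:serviceaccount:{meshstack_id}:"
            f"workspace.{workspace}.buildingblockdefinition.{bbd_uuid}")


_DEF_SUB = re.compile(
    r"^system:serviceaccount:(?P<meshstack>[^:]+):"
    r"workspace\.(?P<workspace>.+)\.buildingblockdefinition\.(?P<bbd>[0-9a-f-]+)$")


def parse_definition_subject(sub: str):
    """Split a fine-grained subject into (meshstack_id, workspace, bbd_uuid);
    None for anything else, e.g. the old runner-level format. Assumes the
    literal '.buildingblockdefinition.' never occurs inside a workspace id."""
    m = _DEF_SUB.match(sub)
    return (m["meshstack"], m["workspace"], m["bbd"]) if m else None


def trust_policy(subjects, operator: str = "StringEquals") -> dict:
    """Role trust policy allowing AssumeRoleWithWebIdentity for the given
    subject(s). A list value in a condition is an OR, which is how the old and
    new claim can both be accepted during the upgrade window."""
    condition = {"StringEquals": {f"{OIDC_HOST}:aud": AUDIENCE}}
    condition.setdefault(operator, {})[f"{OIDC_HOST}:sub"] = list(subjects)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def sub_allowed(policy: dict, token_claims: dict) -> bool:
    """Minimal model of IAM evaluating StringEquals / StringLike on the aud and
    sub condition keys (StringLike: * and ? wildcards). Any other operator
    fails closed; a missing claim never matches."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        ok = True
        for op, conds in stmt.get("Condition", {}).items():
            for key, wanted in conds.items():
                claim = key.split(":", 1)[1]  # "<host>:sub" -> "sub"
                actual = token_claims.get(claim, "")
                wanted = wanted if isinstance(wanted, list) else [wanted]
                if op == "StringEquals":
                    ok &= actual in wanted
                elif op == "StringLike":
                    ok &= any(fnmatch.fnmatchcase(actual, w) for w in wanted)
                else:
                    ok = False
        if ok:
            return True
    return False


OLD_SUB = runner_subject(MESHSTACK_ID, RUNNER_ID)
NEW_SUB = definition_subject(MESHSTACK_ID, WORKSPACE, BBD_UUID)

# Step 1 of the upgrade: accept both formats so runs keep working across it.
MIGRATION_POLICY = trust_policy([OLD_SUB, NEW_SUB])
# Step 3: after the upgrade, drop the runner-level claim.
FINAL_POLICY = trust_policy([NEW_SUB])
# Anti-pattern: wildcarding the workspace part trusts every workspace on the
# instance, which throws away exactly what the fine-grained claim buys.
WILDCARD_POLICY = trust_policy(
    [f"system:serviceaccount:{MESHSTACK_ID}:workspace.*"], operator="StringLike")


def token(sub: str) -> dict:
    """Constructed claim set standing in for a runner's OIDC token."""
    return {"aud": AUDIENCE, "sub": sub}


if __name__ == "__main__":
    print(json.dumps(MIGRATION_POLICY, indent=2))
    other = definition_subject(MESHSTACK_ID, "some-other-team", BBD_UUID)
    print("final policy, other workspace:", sub_allowed(FINAL_POLICY, token(other)))
    print("wildcard policy, other workspace:", sub_allowed(WILDCARD_POLICY, token(other)))
```

Running the module prints the migration-window trust policy as JSON; the two trailing lines show that the pinned policy rejects a definition owned by a different workspace while the wildcard policy admits it. The `aud` condition is kept in every variant because a trust policy that checks only `sub` would accept a token minted for some other relying party.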
Jelle den Burger
We see huge potential in this feature but do not see this happening this year. There is quite some work needed to add support to this for meshStack. We hope we can deliver on it by Q2 next year.