This allows fetching auth keys, OAuth client secrets, and ID tokens (for
workload identity federation) from AWS Parameter Store by passing an ARN
as the value. This is a relatively low-overhead mechanism for fetching
these values from an external secret store without needing to run a
secret service.
Usage examples:
# Auth key
tailscale up \
--auth-key=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/auth-key
# OAuth client secret
tailscale up \
--client-secret=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/oauth-secret \
--advertise-tags=tag:server
# ID token (for workload identity federation)
tailscale up \
--client-id=my-client \
--id-token=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/id-token \
--advertise-tags=tag:server
Updates tailscale/corp#28792
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
// Copyright (c) Tailscale Inc & contributors
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package tailscale
|
|
|
|
import (
|
|
"context"
|
|
|
|
"tailscale.com/feature"
|
|
)
|
|
|
|
// ResolvePrefixAWSParameterStore is the string prefix for values that can be
|
|
// resolved from AWS Parameter Store.
|
|
const ResolvePrefixAWSParameterStore = "arn:aws:ssm:"
|
|
|
|
// HookResolveValueFromParameterStore resolves to [awsparamstore.ResolveValue] when
|
|
// the corresponding feature tag is enabled in the build process.
|
|
//
|
|
// It fetches a value from AWS Parameter Store given an ARN. If the provided
|
|
// value is not an Parameter Store ARN, it returns the value unchanged.
|
|
var HookResolveValueFromParameterStore feature.Hook[func(ctx context.Context, valueOrARN string) (string, error)]
|
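Review bot: ResolvePrefixAWSParameterStore on the const line only matches ARNs in the standard `aws` partition; an SSM parameter ARN from another partition (`arn:aws-us-gov:ssm:...`, `arn:aws-cn:ssm:...`) would not carry this prefix and, per the hook's own doc comment, would be returned unchanged — meaning the ARN text itself would be submitted as the auth key or client secret and fail only at authentication rather than at resolution. If that scoping is intended, the const's comment should say so, e.g. `// Only the standard "aws" partition is recognized; SSM ARNs from other partitions are passed through unchanged.`; otherwise the matching in the hook's implementation (not in this file) would need to accept the other partition names as well. The hook's doc comment also has a typo: `// value is not a Parameter Store ARN, it returns the value unchanged.`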