I never really paid attention to how AWS4 authorization signatures worked before, but realising they’re basically a limited subset of Macaroons is very neat.
Knowing how the construction works I’m also now very disappointed that basically no software I use lets me pass in “today’s secret key for the S3 service in us-east1” instead of the valid for all time access key secret.
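The construction the post refers to is the SigV4 signing-key derivation: the long-lived secret is run through a chain of HMACs over the date, region and service, and each step narrows what the resulting key can sign. The following is an added example (not code from this thread or from AWS) that derives such a day-scoped key, signs a simplified string-to-sign with it, and shows that a verifier holding the root secret accepts it only for the scope it was derived for. The secret, bucket host and request are constructed sample values; the string-to-sign is a simplified form of the real one.

```python
import hmac
import hashlib

# Constructed sample value; not a real credential.
ROOT_SECRET = "EXAMPLE-long-lived-secret-access-key"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, day: str, region: str, service: str) -> bytes:
    """SigV4 derivation chain. Each HMAC binds one more caveat (date, then
    region, then service), so the final key only authorises that scope.
    This is the value one could hand to a client instead of the root secret."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), day)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def string_to_sign(timestamp: str, scope: str, canonical_request: str) -> str:
    """Simplified SigV4 string-to-sign: algorithm, timestamp, credential scope,
    and the SHA-256 of the canonical request (assumed already canonicalised)."""
    cr_hash = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "AWS4-HMAC-SHA256\n" + timestamp + "\n" + scope + "\n" + cr_hash


def sign(signing_key: bytes, sts: str) -> str:
    return hmac.new(signing_key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def client_sign(signing_key: bytes, day: str, region: str, service: str,
                timestamp: str, canonical_request: str):
    """Client side: holds only a derived key and the scope it believes it is for.
    Returns the scope it claims in the request plus the signature."""
    scope = f"{day}/{region}/{service}/aws4_request"
    return scope, sign(signing_key, string_to_sign(timestamp, scope, canonical_request))


def server_verify(secret: str, scope: str, timestamp: str,
                  canonical_request: str, presented_sig: str) -> bool:
    """Server side: re-derives the signing key from the root secret using the
    scope the request itself claims. A key derived for a different day, region
    or service cannot produce a signature that matches."""
    parts = scope.split("/")
    if len(parts) != 4 or parts[3] != "aws4_request":
        return False
    day, region, service, _ = parts
    expected = sign(derive_signing_key(secret, day, region, service),
                    string_to_sign(timestamp, scope, canonical_request))
    return hmac.compare_digest(expected, presented_sig)


def demo() -> dict:
    """Walk through the scenario from the post: a client holding only
    "today's key for S3 in us-east-1" signs a request; the same key is then
    tried against another region and another day."""
    # Constructed request (what a canonical GET on a bucket roughly looks like).
    canonical_request = ("GET\n/\n\nhost:example-bucket.s3.amazonaws.com\n\n"
                         "host\nUNSIGNED-PAYLOAD")
    timestamp = "20240115T120000Z"
    day_key = derive_signing_key(ROOT_SECRET, "20240115", "us-east-1", "s3")

    scope_ok, sig_ok = client_sign(day_key, "20240115", "us-east-1", "s3",
                                   timestamp, canonical_request)
    scope_region, sig_region = client_sign(day_key, "20240115", "us-west-2", "s3",
                                           timestamp, canonical_request)
    scope_day, sig_day = client_sign(day_key, "20240116", "us-east-1", "s3",
                                     "20240116T120000Z", canonical_request)
    return {
        "in_scope": server_verify(ROOT_SECRET, scope_ok, timestamp,
                                  canonical_request, sig_ok),
        "other_region": server_verify(ROOT_SECRET, scope_region, timestamp,
                                      canonical_request, sig_region),
        "next_day": server_verify(ROOT_SECRET, scope_day, "20240116T120000Z",
                                  canonical_request, sig_day),
    }


if __name__ == "__main__":
    print(demo())
```

The thing to notice is which key is handed out: the root secret can derive every scope, an intermediate like `k_date` can still derive any region and service for that day, and only the final `aws4_request`-terminated key is pinned to one date, region and service. Handing a client that final key is the Macaroon-style "add a caveat, then hand it over" move the post describes; the server never needs to know the client lacked the root secret, because verification always starts from the root and the scope the request claims.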
-
@erincandescent yeah
I think the “preferred” method is to have single-region accounts or have an IAM policy that only grants access to a given region (ideally using a workload identity to avoid long-lived static credentials), but it’d be nice to lock things down at a higher level without needing to rely on SCPs
-
@unlobito even then it’s very neat that if things let me do so I could just mint daily credentials to limit risk.