I never really paid attention to how AWS4 authorization signatures worked before, but realising they’re basically a limited subset of Macaroons is very neat.
Knowing how the construction works I’m also now very disappointed that basically no software I use lets me pass in “today’s secret key for the S3 service in us-east1” instead of the valid for all time access key secret.
=> More information about this toot | More toots from erincandescent@erincandescent.net
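The Macaroon-like structure erincandescent is describing is the SigV4 signing-key chain: the long-lived secret is HMAC-chained through date, region and service, so any intermediate key is a strictly narrower credential. The Python below is an added illustration, not code from the thread or from AWS; it assumes the public SigV4 derivation order (date, region, service, "aws4_request") and shows that a daily, region-scoped key signs exactly the same signature as the root secret while being useless for other dates or regions.

```python
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    """One HMAC-SHA256 link in the SigV4 key chain."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_date_key(secret: str, date: str) -> bytes:
    """kDate: the 'today only' credential. Cannot be reversed to the secret."""
    return _hmac(("AWS4" + secret).encode("utf-8"), date)


def derive_region_key(k_date: bytes, region: str) -> bytes:
    """kRegion: narrows kDate to one region (e.g. 'us-east-1')."""
    return _hmac(k_date, region)


def derive_service_key(k_region: bytes, service: str) -> bytes:
    """kService: narrows kRegion to one service (e.g. 's3')."""
    return _hmac(k_region, service)


def signing_key_from_service_key(k_service: bytes) -> bytes:
    """Final kSigning, terminated with the fixed 'aws4_request' label."""
    return _hmac(k_service, "aws4_request")


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Full chain from the long-lived secret, as SDKs do today."""
    k_service = derive_service_key(derive_region_key(derive_date_key(secret, date), region), service)
    return signing_key_from_service_key(k_service)


def sign(signing_key: bytes, string_to_sign: str) -> str:
    """Hex signature over the canonical StringToSign (constructed input in the test)."""
    return hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_with_scoped_key(k_region: bytes, service: str, string_to_sign: str) -> str:
    """What a client holding only a daily, region-scoped kRegion can do:
    finish the chain for any service in that region and sign."""
    return sign(signing_key_from_service_key(derive_service_key(k_region, service)), string_to_sign)
```

A server that verifies by recomputing from the root secret with the request's own credential scope will accept signatures from the scoped key only for the date and region baked into it.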
@erincandescent yeah :(
I think the “preferred” method is to have single-region accounts or have an IAM policy that only grants access to a given region (ideally using a workload identity to avoid long-lived static credentials), but it’d be nice to lock things down at a higher level without needing to rely on SCPs
=> More information about this toot | More toots from unlobito@woof.tech
@unlobito even then it's very neat that if things let me do so I could just mint daily credentials to limit risk.
=> More information about this toot | More toots from erincandescent@erincandescent.net