use anyhow::{Context as _, Result};

// TODO(joonas): Figure out better naming here
/// Name of the environment variable that carries the audience value expected by
/// the Auth Callout Service (see `WorkloadIdentityConfig::auth_service_audience`).
const AUTH_SERVICE_AUDIENCE_ENV: &str = "WASMCLOUD_WORKLOAD_IDENTITY_AUTH_SERVICE_AUDIENCE";

/// Configuration for the experimental workload-identity feature.
///
/// Only the audience value is carried here; it is what the Auth Callout
/// Service expects to find when the host authenticates with a workload
/// identity.
#[derive(Debug, Clone, Default)]
pub struct WorkloadIdentityConfig {
    /// Audience expected by the Auth Callout Service. Typically a SPIFFE ID
    /// such as "spiffe://wasmcloud.dev/auth-callout".
    pub auth_service_audience: String,
}

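impl WorkloadIdentityConfig {
    /// Fetch workload identity configuration from environment variables.
    ///
    /// The audience is taken verbatim from the variable named by
    /// `AUTH_SERVICE_AUDIENCE_ENV`; no normalisation or SPIFFE ID format
    /// validation happens here, so the value must already be exactly what the
    /// Auth Callout Service expects.
    ///
    /// # Errors
    ///
    /// Returns an error when the variable is unset, is not valid unicode, or is
    /// blank (empty or whitespace only). A blank audience is rejected up front
    /// instead of being handed to the auth callout, where it would only show up
    /// later as an unexplained authentication failure.
    #[cfg(unix)]
    pub fn from_env() -> Result<Self> {
        use std::env::VarError;

        // TODO(joonas): figure out better naming here. maybe this should be interpolated from a trust domain?
        // This needs to follow format like: "spiffe://{spiffe_trust_domain}/{nats_auth_callout_service}"
        let lookup = std::env::var(AUTH_SERVICE_AUDIENCE_ENV);

        // Report a non-unicode value separately so a variable that IS set is not
        // described to the operator as missing.
        if matches!(lookup, Err(VarError::NotUnicode(_))) {
            anyhow::bail!(
                "workload identity auth callout audience environment variable is not valid unicode"
            );
        }

        let auth_service_audience = lookup
            .context("workload identity auth callout audience environment variable is missing")?;

        if auth_service_audience.trim().is_empty() {
            anyhow::bail!("workload identity auth callout audience environment variable is empty");
        }

        Ok(Self {
            auth_service_audience,
        })
    }

    /// Workload identity is not available on Windows; this always returns an error.
    #[cfg(target_family = "windows")]
    pub fn from_env() -> Result<Self> {
        anyhow::bail!("workload identity is not supported on Windows")
    }
}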