
1use anyhow::{Context as _, Result};
2
// TODO(joonas): Figure out better naming here
/// Name of the environment variable that carries the audience string the auth
/// callout service expects; its value is read verbatim into
/// `WorkloadIdentityConfig::auth_service_audience`.
const AUTH_SERVICE_AUDIENCE_ENV: &str = "WASMCLOUD_WORKLOAD_IDENTITY_AUTH_SERVICE_AUDIENCE";
5
/// Configuration for the experimental workload-identity feature.
///
/// Built from the environment by `WorkloadIdentityConfig::from_env`; the
/// `Default` value (an empty audience) exists for callers that construct the
/// struct directly.
#[derive(Debug, Clone, Default)]
pub struct WorkloadIdentityConfig {
    /// Audience value the Auth Callout Service expects to see. Typically a
    /// SPIFFE-style URI such as "spiffe://wasmcloud.dev/auth-callout".
    pub auth_service_audience: String,
}
13
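impl WorkloadIdentityConfig {
    /// Fetch workload identity configuration from environment variables.
    ///
    /// Reads `AUTH_SERVICE_AUDIENCE_ENV` and stores its value, unmodified, as
    /// `auth_service_audience`.
    ///
    /// # Errors
    ///
    /// Returns an error when the variable is unset or not valid Unicode, and
    /// also when it is set but empty or whitespace-only. An empty value is
    /// treated as a misconfiguration rather than silently passed on as the
    /// audience to expect.
    #[cfg(unix)]
    pub fn from_env() -> Result<Self> {
        // TODO(joonas): figure out better naming here. maybe this should be interpolated from a trust domain?
        // This needs to follow format like: "spiffe://{spiffe_trust_domain}/{nats_auth_callout_service}"
        let auth_service_audience = std::env::var(AUTH_SERVICE_AUDIENCE_ENV)
            .context("workload identity auth callout audience environment variable is missing")?;

        // `VAR=` (e.g. a blank entry in a unit file or container spec) yields Ok("")
        // from `env::var`; reject it here so an empty audience never reaches the
        // auth callout as the value to check against.
        if auth_service_audience.trim().is_empty() {
            anyhow::bail!(
                "workload identity auth callout audience environment variable {AUTH_SERVICE_AUDIENCE_ENV} is set but empty"
            );
        }

        Ok(Self {
            auth_service_audience,
        })
    }

    /// Workload identity is not available on Windows; this always returns an error.
    #[cfg(target_family = "windows")]
    pub fn from_env() -> Result<Self> {
        anyhow::bail!("workload identity is not supported on Windows")
    }
}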
32}