Is your feature request related to a problem? Please describe.
I need to make the jwks.json file secure and away from unwanted access. Now I'm creating an encrypted file in the repository that is decrypted at image build time in the CI env, but I want to be able to distribute that image to the developers to re-create a full working environment.
Now I cannot mount the jwks.json as a file, because ECS does not let a secret to be mounted but only specified as env variable.
Fetching jwks file from S3 makes the credentials more secure (I can restrict the access to the worker), I can rotate the keys via cron events, and I can set an encryption key on the file.
Describe the solution you'd like
Using the AWS SDK, the credential fetcher can get the object containing the jwks keys (using the s3://bucket/keys.json format). AWS credentials can be passed through env vars or directly via the authority section of the URL.
Region and endpoint can be passed in the query string. This enables the usage of tools like Minio as an alternative to S3.
Describe alternatives you've considered
I've considered http(s) as an alternative to this problem, but the only security option is basic authentication. Another option is to spin up a sidecar container to proxy the request to the object storage, but I think that an integrated solution could be more efficient.
Additional context
I'm working on a preliminary version of this proposal; if this could be interesting, I could publish the result of my work.
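As an added illustration of the locator format proposed above (not code from the issue author or the project), here is a parser for `s3://[accessKey:secret@]bucket/key?region=..&endpoint=..` that splits the authority into bucket and optional static credentials, reads region and endpoint from the query string, refuses a non-https custom endpoint, and produces a log-safe form of the locator with the secret stripped. The struct and function names are assumptions; the sample URL and credentials in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// S3Source is the parsed form of the proposed s3:// locator. Empty
// AccessKey/Secret means "fall back to the SDK's env-var credential chain".
type S3Source struct {
	Bucket, Key       string
	AccessKey, Secret string // taken from the authority section, if present
	Region, Endpoint  string // taken from the query string, if present
}

// ParseS3URL parses s3://[accessKey:secret@]bucket/path/to/keys.json?region=..&endpoint=..
func ParseS3URL(raw string) (S3Source, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return S3Source{}, err
	}
	if u.Scheme != "s3" {
		return S3Source{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return S3Source{}, errors.New("missing bucket in authority")
	}
	key := strings.TrimPrefix(u.Path, "/")
	if key == "" {
		return S3Source{}, errors.New("missing object key")
	}
	src := S3Source{Bucket: u.Host, Key: key}
	if u.User != nil {
		src.AccessKey = u.User.Username()
		src.Secret, _ = u.User.Password()
	}
	q := u.Query()
	src.Region = q.Get("region")
	src.Endpoint = q.Get("endpoint")
	if src.Endpoint != "" {
		// A plaintext endpoint (e.g. a Minio dev instance) would carry the
		// signed request and the fetched key material in the clear.
		if ep, err := url.Parse(src.Endpoint); err != nil || ep.Scheme != "https" {
			return S3Source{}, fmt.Errorf("endpoint must be an https URL: %q", src.Endpoint)
		}
	}
	return src, nil
}

// Redacted returns the locator with the secret dropped, for logs and error messages.
func Redacted(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return raw
	}
	u.User = url.User(u.User.Username()) // keeps the access key id, drops the secret
	return u.String()
}

func main() {
	// Constructed sample: credentials inline, custom region and Minio endpoint.
	raw := "s3://AKIAEXAMPLE:constructed-secret@jwks-bucket/keys.json?region=eu-west-1&endpoint=https://minio.internal:9000"
	src, err := ParseS3URL(raw)
	fmt.Printf("%+v err=%v\nlog form: %s\n", src, err, Redacted(raw))
}
```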