
Cloud adapter: AWS/GCP/Azure instance-metadata attestation #39

@jeremymanning

Description

adapters/cloud/src/main.rs (143 lines) has a cloud provider enum and CLI scaffold but no cloud SDK integration. Join and Status commands return stubs.

Requirements

  • Verify instance identity via cloud metadata services:
    • AWS: IMDSv2 token → instance identity document → verify signature
    • GCP: metadata server → instance identity token → verify JWT
    • Azure: IMDS → attested data → verify signature
  • Join as first-class donor with cloud-attested identity
  • Report instance capabilities (CPU, GPU, memory, region, AZ)
  • Handle spot/preemptible instance termination notices
  • Support auto-scaling group participation

Success Criteria

  • Identity verified via at least one cloud provider's metadata service
  • Instance joins as attested donor node
  • Capabilities reported accurately from metadata
  • Spot termination notice triggers clean preemption
  • Integration test on at least one real cloud instance

Testing (Principle V)

  • Deploy on real AWS EC2 instance → verify IMDSv2 attestation
  • Deploy on real GCP CE instance → verify metadata attestation
  • Test spot termination handling (AWS spot interruption notice)
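Added example, not code from this repository or from the issue author: a std-only Rust sketch of the AWS leg of the requirements above (IMDSv2 token, identity document plus PKCS#7 signature, spot interruption notice). The endpoint paths and header names are the real IMDS ones; the `Transport` trait, the `FakeImds` stand-in and every value it returns (instance id, AZ, token, the `constructed-pkcs7-blob` string) are constructed so the exchange runs offline. Verifying the PKCS#7 blob against the AWS regional public certificate needs a crypto crate and is deliberately left as a named gap.

```rust
use std::io::{Read, Write};
use std::net::TcpStream;
use std::time::Duration;

/// Transport abstraction so the IMDSv2 exchange can run against the real endpoint or an
/// offline fake. Returns (HTTP status, body).
pub trait Transport {
    fn request(&mut self, method: &str, path: &str, headers: &[(&str, &str)]) -> Result<(u16, String), String>;
}

/// Real transport: plain HTTP/1.0 to the link-local IMDS address. Only meaningful on EC2.
pub struct Imds;

impl Transport for Imds {
    fn request(&mut self, method: &str, path: &str, headers: &[(&str, &str)]) -> Result<(u16, String), String> {
        let mut s = TcpStream::connect(("169.254.169.254", 80)).map_err(|e| e.to_string())?;
        s.set_read_timeout(Some(Duration::from_secs(2))).map_err(|e| e.to_string())?;
        let mut req = format!("{} {} HTTP/1.0\r\nHost: 169.254.169.254\r\n", method, path);
        for (k, v) in headers {
            req.push_str(&format!("{}: {}\r\n", k, v));
        }
        req.push_str("\r\n");
        s.write_all(req.as_bytes()).map_err(|e| e.to_string())?;
        let mut raw = String::new();
        s.read_to_string(&mut raw).map_err(|e| e.to_string())?;
        parse_response(&raw)
    }
}

/// Split a raw HTTP response into (status, body).
pub fn parse_response(raw: &str) -> Result<(u16, String), String> {
    let (head, body) = raw.split_once("\r\n\r\n").ok_or("malformed HTTP response")?;
    let status: u16 = head.split_whitespace().nth(1).and_then(|s| s.parse().ok()).ok_or("missing status line")?;
    Ok((status, body.to_string()))
}

/// IMDSv2 step 1: PUT for a session token (IMDS caps the TTL at 21600 s). If this fails the
/// adapter must not fall back to token-less IMDSv1 GETs; that fallback is what SSRF-style attacks rely on.
pub fn fetch_token<T: Transport>(t: &mut T, ttl_secs: u32) -> Result<String, String> {
    let ttl = ttl_secs.to_string();
    let hdr = [("X-aws-ec2-metadata-token-ttl-seconds", ttl.as_str())];
    let (status, body) = t.request("PUT", "/latest/api/token", &hdr)?;
    if status != 200 {
        return Err(format!("IMDSv2 token request failed: HTTP {}", status));
    }
    Ok(body.trim().to_string())
}

/// IMDSv2 step 2: fetch the identity document and its PKCS#7 signature with the token attached.
/// Checking that signature against the AWS regional public certificate is NOT done here.
pub fn fetch_identity<T: Transport>(t: &mut T, token: &str) -> Result<(String, String), String> {
    let hdr = [("X-aws-ec2-metadata-token", token)];
    let (s1, doc) = t.request("GET", "/latest/dynamic/instance-identity/document", &hdr)?;
    let (s2, pkcs7) = t.request("GET", "/latest/dynamic/instance-identity/pkcs7", &hdr)?;
    if s1 != 200 || s2 != 200 {
        return Err(format!("identity document unavailable: HTTP {}/{}", s1, s2));
    }
    Ok((doc, pkcs7))
}

/// Pull one string-valued field out of the flat identity-document JSON (no JSON crate needed).
pub fn json_field<'a>(doc: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{}\"", key);
    let rest = &doc[doc.find(&needle)? + needle.len()..];
    let rest = rest.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    rest.split('"').next()
}

/// Spot interruption notice: 200 with {"action": ...} when termination is pending, 404 otherwise.
pub fn spot_action<T: Transport>(t: &mut T, token: &str) -> Result<Option<String>, String> {
    let hdr = [("X-aws-ec2-metadata-token", token)];
    let (status, body) = t.request("GET", "/latest/meta-data/spot/instance-action", &hdr)?;
    match status {
        404 => Ok(None),
        200 => Ok(json_field(&body, "action").map(str::to_string)),
        s => Err(format!("spot notice query failed: HTTP {}", s)),
    }
}

/// Constructed stand-in for 169.254.169.254 that enforces the same token rules, so the exchange runs offline.
pub struct FakeImds {
    pub spot_pending: bool,
}

impl Transport for FakeImds {
    fn request(&mut self, method: &str, path: &str, headers: &[(&str, &str)]) -> Result<(u16, String), String> {
        let ttl_ok = headers.iter().any(|(k, v)| {
            *k == "X-aws-ec2-metadata-token-ttl-seconds" && v.parse::<u32>().map_or(false, |n| (1..=21600).contains(&n))
        });
        let has_token = headers.iter().any(|(k, v)| *k == "X-aws-ec2-metadata-token" && *v == "tok-123");
        Ok(match (method, path) {
            ("PUT", "/latest/api/token") if ttl_ok => (200, "tok-123".to_string()),
            ("PUT", "/latest/api/token") => (400, String::new()),
            _ if !has_token => (401, String::new()), // IMDSv2-only instance: no token, no data
            ("GET", "/latest/dynamic/instance-identity/document") => (200, r#"{ "instanceId" : "i-0123456789abcdef0", "region" : "us-east-1", "availabilityZone" : "us-east-1a", "instanceType" : "g4dn.xlarge", "architecture" : "x86_64" }"#.to_string()),
            ("GET", "/latest/dynamic/instance-identity/pkcs7") => (200, "constructed-pkcs7-blob".to_string()),
            ("GET", "/latest/meta-data/spot/instance-action") if self.spot_pending => (200, r#"{"action": "terminate", "time": "2017-09-18T08:22:00Z"}"#.to_string()),
            _ => (404, String::new()),
        })
    }
}

fn main() {
    let mut imds = FakeImds { spot_pending: true }; // use `Imds` on a real EC2 instance
    let token = fetch_token(&mut imds, 21600).expect("IMDSv2 token");
    let (doc, pkcs7) = fetch_identity(&mut imds, &token).expect("identity document");
    println!("instance {} ({}) in {}", json_field(&doc, "instanceId").unwrap_or("?"), json_field(&doc, "instanceType").unwrap_or("?"), json_field(&doc, "availabilityZone").unwrap_or("?"));
    println!("pkcs7 signature: {} bytes (verify before trusting the document)", pkcs7.len());
    println!("spot notice: {:?}", spot_action(&mut imds, &token));
}
```

The token-gated GETs in `FakeImds` mirror an instance configured with IMDSv2 required: a client that forgets the `X-aws-ec2-metadata-token` header gets a 401 rather than silently degrading to IMDSv1. The adapter's Join path should treat any non-200 on the token PUT as "no attestable identity", and the capabilities report (instance type, region, AZ) should come from the signed document only after the PKCS#7 check passes.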

Metadata

Assignees

No one assigned

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests