
How to grant AWS roles to OpenStack workloads?

Çağlar Arlı


I want to grant processes running on OpenStack infrastructure some access to AWS resources. (I also want to avoid manually rotating keys, and minimise the impact if credentials leak from these instances.)

Is there any secure way to associate AWS IAM roles with OpenStack compute instances (i.e., without passing long-lived IAM user access keys to the instance), similar to AWS EC2 instance identities?

For example, is there some OAuth/OIDC identity provider included in OpenStack (perhaps providing tokens via an IMDS secured by the hypervisor) to which AWS STS could delegate in order to identify which OpenStack instance a process is running on (like how IRSA had STS delegate to any Kubernetes cluster control plane to distribute tokens that verify the association between pods and service accounts, without long-running AWS SDK based processes in those pods getting access to anything except temporary credentials)?
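The IRSA-style flow the question refers to, as an added example that is not part of the original post: an IAM role whose trust policy is pinned to one OIDC issuer, audience and subject, and the `AssumeRoleWithWebIdentity` exchange that turns a workload's OIDC token into short-lived credentials. The issuer host `oidc.openstack.example.test`, the subject format and the account id are placeholders; no such OpenStack-side issuer is assumed to exist.

```python
"""IRSA-style federation: pin the role's trust policy to one issuer, audience and
subject, then exchange the workload's OIDC token for short-lived STS credentials."""
import json

# Placeholder values: the account, an assumed OpenStack-side OIDC issuer host,
# and the subject claim such an issuer would put in an instance's token.
ACCOUNT_ID = "123456789012"
ISSUER_HOST = "oidc.openstack.example.test"           # hypothetical issuer
AUDIENCE = "sts.amazonaws.com"
SUBJECT = "openstack:project:demo:instance:web-01"    # constructed subject format


def build_trust_policy(account_id: str, issuer_host: str, audience: str, subject: str) -> dict:
    """Trust policy for the role. Without the aud/sub conditions any token the issuer
    signs could assume the role; pinning both restricts it to one workload identity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer_host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer_host}:aud": audience,
                f"{issuer_host}:sub": subject,
            }},
        }],
    }


def token_matches_policy(claims: dict, policy: dict, issuer_host: str) -> bool:
    """Local mirror of the StringEquals conditions STS evaluates on the token's claims
    (signature and expiry checks are STS's job, not reproduced here)."""
    cond = policy["Statement"][0]["Condition"]["StringEquals"]
    aud = claims.get("aud")
    aud_ok = cond[f"{issuer_host}:aud"] in aud if isinstance(aud, list) else aud == cond[f"{issuer_host}:aud"]
    return aud_ok and claims.get("sub") == cond[f"{issuer_host}:sub"]


def assume_role(role_arn: str, web_identity_token: str, session_name: str, duration: int = 900) -> dict:
    """Exchange the workload's OIDC token for temporary credentials (needs network and boto3)."""
    import boto3  # imported here so the policy helpers run without boto3 installed
    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name,
        WebIdentityToken=web_identity_token, DurationSeconds=duration)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_ID, ISSUER_HOST, AUDIENCE, SUBJECT), indent=2))
```

The workload only ever holds the short-lived STS credentials, so a leak from the instance is bounded by `DurationSeconds` and by whatever permissions the role itself carries.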