
Cloud Integrations

This page provides details on the cloud integrations supported by Connect.

To enable the control plane to manage trust bundles in AWS, you must create an S3 bucket, an OIDC provider that trusts the SPIFFE ID of the control plane API, and an IAM role that can be assumed through this OIDC provider with the permissions required to manage objects in the bucket.

The snippet below demonstrates setting up the S3 bucket, OIDC provider and IAM role using Terraform.

resource "aws_s3_bucket" "trust_bundle_public_storage" {
  bucket_prefix = "example-trust-bundle-storage-"
}

data "tls_certificate" "connect_oidc" {
  url = "https://oidc-discovery.example.cofide.dev/keys"
}

resource "aws_iam_openid_connect_provider" "connect" {
  url            = "https://oidc-discovery.example.cofide.dev"
  client_id_list = ["aws"] // audience
  thumbprint_list = [
    data.tls_certificate.connect_oidc.certificates[0].sha1_fingerprint
  ]
}

data "aws_iam_policy_document" "oidc_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type = "Federated"
      // Reference the provider created above instead of hard-coding its ARN
      identifiers = [aws_iam_openid_connect_provider.connect.arn]
    }
    // Both conditions must hold: the token audience and the exact SPIFFE ID of the control plane API
    condition {
      test     = "StringEquals"
      variable = "oidc-discovery.example.cofide.dev:aud"
      values   = ["aws"]
    }
    condition {
      test     = "StringEquals"
      variable = "oidc-discovery.example.cofide.dev:sub"
      values   = ["spiffe://connect-trust-domain/ns/connect/sa/cofide-connect-api"]
    }
  }
}

resource "aws_iam_role" "connect" {
  name               = "connect"
  assume_role_policy = data.aws_iam_policy_document.oidc_assume_role_policy.json
}

data "aws_iam_policy_document" "connect" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.trust_bundle_public_storage.arn]
  }
  statement {
    actions   = ["s3:DeleteObject", "s3:Get*", "s3:Put*"]
    resources = ["${aws_s3_bucket.trust_bundle_public_storage.arn}/*"]
  }
}

resource "aws_iam_role_policy" "connect" {
  role   = aws_iam_role.connect.name
  policy = data.aws_iam_policy_document.connect.json
}

To enable the control plane to manage trust bundles in GCP, you must create a GCS bucket and a workload identity pool with a provider that trusts the SPIFFE ID of the control plane API, and grant this identity access to manage objects in the bucket.

The snippet below demonstrates setting up the GCS bucket, workload identity pool and workload identity provider with the required permissions.

resource "google_storage_bucket" "bucket" {
  name     = "example-trust-bundle-storage"
  location = "US" // required argument; pick the location appropriate for your deployment
}

resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "example"
  display_name              = "Example"
}

resource "google_iam_workload_identity_pool_provider" "multiple_providers" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-connect"
  display_name                       = "Example Connect"
  attribute_mapping = {
    // The "sub" claim of the JWT-SVID (the SPIFFE ID) becomes the principal's subject
    "google.subject" = "assertion.sub"
  }
  oidc {
    issuer_uri        = "https://oidc-discovery.example.cofide.dev"
    allowed_audiences = ["connect"] // must be a list of strings
  }
}

resource "google_storage_bucket_iam_member" "bucket_access" {
  bucket = google_storage_bucket.bucket.name
  role   = "roles/storage.objectAdmin"
  // Workload identity principals are addressed by the pool's full resource name
  // (projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>)
  member = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.pool.name}/subject/spiffe://example.cofide.dev/ns/connect/sa/cofide-connect-api"
}

Connect uses a Postgres database for persistent storage. It can be configured with a SQL connection string and the remote SPIFFE ID of the SQL server for mutual TLS. Cloud providers generally don't support mTLS with their managed database offerings, so IAM authentication is used instead. In this flow the SPIFFE ID of Connect is exchanged for temporary IAM credentials to access the databases within a managed CloudSQL instance.

The snippet below demonstrates setting up a service account with access to CloudSQL and granting the workload identity principal from the GCS setup the permissions required to obtain credentials for it.

resource "google_service_account" "sa" {
  account_id = "connect-cloudsql-access"
}

resource "google_project_iam_member" "cloudsql_client" {
  project = var.project // required argument
  role    = "roles/cloudsql.client"
  member  = google_service_account.sa.member
}

resource "google_project_iam_member" "cloudsql_instance_user" {
  project = var.project
  role    = "roles/cloudsql.instanceUser"
  member  = google_service_account.sa.member
}

// Allow the Connect API's workload identity principal to act as the service account
resource "google_service_account_iam_binding" "workload_identity_user" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "principal://iam.googleapis.com/${google_iam_workload_identity_pool.pool.name}/subject/spiffe://example.cofide.dev/ns/connect/sa/cofide-connect-api"
  ]
}

resource "google_service_account_iam_binding" "service_account_token_creator" {
  service_account_id = google_service_account.sa.name // the same service account as above
  role               = "roles/iam.serviceAccountTokenCreator"
  members = [
    "principal://iam.googleapis.com/${google_iam_workload_identity_pool.pool.name}/subject/spiffe://example.cofide.dev/ns/connect/sa/cofide-connect-api"
  ]
}
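As an added illustration (not Connect's code and not part of the Terraform on this page), the following Python models the trust decision each cloud makes on a JWT-SVID issued for the Connect API: the AWS trust policy's StringEquals conditions on aud and sub, and the GCP provider's attribute_mapping followed by matching the resulting principal:// member against the bucket binding. The token claims, the pool resource name and the project number are constructed placeholders.

```python
from typing import Optional

# Constructed example values (not a real token or project); signature verification is omitted.
ISSUER = "https://oidc-discovery.example.cofide.dev"
CONNECT_API_SUB = "spiffe://example.cofide.dev/ns/connect/sa/cofide-connect-api"
# What google_iam_workload_identity_pool.pool.name resolves to (project number is a placeholder).
POOL_NAME = "projects/000000000000/locations/global/workloadIdentityPools/example"
ATTRIBUTE_MAPPING = {"google.subject": "assertion.sub"}


def token_claims(sub: str, aud: str) -> dict:
    """Claims of a JWT-SVID from the OIDC discovery provider; aud is 'aws' or 'connect'."""
    return {"iss": ISSUER, "sub": sub, "aud": [aud]}


def _audiences(claims: dict) -> list:
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def aws_assume_role_allowed(claims: dict) -> bool:
    """Mirror the trust policy: StringEquals on '<issuer-host>:aud' and '<issuer-host>:sub'."""
    if claims.get("iss") != ISSUER or "aws" not in _audiences(claims):
        return False
    # Exact match: a sibling workload in the same trust domain must not satisfy ':sub'.
    return claims.get("sub") == CONNECT_API_SUB


def gcp_member_for(claims: dict) -> Optional[str]:
    """Apply the pool provider's attribute_mapping and build the IAM member string GCP matches."""
    if claims.get("iss") != ISSUER or "connect" not in _audiences(claims):
        return None
    expr = ATTRIBUTE_MAPPING["google.subject"]  # only the 'assertion.<claim>' form is handled
    if not expr.startswith("assertion."):
        return None
    subject = claims.get(expr[len("assertion."):])
    if subject is None:
        return None
    return f"principal://iam.googleapis.com/{POOL_NAME}/subject/{subject}"


# The member string granted by the google_storage_bucket_iam_member binding on this page.
BINDING_MEMBERS = {f"principal://iam.googleapis.com/{POOL_NAME}/subject/{CONNECT_API_SUB}"}


def gcs_access_allowed(claims: dict) -> bool:
    """True only when the mapped principal appears in the bucket binding."""
    member = gcp_member_for(claims)
    return member is not None and member in BINDING_MEMBERS
```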