cmd/tailscale/cli: allow fetching keys from AWS Parameter Store

This allows fetching auth keys, OAuth client secrets, and ID tokens (for workload identity federation) from AWS Parameter Store by passing an ARN as the value. This is a relatively low-overhead mechanism for fetching these values from an external secret store without needing to run a secret service. Usage examples: # Auth key tailscale up \ --auth-key=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/auth-key # OAuth client secret tailscale up \ --client-secret=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/oauth-secret \ --advertise-tags=tag:server # ID token (for workload identity federation) tailscale up \ --client-id=my-client \ --id-token=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/id-token \ --advertise-tags=tag:server Updates tailscale/corp#28792 Signed-off-by: Andrew Dunham <andrew@tailscale.com>
2026-01-14 02:29:06 -05:00
parent 65d6793204
commit bcceef3682
9 changed files with 327 additions and 12 deletions
@@ -73,6 +73,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/feature/buildfeatures                          from tailscale.com/ipn/ipnlocal+
        tailscale.com/feature/condlite/expvar                        from tailscale.com/wgengine/magicsock
        tailscale.com/feature/condregister                           from tailscale.com/cmd/tailscaled
+        tailscale.com/feature/condregister/awsparamstore             from tailscale.com/cmd/tailscale/cli
        tailscale.com/feature/condregister/identityfederation        from tailscale.com/cmd/tailscale/cli
        tailscale.com/feature/condregister/oauthkey                  from tailscale.com/cmd/tailscale/cli
        tailscale.com/feature/condregister/portmapper                from tailscale.com/feature/condregister+