Skip to content

docs(mesh): AWS IAM workload validation ECS #3593

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

docs(mesh): AWS IAM workload validation ECS #3593

wants to merge 5 commits into from

Conversation

@Automaat
Copy link

@Automaat Automaat commented Dec 1, 2025
edited
Loading

Motivation

EC2 instances use IAM roles to issue DPP tokens. Kong Mesh 2.13.x enforces workload label validation for consistency and security when MeshIdentity with workload label is configured.

Implementation information

Updated ECS documentation to reflect new AWS IAM workload label validation:

  • Added workload identity section explaining when validation applies
  • Documented IAM role tag requirements for kuma.io/workload
  • Provided examples for Kubernetes and Universal/ECS dataplane configuration
  • Clarified backward compatibility - only enforced when MeshIdentity uses workload label

Supporting documentation

Based on Kong/kong-mesh#8757

Fix: #3399

@Automaat
docs(mesh): AWS IAM workload label validation ECS
2226ddc 
Add docs for workload label validation in Kong Mesh 2.13.x when
MeshIdentity uses kuma.io/workload in SPIFFE ID path. IAM roles
need matching workload tag, dataplanes need workload in metadata
labels (not inbound tags). Backward compatible - only enforced
when MeshIdentity with workload label exists.

Based on Kong/kong-mesh 8757

Signed-off-by: Marcin Skalski <[email protected]>
@Automaat Automaat requested a review from a team as a code owner December 1, 2025 12:38
@netlify
Copy link

netlify bot commented Dec 1, 2025
edited
Loading

Deploy Preview for kongdeveloper ready!

Name Link
🔨 Latest commit 4db81f7
🔍 Latest deploy log https://app.netlify.com/projects/kongdeveloper/deploys/692db35ee80ead00084c90ef
😎 Deploy Preview https://deploy-preview-3593--kongdeveloper.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@Automaat
fix(mesh): use modern admonition syntax
102f93d 
Replace legacy {:.note} with {:.info} per Vale linting rules

Signed-off-by: Marcin Skalski <[email protected]>
@Automaat
fix(mesh): escape liquid template syntax in ecs.md
61bcfa6 
Wrap label workload example in raw tags to prevent Jekyll
parsing error

Signed-off-by: Marcin Skalski <[email protected]>
@Automaat
fix(mesh): correct MeshIdentity link paths
fb691e4 
Update to /mesh/policies/meshidentity/

Signed-off-by: Marcin Skalski <[email protected]>
@Automaat Automaat force-pushed the docs/mesh-ecs-workload-validation branch from d8d61c2 to fb691e4 Compare December 1, 2025 14:12
@Automaat
fix(mesh): rm broken MeshIdentity links
4db81f7 
doc page does not exist, causes 404s

Signed-off-by: Marcin Skalski <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Update EC2/ECS docs with workload tag requirements for Kong Mesh

2 participants

@Automaat