
Expose AWS account ID as a selector in aws_iid node attestor #6698

@anhpatel

Description

I'm doing cross-account node attestation and realized there's no way to scope registration entries by AWS account using selectors. The account ID is already in the Instance Identity Document and used for the agent SPIFFE ID path, but it's not exposed as a selector like region, az, etc. are.

Having aws_iid:account_id: as a selector would make it much easier to write account-scoped policies in multi-account setups, and would also be useful for workload isolation in multi-tenant environments.

Right now the workaround is to rely on tags or agent path template patterns, which feels unnecessarily indirect for something that's always present in the IID.
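As an added illustration (not code from the issue author or from SPIRE itself), the Go program below shows the matching rule the request relies on: it parses a constructed Instance Identity Document, derives the selectors the plugin already emits (`instance_id`, `region`, `az`) plus the proposed `aws_iid:account_id:` selector, builds the agent SPIFFE ID under what is assumed here to be the default `aws_iid` path template (`/aws_iid/<account>/<region>/<instance>`), and checks whether an account-scoped node alias entry would apply to the node. The proposed selector, the IID values and the trust domain `example.org` are all assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample document: the IID fields the aws_iid attestor reads.
// Every value here is made up for the example.
const sampleIID = `{
  "accountId": "123456789012",
  "region": "us-east-1",
  "availabilityZone": "us-east-1a",
  "instanceId": "i-0abc123def4567890"
}`

// IID holds the subset of EC2 Instance Identity Document fields used below.
type IID struct {
	AccountID        string `json:"accountId"`
	Region           string `json:"region"`
	AvailabilityZone string `json:"availabilityZone"`
	InstanceID       string `json:"instanceId"`
}

// Selectors derives aws_iid node selectors from a document. instance_id,
// region and az are selectors the plugin already emits; account_id is the
// selector this issue proposes and is hypothetical here.
func Selectors(raw string) ([]string, error) {
	var d IID
	if err := json.Unmarshal([]byte(raw), &d); err != nil {
		return nil, fmt.Errorf("parse IID: %w", err)
	}
	sel := []string{
		"aws_iid:instance_id:" + d.InstanceID,
		"aws_iid:region:" + d.Region,
		"aws_iid:az:" + d.AvailabilityZone,
		"aws_iid:account_id:" + d.AccountID, // proposed; not in SPIRE today
	}
	sort.Strings(sel)
	return sel, nil
}

// DefaultAgentID builds the agent SPIFFE ID the way the plugin's default
// agent path template is assumed to (/aws_iid/<account>/<region>/<instance>).
// This is why the account ID is reachable today only via parent-ID patterns.
func DefaultAgentID(trustDomain, raw string) (string, error) {
	var d IID
	if err := json.Unmarshal([]byte(raw), &d); err != nil {
		return "", fmt.Errorf("parse IID: %w", err)
	}
	return fmt.Sprintf("spiffe://%s/spire/agent/aws_iid/%s/%s/%s",
		trustDomain, d.AccountID, d.Region, d.InstanceID), nil
}

// Matches applies the node-alias rule: an alias entry applies to an agent
// only if every selector on the entry is in the agent's node selector set.
func Matches(entrySelectors, nodeSelectors []string) bool {
	have := make(map[string]struct{}, len(nodeSelectors))
	for _, s := range nodeSelectors {
		have[s] = struct{}{}
	}
	for _, s := range entrySelectors {
		if _, ok := have[s]; !ok {
			return false
		}
	}
	return true
}

func main() {
	node, err := Selectors(sampleIID)
	if err != nil {
		panic(err)
	}
	id, _ := DefaultAgentID("example.org", sampleIID)
	fmt.Println("agent ID:", id)
	fmt.Println("node selectors:", node)

	// Selectors an account-scoped alias entry would carry, e.g.
	//   spire-server entry create -node -spiffeID spiffe://example.org/prod-account \
	//     -selector aws_iid:account_id:123456789012
	prodAccount := []string{"aws_iid:account_id:123456789012", "aws_iid:region:us-east-1"}
	otherAccount := []string{"aws_iid:account_id:999999999999"}
	fmt.Println("prod alias matches:", Matches(prodAccount, node))   // true
	fmt.Println("other alias matches:", Matches(otherAccount, node)) // false
}
```

The point of the example is the last two checks: with an `account_id` selector, an alias entry scoped to one account applies only to agents whose IID carries that account, without relying on instance tags or on parsing the account out of the agent ID path.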

Labels: priority/backlog (Issue is approved and in the backlog)