Cloud Worker Token Activation Protocol

Storing credentials in cloud "user-data" risks exposure to untrusted code running on the instance.

https://salsa.debian.org/freexian-team/debusine/-/merge_requests/1682?diff_id=452568&start_sha=fea2bfa57b563be411f3dcfe3e80f43f3c1c9d68#note_592078

Typically in clouds, user-data is provided to the instance on an internal IP, visible only to the instance, e.g. http://169.254.169.254/latest/user-data

In !1682 (merged), we provide cloud workers with a pre-enabled worker token using user-data. The metadata endpoint is firewalled off, but we can do better than this.

Our plan is to have an activation key, provided in user-data, that can be used to immediately activate a single worker key, when the worker starts up.

Edited Mar 10, 2025 by Stefano Rivera

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information