Description
Current issue
Organizations using SPIRE with the aws_kms KeyManager plugin for key management currently have no way to apply tags to the keys created. This limitation creates challenges for organizations in several key areas: cost allocation and tracking, resource organization and management, compliance and governance requirements.
Proposed solution
Add support for user-defined tags in the plugin configuration, with built-in validation against AWS KMS tagging constraints so that misconfigured tags are caught early. The solution prioritizes backward compatibility by making this configuration optional: existing deployments are unaffected, while new users can opt in to tagging as needed.
Validation of tags would occur at configuration time, following a "fail-fast" approach.
As we would like Kubernetes-based deployments to benefit from this feature, we plan to extend the SPIRE Helm charts accordingly once the feature has been merged into SPIRE itself (this repository).
Implementation overview
Configuration schema
Add a `key_tags` map to the plugin configuration:

```hcl
KeyManager "aws_kms" {
    plugin_data {
        region = "us-east-1"
        key_identifier_file = "/path/to/file"
        key_tags = {
            Environment = "production"
            Team = "[email protected]"
        }
    }
}
```

Validation rules
Tags are validated during plugin configuration (fail-fast approach). The following checks would be performed, fully aligned with the restrictions AWS imposes on KMS tags:

- Tag keys: 1-128 characters, cannot start with `aws:` (case-insensitive), valid characters only
- Tag values: 0-256 characters, valid characters only
- Total limit: maximum 50 tags

Valid characters include Unicode letters, numbers, spaces, and `+ - = . _ : / @`.
Changes: core
- `aws_kms` KeyManager plugin (`pkg/server/plugin/keymanager/awskms/awskms.go`)
  - Configuration layer
    - Add support for accepting key-value tag pairs in the plugin configuration
    - Parse tags during plugin initialization
    - Validate tags against AWS KMS constraints (see above)
  - Runtime behavior
    - Pre-process and store tags during plugin configuration
    - Include the configured tags when creating new KMS keys
- Documentation (`doc/plugin_server_keymanager_aws_kms.md`)
  - Document the new tagging capability
  - Recall AWS-specific tagging constraints and limits
  - Provide at least one short example showing how to specify tags
  - Update the list of required IAM permissions to include `kms:TagResource` (if tags are used)
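The validation rules above and the "pre-process and store tags during plugin configuration, include them when creating keys" runtime behavior, worked through as a stand-alone Go file. This is an added example, not SPIRE's code and not part of this proposal: the function names (`ValidateKeyTags`, `PrepareKeyTags`), the `KeyTag` type and the sample tag values are assumptions. Lengths are counted in characters rather than bytes so that multi-byte Unicode letters are measured the way the limits intend, and the reserved `aws:` prefix is checked case-insensitively before any KMS call is made.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// Limits taken from the validation rules in this issue (AWS KMS tagging constraints).
const (
	maxTagCount    = 50
	maxTagKeyLen   = 128
	maxTagValueLen = 256
	reservedPrefix = "aws:" // compared case-insensitively
)

// isAllowedTagRune reports whether r is a character AWS accepts in a KMS tag
// key or value: Unicode letters, digits, spaces, and + - = . _ : / @.
func isAllowedTagRune(r rune) bool {
	return unicode.IsLetter(r) || unicode.IsDigit(r) || r == ' ' ||
		strings.ContainsRune("+-=._:/@", r)
}

// checkTagText validates the length (counted in characters, not bytes) and
// the character set of one tag key or value. what only labels the error.
func checkTagText(what, s string, minLen, maxLen int) error {
	n := 0
	for _, r := range s {
		n++
		if !isAllowedTagRune(r) {
			return fmt.Errorf("%s %q contains disallowed character %q", what, s, r)
		}
	}
	if n < minLen || n > maxLen {
		return fmt.Errorf("%s %q must be %d-%d characters long, got %d", what, s, minLen, maxLen, n)
	}
	return nil
}

// ValidateKeyTags applies the fail-fast checks to a key_tags map and returns
// the first violation found, or nil when every tag is acceptable.
func ValidateKeyTags(tags map[string]string) error {
	if len(tags) > maxTagCount {
		return fmt.Errorf("key_tags has %d entries, maximum is %d", len(tags), maxTagCount)
	}
	for k, v := range tags {
		if strings.HasPrefix(strings.ToLower(k), reservedPrefix) {
			return fmt.Errorf("tag key %q uses the reserved %q prefix", k, reservedPrefix)
		}
		if err := checkTagText("tag key", k, 1, maxTagKeyLen); err != nil {
			return err
		}
		if err := checkTagText("tag value", v, 0, maxTagValueLen); err != nil {
			return err
		}
	}
	return nil
}

// KeyTag is a plain key/value pair (hypothetical type); converting it to the
// AWS SDK's own tag type for the CreateKey request is left to the caller.
type KeyTag struct {
	Key   string
	Value string
}

// PrepareKeyTags validates the configured tags once, at configuration time,
// and returns them sorted by key so the CreateKey request built from them is
// deterministic and easy to compare in logs and tests.
func PrepareKeyTags(tags map[string]string) ([]KeyTag, error) {
	if err := ValidateKeyTags(tags); err != nil {
		return nil, err
	}
	out := make([]KeyTag, 0, len(tags))
	for k, v := range tags {
		out = append(out, KeyTag{Key: k, Value: v})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out, nil
}

func main() {
	// Constructed sample configuration (values chosen within the allowed character set).
	cfg := map[string]string{"Environment": "production", "Team": "platform@example.com"}
	tags, err := PrepareKeyTags(cfg)
	fmt.Println(tags, err)

	// A reserved-prefix key is rejected at configuration time, before any KMS call.
	_, err = PrepareKeyTags(map[string]string{"AWS:CreatedBy": "spire"})
	fmt.Println(err)
}
```

Because `PrepareKeyTags` runs during configuration, a bad tag surfaces as a plugin configuration error rather than as a failed `CreateKey` call at the moment the server first needs a signing key.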
Changes: Helm chart
- Values configuration (`values.yaml`)
  - Add a configuration option to specify KMS key tags through Helm values
  - Include documentation explaining the feature and its usage
- Configuration templating (`configmap.yaml`)
  - Add templating logic to generate the configuration SPIRE expects when tags are specified