Attestation Storage Configuration

Develocity Provenance Governor requires at least one attestation storage backend to publish attestations. You can configure:

  • Amazon S3 — Store attestations in S3 buckets

  • Artifactory — Store attestations in Artifactory’s evidence store

You may configure both storage backends to publish attestations to multiple locations simultaneously.

S3 Configuration

To configure access to an Amazon S3 bucket for storing or reading attestations, configure the following application properties:

s3.instances.<instance-name>.region=us-east-1 (1)
s3.instances.<instance-name>.bucket-name=dpg-bucket-01 (2)
1 The AWS region where the bucket is located.
2 The name of the S3 bucket.

S3 Authentication

Authentication can use static credentials, an assumed IAM role, or the credentials supplied by the runtime environment. The application tries these sources in the following order:

  1. IAM Role Assumption: Used if role-arn is configured.

  2. Static Credentials: Used if access-key-id and secret-access-key are configured.

  3. Container Credentials: (Default) Uses the environment’s credentials provider chain (e.g., IRSA in EKS, EC2 instance profile).

Static Credentials:

s3.instances.<instance-name>.access-key-id=AKIA...
s3.instances.<instance-name>.secret-access-key=...

IAM Role Assumption:

s3.instances.<instance-name>.role-arn=arn:aws:iam::123456789012:role/MyRole
s3.instances.<instance-name>.role-session-name=provenance-governor
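
The precedence above is easy to get wrong when a properties file accumulates settings from several sources. The following is an added example (written for this page, not code from Develocity Provenance Governor) that groups s3.instances.<instance-name>.* properties per instance, reports which credential source the documented order would select, flags the required region and bucket-name keys when they are missing, and points out static keys that a role-arn shadows; the minimal .properties parser and the sample input are constructed for the example.

```python
REQUIRED = ("region", "bucket-name")

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def s3_instances(props):
    """Group s3.instances.<name>.<property> keys by instance name."""
    instances = {}
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) >= 4 and parts[:2] == ["s3", "instances"]:
            instances.setdefault(parts[2], {})[".".join(parts[3:])] = value
    return instances

def auth_mode(inst):
    """Documented precedence: role-arn, then static keys, then the container chain."""
    if inst.get("role-arn"):
        return "iam-role-assumption"
    if inst.get("access-key-id") and inst.get("secret-access-key"):
        return "static-credentials"
    return "container-credentials"

def check_s3_config(text):
    report = {}
    for name, inst in s3_instances(parse_properties(text)).items():
        mode = auth_mode(inst)
        # static keys next to a role-arn are never used; flag them for cleanup
        shadowed = ["access-key-id"] if mode == "iam-role-assumption" and inst.get("access-key-id") else []
        report[name] = {"auth": mode,
                        "missing": [k for k in REQUIRED if not inst.get(k)],
                        "shadowed": shadowed}
    return report

# Constructed sample input, not from a real deployment
SAMPLE = """\
s3.instances.prod.region=us-east-1
s3.instances.prod.bucket-name=dpg-bucket-01
s3.instances.prod.role-arn=arn:aws:iam::123456789012:role/MyRole
s3.instances.prod.access-key-id=AKIAEXAMPLE
s3.instances.prod.secret-access-key=example-secret
s3.instances.dev.bucket-name=dpg-dev-bucket
"""
```

Running check_s3_config(SAMPLE) reports the prod instance as using role assumption with an unused access key, and the dev instance as falling through to the container credential chain with region missing.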

AWS IAM Permissions

The IAM Role used by the application must have the following permissions on the target S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}

  • s3:PutObject: Required for publishing attestations.

  • s3:GetObject: Required for reading attestations (Fetch by ID, Policy Evaluation).

  • s3:ListBucket: Required for discovering attestations during Policy Evaluation.
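
A common mistake with this policy is listing only the bucket ARN, which satisfies s3:ListBucket but silently leaves s3:GetObject and s3:PutObject ungranted because those act on object ARNs. The following is an added example (written for this page, not part of Develocity Provenance Governor) that checks an IAM policy document for the three required actions on the correct resource level; it evaluates Allow statements with Action and Resource only, so Deny statements, Condition blocks, NotAction/NotResource, bucket policies and SCPs are outside what it can tell you. The sample policy is constructed.

```python
import fnmatch
import json

# Required actions from the documented policy, and whether each must be granted
# on the bucket ARN or on object ARNs beneath it
REQUIRED_ACTIONS = {
    "s3:PutObject": "object",   # publishing attestations
    "s3:GetObject": "object",   # fetch by ID, policy evaluation
    "s3:ListBucket": "bucket",  # discovering attestations during policy evaluation
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_permissions(policy, bucket_name):
    """Return the required actions no Allow statement grants on the right resource."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    # a representative object key; any key under the bucket would do
    targets = {"bucket": bucket_arn, "object": f"{bucket_arn}/some/attestation.json"}
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action, kind in REQUIRED_ACTIONS.items():
            # IAM '*' and '?' wildcards in Action/Resource behave like fnmatch patterns
            if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                    and any(fnmatch.fnmatchcase(targets[kind], r) for r in resources)):
                granted.add(action)
    return sorted(set(REQUIRED_ACTIONS) - granted)

def check_policy_document(policy_json, bucket_name):
    return missing_permissions(json.loads(policy_json), bucket_name)

# Constructed sample: the documented policy with the object-level ARN left out
INCOMPLETE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::dpg-bucket-01"]
  }]
}"""
```

check_policy_document(INCOMPLETE_POLICY, "dpg-bucket-01") returns the two object-level actions as missing, while the policy as documented above (both ARNs) returns an empty list.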

Associate Service Account Role (EKS)

When running on Amazon EKS, you can associate an IAM role with a Kubernetes Service Account using IRSA (IAM Roles for Service Accounts).

To enable this, the Service Account used by the Develocity Provenance Governor API pod must be annotated with the ARN of the IAM role. The default deployment uses a Service Account named api in the develocity-provenance-governor namespace.

You can patch the Service Account after applying the manifest:

kubectl annotate serviceaccount api \
  -n develocity-provenance-governor \
  eks.amazonaws.com/role-arn=arn:aws:iam::123456789012:role/MyAttestationWriterRole

Alternatively, if you are using Kustomize to manage your deployment, you can create a kustomization.yaml to patch the manifest:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - manifest.yaml
patches:
  - target:
      kind: ServiceAccount
      name: api
      namespace: develocity-provenance-governor
    patch: |-
      - op: add
        path: /metadata/annotations
        value:
          eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/MyAttestationWriterRole

S3 Connection Tuning

The following properties allow tuning of the S3 connection and request handling:

s3.instances.<instance-name>.endpoint=https://s3.us-west-2.amazonaws.com (1)
s3.instances.<instance-name>.path-style-access=false (2)
s3.instances.<instance-name>.max-concurrency=50 (3)
s3.instances.<instance-name>.max-object-size=10MB (4)
1 The S3 endpoint URI. If omitted, the default AWS endpoint for the configured region is used.
2 Whether to use path-style access (e.g., https://s3.amazonaws.com/bucket/key). Defaults to false (virtual-hosted-style).
3 The maximum number of concurrent HTTP requests to S3. Defaults to the AWS SDK default.
4 The maximum allowed size for an attestation object. Defaults to 10MB.

S3 Timeouts

s3.instances.<instance-name>.connection-timeout=2s (1)
s3.instances.<instance-name>.read-timeout=30s (2)
s3.instances.<instance-name>.write-timeout=30s (3)
1 The timeout for establishing a connection to S3. Defaults to 2s.
2 The timeout for reading data from S3. Defaults to 30s.
3 The timeout for writing data to S3. Defaults to 30s.

S3 Retries

s3.instances.<instance-name>.retries.attempts=3 (1)
s3.instances.<instance-name>.retries.min-backoff=1s (2)
1 The maximum number of retry attempts for S3 operations. Defaults to 3.
2 The minimum backoff duration between retry attempts. Defaults to 1s.

Artifactory Configuration

To configure access to an Artifactory instance for attestation storage, configure the following application properties:

artifactory.instances.<instance-name>.uri=https://artifactory.example.com (1)
1 <instance-name> is a name you choose to identify this Artifactory instance.

Artifactory configuration is optional. If you’re using S3 for attestation storage, you don’t need to configure Artifactory unless you want to publish attestations to both storage backends.

Provide an Artifactory access or ID token in the sensitive application properties (Secret secrets):

artifactory.instances.<instance-name>.access-token=************ (your access token here)

Advanced Artifactory Configuration

The following advanced properties can be configured for each Artifactory instance:

artifactory.instances.<instance-name>.path=/artifactory (1)
artifactory.instances.<instance-name>.graphql-path=/onemodel/api/v1/graphql (2)
artifactory.instances.<instance-name>.evidence-path=/evidence/api/v1/subject (3)
artifactory.instances.<instance-name>.retries-writing.attempts=3 (4)
artifactory.instances.<instance-name>.retries-writing.min-backoff=1s (5)
artifactory.instances.<instance-name>.retries-reading.attempts=3 (6)
artifactory.instances.<instance-name>.retries-reading.min-backoff=1s (7)
1 The base path to the Artifactory instance. Defaults to /artifactory.
2 The path to the Artifactory GraphQL API. Defaults to /onemodel/api/v1/graphql.
3 The path to the Artifactory Evidence Management API. Defaults to /evidence/api/v1/subject.
4 The maximum number of retry attempts for write operations to Artifactory. Defaults to 3.
5 The minimum backoff duration between retry attempts for write operations. Defaults to 1s.
6 The maximum number of retry attempts for read operations from Artifactory. Defaults to 3.
7 The minimum backoff duration between retry attempts for read operations. Defaults to 1s.