The easiest, most secure way to use WireGuard and 2FA http://git.waynecole.info/tailscale/atom?h=awly%2Fdeadcode-pool 2026-01-29T23:09:56Z 2026-01-29T23:09:56Z Andrew Dunham andrew@tailscale.com 2026-01-14T07:29:06Z urn:sha1:bcceef36825278a7406dd38d2832f20540d698a0 This allows fetching auth keys, OAuth client secrets, and ID tokens (for workload identity federation) from AWS Parameter Store by passing an ARN as the value. This is a relatively low-overhead mechanism for fetching these values from an external secret store without needing to run a secret service. Usage examples: # Auth key tailscale up \ --auth-key=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/auth-key # OAuth client secret tailscale up \ --client-secret=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/oauth-secret \ --advertise-tags=tag:server # ID token (for workload identity federation) tailscale up \ --client-id=my-client \ --id-token=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/id-token \ --advertise-tags=tag:server Updates tailscale/corp#28792 Signed-off-by: Andrew Dunham <andrew@tailscale.com>