-
Notifications
You must be signed in to change notification settings - Fork 42
feat(auth): add Workload Identity Federation (OIDC) support #1424
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
philross
wants to merge
5
commits into
stackitcloud:main
Choose a base branch
from
philross:feat/wif-auth-support
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
e17115d
feat(auth): add Workload Identity Federation (OIDC) support
philross 415910f
refactor(auth): move OIDC helpers into auth package
philross 17e3ea5
remove test case
philross 182ff35
add --use-oidc flag
philross ac5d8b9
support STACKIT_FEDERATED_TOKEN_FILE
philross File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| package auth | ||
|
|
||
| import ( | ||
| "context" | ||
| "fmt" | ||
| "os" | ||
|
|
||
| "github.com/stackitcloud/stackit-sdk-go/core/oidcadapters" | ||
| ) | ||
|
|
||
| const ( | ||
| EnvUseOIDC = "STACKIT_USE_OIDC" | ||
| EnvServiceAccountEmail = "STACKIT_SERVICE_ACCOUNT_EMAIL" | ||
| EnvServiceAccountFederatedToken = "STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN" //nolint:gosec // linter false positive | ||
| EnvFederatedTokenFile = "STACKIT_FEDERATED_TOKEN_FILE" | ||
| EnvGitHubRequestURL = "ACTIONS_ID_TOKEN_REQUEST_URL" | ||
| EnvGitHubRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN" //nolint:gosec // linter false positive | ||
| EnvAzureOIDCRequestURI = "SYSTEM_OIDCREQUESTURI" | ||
| EnvAzureAccessToken = "SYSTEM_ACCESSTOKEN" //nolint:gosec // linter false positive | ||
| ) | ||
|
|
||
| func IsOIDCEnabled() bool { | ||
| return os.Getenv(EnvUseOIDC) == "1" | ||
| } | ||
|
|
||
| // IsOIDCEnabledWithOverride resolves OIDC mode using explicit input first and env fallback. | ||
| // If useOIDC is not nil, its value is used directly; otherwise STACKIT_USE_OIDC is evaluated. | ||
| func IsOIDCEnabledWithOverride(useOIDC *bool) bool { | ||
| if useOIDC != nil { | ||
| return *useOIDC | ||
| } | ||
|
|
||
| return IsOIDCEnabled() | ||
| } | ||
|
|
||
| func OIDCServiceAccountEmail() string { | ||
| return os.Getenv(EnvServiceAccountEmail) | ||
| } | ||
|
|
||
| // TokenFunc returns the OIDCTokenFunc to use for Workload Identity Federation. | ||
| // It checks the following token sources in order: STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN, | ||
| // STACKIT_FEDERATED_TOKEN_FILE, GitHub Actions (ACTIONS_ID_TOKEN_REQUEST_URL + | ||
| // ACTIONS_ID_TOKEN_REQUEST_TOKEN), and Azure DevOps (SYSTEM_OIDCREQUESTURI + SYSTEM_ACCESSTOKEN). | ||
| // Returns an error if no source is detected. | ||
| func OIDCTokenFunc() (oidcadapters.OIDCTokenFunc, error) { | ||
| // static token provided directly via env var | ||
| if token := os.Getenv(EnvServiceAccountFederatedToken); token != "" { | ||
| return func(_ context.Context) (string, error) { | ||
| return token, nil | ||
| }, nil | ||
| } | ||
|
|
||
| // token read from filesystem path via env var | ||
| if tokenFilePath := os.Getenv(EnvFederatedTokenFile); tokenFilePath != "" { | ||
| return oidcadapters.ReadJWTFromFileSystem(tokenFilePath), nil | ||
| } | ||
|
|
||
| // GitHub Actions | ||
| if ghURL := os.Getenv(EnvGitHubRequestURL); ghURL != "" { | ||
| if ghToken := os.Getenv(EnvGitHubRequestToken); ghToken != "" { | ||
| return oidcadapters.RequestGHOIDCToken(ghURL, ghToken), nil | ||
| } | ||
| } | ||
|
|
||
| // Azure DevOps | ||
| if adoURL := os.Getenv(EnvAzureOIDCRequestURI); adoURL != "" { | ||
| if adoToken := os.Getenv(EnvAzureAccessToken); adoToken != "" { | ||
| return oidcadapters.RequestAzureDevOpsOIDCToken(adoURL, adoToken, ""), nil | ||
| } | ||
| } | ||
|
|
||
| return nil, fmt.Errorf( | ||
| "%s is enabled but no OIDC token source was detected\n"+ | ||
| "Provide the token via %s or %s, or run in a supported CI environment:\n"+ | ||
| " - GitHub Actions: grant 'id-token: write' permission; %s and %s are set automatically by the runner\n"+ | ||
| " - Azure DevOps: pass 'SYSTEM_ACCESSTOKEN: $(System.AccessToken)' in your pipeline step", | ||
| EnvUseOIDC, EnvServiceAccountFederatedToken, EnvFederatedTokenFile, | ||
| EnvGitHubRequestURL, EnvGitHubRequestToken, | ||
| ) | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I checked the TFP implementation against this implementation and found one thing which is different.
The TFP implementation allows to provide a
use_oidcin the provider configuration. If this is set this has higher priority (than the environment variable).See: https://github.com/stackitcloud/terraform-provider-stackit/blob/main/docs/index.md#authentication
In order to use the same mechanism here we need to add a cli flag as well (if provided -> cli flag has prio, if not environment variable is taken).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added supported for
--use-oidcand alsoSTACKIT_FEDERATED_TOKEN_FILE