Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Today's provider requires ibmcloud_api_key to be configured to authenticate with the cloud and run all service clients.
To address security issues from apikey, trusted profile was introduced in IAM a few years ago and has been adopted by many cloud services, with the benefits below.
User does not need to create any credential or store the plain text somewhere (even if in a secure place)
User does not need to rotate the credential regularly
User does not need to worry about credential exposure or leak.
The primary use case will be:
In terraform.tfvars, trusted_profile_id and cr_token_file are configured (ibmcloud_api_key is no longer needed), then iam_token is generated from the above two parameters and this token is kept refreshed regularly throughout the client session.
https://github.com/IBM/go-sdk-core/blob/main/core/container_authenticator.go is available to implement this support.
Trusted profile also supports association with other types of trustees besides compute resource token, and they can be added after compute resource token is supported.
user
service-id
cloud service
New or Affected Resource(s)
This is a platform-level enhancement, not associated with any service or resource.
But once this authentication option is available, services supporting trusted profile can adopt it and get away with apikey configuration.
ibm_XXXXX
Potential Terraform Configuration
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.