Hi @alaslums
I am working on this right now - I am happy to report that I have just got it working for 1 of the 2 authentication scenarios we support - so we are on the right path!
Paul
Hi @alaslums
Just an FYI: I opened the following PR that adds support for this to triton-go. As soon as this is merged, I will update the SDK and the docs here.
I also need to add a specific example for this and document some of the ENV vars and policies needed to run it :)
Paul
Hi There,
Triton/SDC supports RBAC users, such that you can have a master account and then sub-users of that account, with fine-grained permissions.
This works with the sdc and triton cli, but it looks like it doesn't with the terraform provider:
```
$ env|grep SDC
SDC_URL=https://eu-ams-1.api.joyent.com
SDC_ACCOUNT=XXXX
SDC_USER=YYYY
SDC_KEY_ID=MD5:ZZZZ
$ triton instance create --name=foobar ubuntu-16.04 g4-highcpu-128M
Creating instance foobar (XXXX, ubuntu-16.04@20170403)
$ triton instance list
SHORTID   NAME    IMG                    STATE         FLAGS  AGE
cb192730  foobar  ubuntu-16.04@20170403  provisioning  -      9s
```
When using Terraform, it errors out:
triton_machine.container-ubuntu1: Error executing Create request: InvalidCredentials: Invalid authorization credentials supplied
And indeed the terraform provider source code doesn't mention SDC_USER at all:
```
$ grep -r SDC_ACC | wc -l
22
$ grep -r SDC_USER | wc -l
0
```
This limits the use of the terraform provider in environments that wish to use RBAC sub accounts, and forces the use of the main master account at all times.