oracle / oci-go-sdk

Go SDK for Oracle Cloud Infrastructure
https://cloud.oracle.com/cloud-infrastructure

OkeWorkloadIdentityConfigurationProvider looking for OCI_RESOURCE_PRINCIPAL_VERSION environment #489

Open connelly38 opened 7 months ago

connelly38 commented 7 months ago

When trying to use OKE Workload configuration provider inside an OKE cluster, I get this error:

can not create resource principal, environment variable: OCI_RESOURCE_PRINCIPAL_VERSION, not present

This is due to the code in common/auth/resource_principal_key_provider.go, line 100-ish:

if version, ok = os.LookupEnv(ResourcePrincipalVersionEnvVar); !ok {
    err := fmt.Errorf("can not create resource principal, environment variable: %s, not present", ResourcePrincipalVersionEnvVar)
    return nil, resourcePrincipalError{err: err}
}

Neither the Java nor the Python SDKs look for this environment setting. Why does the Go driver? I don't see any way this will work, short of me setting that environment variable manually to something like "2.2"?

I've followed all the docs to get the OKE cluster set up and the docs for Go located at https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm#contengmanagingworkloads_topic-grantingworkloadaccesstoresources-golang ... but I still get this error.

I'm using oci-go-sdk as: require github.com/oracle/oci-go-sdk/v65 v65.61.2

JoshuaWR commented 7 months ago

Hi @connelly38, it seems like you do need to set that environment variable (OCI_RESOURCE_PRINCIPAL_VERSION), and you should be able to set it to what you mentioned, i.e. 2.2. From the Python SDK, we can see on this line that it also requires this environment variable to be present for Resource Principals, and will throw an error if it is not. For your use case, are you able to set this environment variable?

connelly38 commented 7 months ago

Here's the simple example Go code I'm using to test:

package main

import (
    "fmt"
    "time"

    ociauth "github.com/oracle/oci-go-sdk/v65/common/auth"
)

func main() {
    _, err := ociauth.OkeWorkloadIdentityConfigurationProvider()
    if err != nil {
        fmt.Printf("cannot create OKE provider: %v\n", err)
        return
    }
    time.Sleep(300 * time.Second)
}

When running in an OKE cluster, I get the error shown in the main bug report.

Update: with the help of Joshua Ramirez, I'm able to get further by setting the following two environment variables in my Dockerfile:

ENV OCI_RESOURCE_PRINCIPAL_VERSION 2.2
ENV OCI_RESOURCE_PRINCIPAL_REGION us-ashburn-1

... but why would those even be needed? This is for OKE workload auth, not resource principal. And this isn't a solution - especially since I'd need to set the region in the Dockerfile.

If those two environment variables are required, why aren't they set in the OKE Workload container environment?
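An added example, not part of the thread or of oci-go-sdk: a startup preflight that reports every missing variable in one error, since the thread shows the SDK surfacing them one at a time. The helper names `missingOkeEnv` and `preflight` are hypothetical, and treating a blank value as missing is an assumption of this sketch, not documented SDK behaviour.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Variable names exactly as they appear in this thread.
const (
	versionEnvVar = "OCI_RESOURCE_PRINCIPAL_VERSION"
	regionEnvVar  = "OCI_RESOURCE_PRINCIPAL_REGION"
)

// missingOkeEnv returns every required variable that is unset or blank.
// lookup is injected so the check can be exercised without touching the
// real process environment; pass os.LookupEnv in a real program.
func missingOkeEnv(lookup func(string) (string, bool)) []string {
	var missing []string
	for _, name := range []string{versionEnvVar, regionEnvVar} {
		// Blank-as-missing is this example's choice (assumption).
		if v, ok := lookup(name); !ok || strings.TrimSpace(v) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

// preflight turns the list into a single error naming all gaps at once.
func preflight(lookup func(string) (string, bool)) error {
	if m := missingOkeEnv(lookup); len(m) > 0 {
		return fmt.Errorf("OKE workload identity preflight: not set: %s",
			strings.Join(m, ", "))
	}
	return nil
}

func main() {
	// Run before calling ociauth.OkeWorkloadIdentityConfigurationProvider().
	if err := preflight(os.LookupEnv); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("required environment variables are present")
}
```
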

stsully commented 2 weeks ago

Same issue and same questions! Are these values available in instance metadata?