oracle / oci-go-sdk

Go SDK for Oracle Cloud Infrastructure
https://cloud.oracle.com/cloud-infrastructure

DefaultConfigProvider fails to parse encrypted private key while CLI works #533

Open ak-emphere opened 2 days ago

ak-emphere commented 2 days ago

The common.DefaultConfigProvider() in the OCI Go SDK is failing to properly read an encrypted private key from the default configuration file, while the OCI CLI works correctly with the same configuration.

Environment

OCI Go SDK Version: v65.75.2
Go Version: go1.22.4 darwin/arm64

Steps to Reproduce

  1. Set up an OCI configuration file at ~/.oci/config with an encrypted private key:

    [DEFAULT]
    user=<user_ocid>
    fingerprint=<fingerprint>
    key_file=<path_to_key_file>
    tenancy=<tenancy_ocid>
    region=<location>
    pass_phrase=<passphrase>

  2. Verify OCI CLI works

    oci iam compartment list

    This command succeeds and returns a list of compartments

  3. Go code

    package main

    import (
        "fmt"

        "github.com/oracle/oci-go-sdk/v65/common"
        "github.com/oracle/oci-go-sdk/v65/identity"
    )

    func main() {
        // Reads ~/.oci/config, including key_file and pass_phrase.
        configProvider := common.DefaultConfigProvider()
        // The client itself is not used further; discard it so the program compiles.
        _, err := identity.NewIdentityClientWithConfigurationProvider(configProvider)
        if err != nil {
            fmt.Printf("Failed to create identity client: %v\n", err)
            return
        }
        fmt.Println("Successfully created identity client")
    }

Expected Behavior

The Go program should successfully create an identity client, just as the CLI is able to use the same configuration to make API calls.

Actual Behavior

The Go program fails with an error:

can not create client, bad configuration: did not find a proper configuration for private key

Additional Context

Questions

  1. Does the SDK need an unencrypted private key file to be passed?
  2. Are there any environment variables that need to be set for the SDK to correctly use the passphrase?
  3. Is there a difference in how the CLI and the SDK read the configuration that could explain this discrepancy?

jyotisaini commented 2 days ago

Hi @ak-emphere - This is a known issue where the Go SDK does not support encrypted PKCS8 keys. Are you also using PKCS8 keys?

ak-emphere commented 2 days ago

Yes, it's PKCS8, @jyotisaini. Is there a workaround I can use here?

jyotisaini commented 2 days ago

No, we don't have a workaround, but my team is working on adding this support, which is currently in the testing phase. We are targeting a release by the end of this month.

ak-emphere commented 2 days ago

Thanks for the timeline. Would it be possible to link this issue to that upcoming release? Or is there another issue I can subscribe to?

jyotisaini commented 2 days ago

I don't think there is another issue for this. We can link this issue with the upcoming release.