oracle / oci-ruby-sdk

Ruby SDK for Oracle Cloud Infrastructure
https://cloud.oracle.com/cloud-infrastructure

Support authentication_type=security_token #70

Open b-dean opened 2 years ago

b-dean commented 2 years ago

We use oci session authenticate with the environment variable OCI_CLI_AUTH=security_token set. This means our ~/.oci/config file doesn't actually have a setting for user, which causes the config validation to fail.

[DEFAULT]
fingerprint =<your_fingerprint>
key_file = /home/someone/.oci/sessions/DEFAULT/oci_api_key.pem
tenancy = ocid1.tenancy.oc1..<unique_ID>
region = us-ashburn-1
security_token_file = /home/someone/.oci/sessions/DEFAULT/token

This means that I have to make some other OCI user and manage keys in order to get the ruby sdk to work. So things like @stephenpearson's kitchen-oci won't work with my normal authentication methods.

Other SDKs handle this security token auth just fine. (Notably oci-python-sdk, used by oci-cli; and oci-go-sdk used by terraform-provider-oci and packer-plugin-oracle.)

b-dean commented 2 years ago

So I fiddled with this a bit and figured out a way to do it, but it's ugly.

require 'oci'

profile = ENV['OCI_CLI_PROFILE'] || 'DEFAULT'
config = OCI::ConfigFileLoader.load_config(profile_name: profile)

pkey_content = IO.read(config.key_file).strip
pkey = OpenSSL::PKey::RSA.new(pkey_content, config.pass_phrase)

# OCI::Config doesn't have any accessor for security_token_file
token = IO.read(File.expand_path("~/.oci/sessions/#{profile}/token")).strip

signer = OCI::Auth::Signers::SecurityTokenSigner.new(token, pkey)

identity = OCI::Identity::IdentityClient.new(config: config, signer: signer)
puts identity.list_regions.data

It would be nice if the sdk supported security_token for an authentication type, in OCI::Signer.config_file_auth_builder(config), here, but based on these docs on session auth and sdk use, it seems like we are expected to configure the signers ourselves. Looking at other sdks, oci-python-sdk doesn't support it, neither does oci-go-sdk. :unamused:

github-anurag commented 2 years ago

@b-dean cc @ZiyaoQiao The Go SDK supports the Session based Authentication. The public docs are pending an update. Go SDK example: https://github.com/oracle/oci-go-sdk/blob/master/example/example_securityTokenBasedAuth_test.go Python SDK supports this authentication in a similar fashion that you have come up with. Read more at: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm#:~:text=%2D%2Dauth%20security_token-,For%20SDKs,-To%20run%20SDKs

msg7086 commented 1 month ago

module OCI
  class Config
    attr_accessor :security_token_file
  end
end

... config.security_token_file ...

Slight change so you don't have to hard code the token path in the above code.
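The two snippets above (b-dean's hard-coded `~/.oci/sessions/<profile>/token` path, and msg7086's `security_token_file` accessor on `OCI::Config`) both leave one practical question open: whether the token on disk is still usable at all, since an expired session surfaces only as an authentication error from the service. The following is an added example, not code from this issue or from oci-ruby-sdk. It resolves the token path the way the thread suggests (profile's `security_token_file` first, the default session directory as fallback) and reports how long the token has left. It deliberately avoids the `oci` gem so it can run as a pre-flight check before building `SecurityTokenSigner`. It assumes the session token is a JWT carrying an `exp` claim (an assumption about the token format; the signature is not verified here, only inspected), and all function names, the `dev` profile and the token contents are constructed for the example.

```ruby
require 'json'
require 'time'

# Constructed config text mirroring the profile shown in the issue (placeholder values,
# not a real profile). The second profile has no security_token_file, to exercise the fallback.
SAMPLE_CONFIG = <<~INI
  [DEFAULT]
  fingerprint =<your_fingerprint>
  key_file = /home/someone/.oci/sessions/DEFAULT/oci_api_key.pem
  tenancy = ocid1.tenancy.oc1..<unique_ID>
  region = us-ashburn-1
  security_token_file = /home/someone/.oci/sessions/DEFAULT/token

  # constructed profile without security_token_file
  [dev]
  region = us-phoenix-1
INI

# Minimal parser for the INI-style ~/.oci/config: [profile] headers, key = value lines,
# '#' comments. Returns { "DEFAULT" => { "key" => "value" }, ... }.
def parse_oci_config(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
      profiles[current] = {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      profiles[current][m[1].strip] = m[2].strip
    end
  end
  profiles
end

# Token path: prefer the profile's security_token_file (as msg7086 suggests), otherwise
# the path `oci session authenticate` writes by default (as b-dean hard-coded).
def session_token_path(profile_settings, profile_name, home = Dir.home)
  explicit = profile_settings['security_token_file']
  return File.expand_path(explicit) if explicit && !explicit.empty?
  File.join(home, '.oci', 'sessions', profile_name, 'token')
end

# Base64url helpers implemented with pack/unpack so no extra gem is needed.
def b64url_decode(segment)
  padded = segment.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m')
end

def b64url_encode(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

# Decode a JWT payload WITHOUT verifying the signature: we only read `exp` to decide
# whether the session is worth presenting; the service still verifies the signature.
def jwt_payload(token)
  parts = token.split('.')
  raise ArgumentError, 'token is not a JWT (expected 3 dot-separated parts)' unless parts.length == 3
  JSON.parse(b64url_decode(parts[1]))
end

# Seconds until the token expires; negative when it has already expired.
def seconds_until_expiry(token, now = Time.now)
  exp = jwt_payload(token)['exp']
  raise ArgumentError, 'token has no integer exp claim' unless exp.is_a?(Integer)
  exp - now.to_i
end

# Builds a constructed, UNSIGNED token (placeholder signature) purely for this example.
def build_unsigned_token(claims)
  header = b64url_encode(JSON.generate('alg' => 'none', 'typ' => 'JWT'))
  payload = b64url_encode(JSON.generate(claims))
  "#{header}.#{payload}.constructed-signature"
end

# Combined pre-flight check for one profile. `token` is passed in so the example runs
# without touching the filesystem; a real caller would File.read(token_path).strip.
def check_session(profile_name, config_text:, token:, now: Time.now, home: Dir.home)
  profiles = parse_oci_config(config_text)
  settings = profiles.fetch(profile_name) { raise ArgumentError, "no profile #{profile_name}" }
  left = seconds_until_expiry(token, now)
  {
    token_path: session_token_path(settings, profile_name, home),
    seconds_left: left,
    usable: left > 0
  }
end

if $PROGRAM_NAME == __FILE__
  token = build_unsigned_token('sub' => 'constructed-session', 'exp' => Time.now.to_i + 3600)
  puts check_session('DEFAULT', config_text: SAMPLE_CONFIG, token: token).inspect
end
```

In practice you would run `check_session` on the real `~/.oci/config` and the token file it points at, and only construct `OCI::Auth::Signers::SecurityTokenSigner` when `usable` is true; when it is false, re-running `oci session authenticate` is the fix rather than retrying the API call.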