Open UgnineSirdis opened 3 months ago
An example of credentials initialization for a particular provider (Nebius):
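// NewNebiusCredentials builds OAuth 2.0 token-exchange credentials for the
// Nebius IAM token service. The service account's RSA private key signs a
// one-hour JWT (RS256) whose issuer and subject are both serviceAccountId;
// that JWT is then presented as the subject token at the token endpoint.
//
// keyID names the signing key, privateKeyContent is the PEM-encoded RSA
// private key (secret material: load it from a protected location and do not
// log it), and serviceAccountId identifies the service account.
//
// Returns a non-nil error if the PEM cannot be parsed or either token source
// cannot be constructed; the credentials value is nil in that case.
func NewNebiusCredentials(keyID string, privateKeyContent []byte, serviceAccountId string) (*credentials.Credentials, error) {
	// The token service is the audience of both the signed JWT and the exchange
	// request; a single constant keeps the two values from drifting apart.
	const (
		tokenServiceAudience = "token-service.iam.new.nebiuscloud.net"
		tokenEndpoint        = "https://auth.new.nebiuscloud.net/oauth2/token/exchange"
	)

	key, err := jwt.ParseRSAPrivateKeyFromPEM(privateKeyContent)
	if err != nil {
		// Two results: the credentials are nil whenever an error is returned.
		return nil, err
	}

	jwtTokenSource, err := NewJWTTokenSource(JWTTokenSourceOptions{
		SigningMethod: jwt.SigningMethodRS256,
		KeyID:         keyID,
		PrivateKey:    key,
		Issuer:        serviceAccountId,
		Subject:       serviceAccountId,
		Audience:      []string{tokenServiceAudience},
		TokenTTL:      time.Hour,
	})
	if err != nil {
		return nil, err
	}

	return NewOauth2TokenExchangeCredentials(Oauth2TokenExchangeOptions{
		TokenEndpoint:      tokenEndpoint,
		Audience:           []string{tokenServiceAudience},
		SubjectTokenSource: jwtTokenSource,
	})
}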
Implementation merged. Example of usage in Go: https://github.com/ydb-platform/ydb-go-sdk/blob/master/examples/auth/oauth2_token_exchange_credentials/main.go
// Subject-token source: a JWT signed (RS256) with the RSA key read from
// privateKeyFile. That file holds secret material; keep it outside the
// repository and readable only by the process that opens the connection.
subjectToken := credentials.WithJWTSubjectToken(
	credentials.WithSigningMethod(jwt.SigningMethodRS256),
	credentials.WithKeyID(keyID),
	credentials.WithRSAPrivateKeyPEMFile(privateKeyFile),
	credentials.WithIssuer(issuer),
	credentials.WithSubject(subject),
	credentials.WithAudience(audience),
)

// The signed JWT is exchanged at tokenEndpoint for a token for audience.
exchangeCredentials := ydb.WithOauth2TokenExchangeCredentials(
	credentials.WithTokenEndpoint(tokenEndpoint),
	credentials.WithAudience(audience),
	subjectToken,
)

db, err := ydb.Open(ctx, dsn, exchangeCredentials)
RFC: https://www.rfc-editor.org/rfc/rfc8693
Aim: to make a credentials provider that uses the standard OAuth 2.0 token exchange protocol, suitable for many clouds/systems. It must support:
I suggest the following. The example is in Go, but we must provide an equivalent interface for the other SDKs (with equivalent class names).