Skip to content

Latest commit

 

History

History
101 lines (71 loc) · 5.16 KB

AUTHENTICATION.md

File metadata and controls

101 lines (71 loc) · 5.16 KB

Authentication Guide

This document describes how you can configure authentication for the STACKIT CLI.

Service account

You can use a service account to authenticate to the STACKIT CLI. The CLI will search for service account credentials similarly to the STACKIT SDK and STACKIT Terraform Provider, so if you have already set up your environment for those tools, you can just run:

$ stackit auth activate-service-account

You can also configure the service account credentials directly in the CLI. To get help and to get a list of the available options run the command with the -h flag.

Overview

If you don't have a service account, create one in the STACKIT Portal and assign the necessary permissions to it, e.g. owner. There are two ways to authenticate:

  • Key flow (recommended)
  • Token flow

When setting up authentication, the CLI will always try to use the key flow first and search for credentials in several locations, following a specific order:

  1. Explicitly provided credentials, e.g. by using the flag --service-account-key-path

  2. Environment variable, e.g. by setting STACKIT_SERVICE_ACCOUNT_KEY_PATH

  3. Credentials file

    The CLI will check the credentials file located in the path defined by the STACKIT_CREDENTIALS_PATH env var, if specified, or in $HOME/.stackit/credentials.json as a fallback. The credentials file should be a JSON and each credential should be set using the name of the respective environment variable, as stated below in each flow. Example:

    {
      "STACKIT_SERVICE_ACCOUNT_TOKEN": "foo_token",
      "STACKIT_SERVICE_ACCOUNT_KEY_PATH": "path/to/sa_key.json"
    }

Key flow

The following instructions assume that you have created a service account and assigned the necessary permissions to it, e.g. `owner`.

To use the key flow, you need to have a service account key, which must have an RSA key-pair attached to it.

When creating the service account key, a new RSA key-pair can be created automatically, which will be included in the service account key. This will make it much easier to configure the key flow authentication in the CLI, by just providing the service account key.

Optionally, you can provide your own private key when creating the service account key, which will then require you to also provide it explicitly to the CLI, additionally to the service account key. Check the STACKIT Knowledge Base for an example of how to create your own key-pair.

To configure the key flow, follow this steps:

  1. Create a service account key:
  • In the CLI, run stackit service-account key create --email <SERVICE_ACCOUNT_EMAIL>
  • As an alternative, use the STACKIT Portal: go to the Service Accounts tab, choose a Service Account and go to Service Account Keys to create a key. For more details, see Create a service account key
  1. Save the content of the service account key by copying it and saving it in a JSON file.

The expected format of the service account key is a json with the following structure:

{
  "id": "uuid",
  "publicKey": "public key",
  "createdAt": "2023-08-24T14:15:22Z",
  "validUntil": "2023-08-24T14:15:22Z",
  "keyType": "USER_MANAGED",
  "keyOrigin": "USER_PROVIDED",
  "keyAlgorithm": "RSA_2048",
  "active": true,
  "credentials": {
    "kid": "string",
    "iss": "my-sa@sa.stackit.cloud",
    "sub": "uuid",
    "aud": "string",
    (optional) "privateKey": "private key when generated by the SA service"
  }
}
  1. Configure the service account key for authentication in the CLI by following one of the alternatives below:

    • using the flag --service-account-key-path
    • setting the environment variable STACKIT_SERVICE_ACCOUNT_KEY_PATH
    • setting STACKIT_SERVICE_ACCOUNT_KEY_PATH in the credentials file (see above)

Optionally, only if you have provided your own RSA key-pair when creating the service account key, you also need to configure your private key (takes precedence over the one included in the service account key, if present). The private key must be PEM encoded and can be provided using one of the options below:

  • using the flag --private-key-path
  • setting the environment variable STACKIT_PRIVATE_KEY_PATH
  • setting STACKIT_PRIVATE_KEY_PATH in the credentials file (see above)
  1. The CLI will search for the keys and, if valid, will use them to get access and refresh tokens which will be used to authenticate all the requests.

Token flow

Using this flow is less secure since the token is long-lived. You can provide the token in several ways:

  1. Providing the flag --service-account-token
  2. Setting the environment variable STACKIT_SERVICE_ACCOUNT_TOKEN
  3. Setting STACKIT_SERVICE_ACCOUNT_TOKEN in the credentials file (see above)