feat: support configuring trusted profile for authentication #5799

Open
JunliWang opened this issue Nov 18, 2024 · 0 comments
JunliWang commented Nov 18, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Today's provider requires ibmcloud_api_key to be configured to authenticate with the cloud and run all service clients.
To address security issues from apikey, trusted profile was introduced in IAM a few years ago and has been adopted by many cloud services, with the benefits below.

  • user does not need to create any credential or store the plain text somewhere (even if in a secure place)
  • user does not need to rotate the credential regularly
  • user does not need to worry about credential exposure or leak.

The primary use case will be:
in terraform.tfvars, trusted_profile_id and cr_token_file are configured (ibmcloud_api_key is no longer needed), then iam_token is generated from the above two parameters and this token is kept refreshed regularly throughout the client session.
https://github.com/IBM/go-sdk-core/blob/main/core/container_authenticator.go is available to implement this support.

Trusted profile also supports association with other types of trustees besides compute resource token, and they can be added after compute resource token is supported.

  • user
  • service-id
  • cloud service

New or Affected Resource(s)

This is a platform-level enhancement, not associated with any service or resource.
But once this authentication option is available, services supporting trusted profile can adopt it and get away with apikey configuration.

  • ibm_XXXXX

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

  • #0000
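
The token exchange this request describes, as an added example (not code from the issue, the provider, or go-sdk-core): a standard-library Go sketch that trades a compute resource token file and a trusted profile ID for an IAM token. The function name, the 80% refresh point, and the stub server and values in `main` are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"strings"
	"time"
)

// FetchToken re-reads the CR token file on every call (the platform rotates it) and trades
// it plus the trusted profile ID for an IAM token; refreshAt (80% of lifetime) is an assumption.
func FetchToken(iamURL, profileID, crTokenFile string) (token string, refreshAt time.Time, err error) {
	raw, err := os.ReadFile(crTokenFile)
	if err != nil {
		return "", refreshAt, fmt.Errorf("read cr token: %w", err)
	}
	resp, err := http.PostForm(iamURL+"/identity/token", url.Values{
		"grant_type": {"urn:ibm:params:oauth:grant-type:cr-token"},
		"cr_token":   {strings.TrimSpace(string(raw))},
		"profile_id": {profileID},
	})
	if err != nil {
		return "", refreshAt, err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int64  `json:"expires_in"` // lifetime in seconds
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || resp.StatusCode != http.StatusOK || body.AccessToken == "" {
		return "", refreshAt, fmt.Errorf("iam exchange failed: status %s, decode error %v", resp.Status, err)
	}
	return body.AccessToken, time.Now().Add(time.Duration(body.ExpiresIn) * time.Second * 8 / 10), nil
}

func main() { // offline demo against a constructed stub, not the real IAM service
	stub := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"access_token":"constructed-token","expires_in":3600}`)
	}))
	defer stub.Close()
	f, _ := os.CreateTemp("", "crtoken")
	defer os.Remove(f.Name())
	f.WriteString("constructed-cr-token\n")
	f.Close()
	fmt.Println(FetchToken(stub.URL, "Profile-constructed", f.Name()))
}
```

No long-lived secret appears in configuration here: the only inputs are a profile ID and a path to a short-lived token that the compute platform writes and rotates.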