
wip: configure provider with pre-signed jwt #1237

Draft: wants to merge 1 commit into base: master

Conversation

ericnorris (Contributor) commented Aug 4, 2022

This is a proof-of-concept PR following okta/okta-sdk-golang#319 that demonstrates the ability to configure the provider with a pre-signed JWT. I've left some context in that PR that I will duplicate here:

As a reminder for context: we'd like to explore using the Okta Terraform provider in an environment where the private key is opaque to us, that is, we have a mechanism for signing JWTs with some private key, but we don't know the actual value of the private key, and so we cannot configure the provider (nor the SDK) with the private key directly.

I decided to split up the work into two PRs to show the most obvious way that this would be implemented, but I am open to changes that keep this localized to the provider if that makes more sense to you all.

As it is now, the changes are pretty superficial - the provider simply passes the JWT through to the SDK, which then exchanges it for an access token.

Per a conversation we had yesterday, I've attached a rough example of how we (Etsy) plan on calling the provider with a jwt argument.

provider "google" {}

data "google_service_account_jwt" "okta" {
  target_service_account = "[email protected]"

  payload = jsonencode({
    "aud": "https://foo.okta.com/oauth2/v1/token",
    "iss": "client-id",
    "sub": "client-id",
    "exp": 1234567890
  })
}

provider "okta" {
  jwt = data.google_service_account_jwt.okta.jwt
}

This is a proof-of-concept commit to demonstrate adding the ability to
specify a JWT directly rather than either an access token or private
key.

This depends on okta/okta-sdk-golang#319.
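As an added illustration of what the SDK does with the pass-through JWT (this is example code, not code from this PR or from okta-sdk-golang): the assertion is sent as the client_assertion of a client_credentials request to the org's /oauth2/v1/token endpoint, the private_key_jwt client authentication of RFC 7523. The provider never sees the private key, so it cannot verify the signature, but it can sanity-check the claims before the request so that a wrong aud, an iss/sub that is not the client ID, or an expired assertion fails with a clear error instead of an opaque 401. The token URL, client ID, scopes and the sample JWT are constructed from the values in the PR example; makeSampleJWT is a stand-in for the external signer and emits a placeholder signature, so its output is parseable but not a valid assertion.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Claims is the subset of the assertion payload that the client_credentials
// exchange depends on. Field names mirror the payload in the PR example.
type Claims struct {
	Aud string `json:"aud"`
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// decodeClaims reads the payload of a compact JWS without checking the
// signature: the caller has no private key, so the token endpoint remains the
// only place where the signature is actually verified.
func decodeClaims(jwt string) (Claims, error) {
	var c Claims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("jwt: expected header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("jwt: payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, fmt.Errorf("jwt: payload is not JSON: %w", err)
	}
	return c, nil
}

// checkAssertion explains up front why the token endpoint would refuse the
// assertion: audience other than the token URL, iss/sub not the client ID,
// or an exp that has already passed.
func checkAssertion(c Claims, tokenURL, clientID string, now time.Time) error {
	if c.Aud != tokenURL {
		return fmt.Errorf("aud %q is not the token endpoint %q", c.Aud, tokenURL)
	}
	if c.Iss != clientID || c.Sub != clientID {
		return fmt.Errorf("iss and sub must both equal the client ID %q", clientID)
	}
	if expiry := time.Unix(c.Exp, 0); !now.Before(expiry) {
		return fmt.Errorf("assertion expired at %s", expiry.UTC().Format(time.RFC3339))
	}
	return nil
}

// newTokenRequest builds the client_credentials POST in which the pre-signed
// JWT authenticates the client (RFC 7523 private_key_jwt). The request is only
// built, not sent, so the example runs offline.
func newTokenRequest(tokenURL, jwt string, scopes []string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("scope", strings.Join(scopes, " "))
	form.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	form.Set("client_assertion", jwt)
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")
	return req, nil
}

// makeSampleJWT is a constructed stand-in for the external signer the PR
// describes: it base64url-encodes a header and the claims with a placeholder
// signature, so the result is NOT a valid assertion, only something that
// decodeClaims can parse.
func makeSampleJWT(c Claims) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	sig := base64.RawURLEncoding.EncodeToString([]byte("placeholder-signature"))
	return enc(header) + "." + enc(c) + "." + sig
}

func main() {
	const tokenURL = "https://foo.okta.com/oauth2/v1/token" // constructed, from the PR example
	const clientID = "client-id"
	jwt := makeSampleJWT(Claims{Aud: tokenURL, Iss: clientID, Sub: clientID, Exp: 1234567890})

	claims, err := decodeClaims(jwt)
	if err != nil {
		fmt.Println("decode:", err)
		return
	}
	// exp 1234567890 is in 2009, so against the real clock this reports expiry.
	if err := checkAssertion(claims, tokenURL, clientID, time.Now()); err != nil {
		fmt.Println("refusing to send assertion:", err)
		return
	}
	req, _ := newTokenRequest(tokenURL, jwt, []string{"okta.users.read"})
	fmt.Println(req.Method, req.URL)
}
```

The claim checks are deliberately conservative: they only reject assertions the token endpoint would reject anyway, which keeps the provider's failure message actionable without it ever needing key material.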
@monde monde self-requested a review August 8, 2022 16:18
@monde monde added the needs-acc-test PR needs a terraform acceptance test label Aug 8, 2022
monde (Collaborator) commented Aug 8, 2022

Seems like a good idea to me, my notes from the SDK PR okta/okta-sdk-golang#319 (comment) "As the API supports this, the SDK should as well. We need to write some tests around this PR and as well as explanation and usage documentation in the README."

@github-actions github-actions bot added the stale label Oct 18, 2022
@github-actions github-actions bot closed this Oct 23, 2022
@monde monde added no-stalebot and removed stale labels Nov 30, 2022
monde (Collaborator) commented Nov 30, 2022

not stale

@monde monde reopened this Nov 30, 2022
Labels: needs-acc-test (PR needs a terraform acceptance test), no-stalebot
2 participants