Skip to content

core: Add STACKIT CLI Auth flow #2179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

core: Add STACKIT CLI Auth flow #2179

wants to merge 13 commits into from

Conversation

jkroepke
Copy link
Contributor

@jkroepke jkroepke commented May 8, 2025
edited
Loading

Description

relates to stackitcloud/terraform-provider-stackit#719

This PR adds the ability to obtain a token from a locally installed CLI. This is great for local development, where a real user is logged in via the CLI, and other STACKIT-related tools like the Terraform provider can use the token from the authenticated CLI context to make additional requests against the STACKIT API.

While developing this feature, I found stackitcloud/stackit-cli#736.

Due limited STACKIT access, tests with real human accounts can not be done by myself.

The Stackit CLI flow is enabled by default. There is an option to disable the cli flow. On CLI itself, the option should set to false to prevent infinite loops.

The path of the STACKIT CLI is not configurable. The SDK expects the CLI to be available within the system PATH. I modified the Github Action to ensure that the Stackit CLI is present.

Tests are using a custom CLI profile to avoid interrupting the local default configuration.

Code inspired from https://github.com/Azure/azure-sdk-for-go/blob/f4b3a417e0bc39a5051028c4f9d0fc36bc612317/sdk/azidentity/azure_cli_credential.go#L119-L166

Checklist

  • Issue was linked above
  • No generated code was adjusted manually (check comments in file header)
  • Changelogs
    • Changelog in the root directory was adjusted (see here)
    • Changelog(s) of the service(s) were adjusted (see e.g. here)
  • Code format was applied: make fmt
  • Examples were added / adjusted (see examples/ directory)
  • Unit tests got implemented or updated
  • Unit tests are passing: make test (will be checked by CI)
  • No linter issues: make lint (will be checked by CI)

@jkroepke
core: Add STACKIT CLI Auth flow
8b757b1 
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
@jkroepke jkroepke force-pushed the stackit-cli-flow branch from e636b31 to 0575554 Compare May 8, 2025 22:32
BackInBash
BackInBash reviewed May 9, 2025
View reviewed changes
Copy link
Member

@BackInBash BackInBash left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution.

I left a comment regarding the GitHub Workflow dependency

jkroepke
jkroepke commented May 9, 2025
View reviewed changes
jkroepke
jkroepke commented May 9, 2025
View reviewed changes
@jkroepke jkroepke force-pushed the stackit-cli-flow branch from 0c89b32 to 598c71f Compare May 9, 2025 18:52
@jkroepke
Replace jkroepke/setup-stackit-cli
765f60b 
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
@jkroepke jkroepke force-pushed the stackit-cli-flow branch from 598c71f to 765f60b Compare May 9, 2025 18:53
@github-actions GitHub Actions
Copy link

This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it.

@github-actions github-actions bot added the Stale label May 17, 2025
@rubenhoenle rubenhoenle removed the Stale label May 20, 2025
marceljk
marceljk reviewed May 21, 2025
View reviewed changes
Copy link
Contributor

@marceljk marceljk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks very good and works as expected. 😃 Can you just update the date of the changelog?

jkroepke and others added 3 commits May 21, 2025 17:11
@jkroepke @marceljk
Update core/CHANGELOG.md
ff92b61 
Co-authored-by: Marcel Jacek <72880145+marceljk@users.noreply.github.com>
@jkroepke @marceljk
Update CHANGELOG.md
a1154da 
Co-authored-by: Marcel Jacek <72880145+marceljk@users.noreply.github.com>
@jkroepke
Merge branch 'main' into stackit-cli-flow
57a45bb
@jkroepke
Copy link
Contributor Author

@marceljk Done and thanks for the additional testing.

Keep in mind to set DisableCLIAuthFlow: true in the STACKIT CLI to avoid auth loops.

@marceljk
Copy link
Contributor

@jkroepke We just discussed the field DisableCLIAuthFlow: true in our team and we would prefer that we have to enable the CLIAuthFlow by setting it to true and that it is disabled by default.
This would avoid unexpected behavior for people who are not aware of the CLIAuthFlow and since you then have to enable the option, you automatically become aware of it.

@jkroepke
Copy link
Contributor Author

jkroepke commented May 22, 2025
edited
Loading

Hi @marceljk

I would have a different sight on that:

On the Azure SDK, it's enabled by default. This at least guarantees that CLI authentication is always available, even for third-party programs like Prometheus, Terraform. And it's documented:
https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication/authentication-overview

The AWS SDK works in a similar way. An authenticated CLI is sufficient for the Terraform provider. That is great for local development where I can use a personal account to run terraform locally.

From an end-user perspective, I would assume that CLI authentication is enabled by default.

So I wound recommend that CLI Auth Flow is part of the Standard Credential Chain.

But I respect your decision and have changed it as requested.

@jkroepke
Replace DisableCLIAuthFlow with CLIAuthFlow
60aea17 
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
@jkroepke jkroepke force-pushed the stackit-cli-flow branch from 2fd910a to 60aea17 Compare May 22, 2025 09:57
@marceljk
Copy link
Contributor

Hi @jkroepke,

that's a good point that the CLI authentication is by default always available and even for third-party programs. We will discuss it again internal, what's the better option here and will come back to you.

@github-actions GitHub Actions
Copy link

This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it.

@github-actions github-actions bot added the Stale label May 30, 2025
@marceljk marceljk removed the Stale label May 30, 2025
@marceljk
Copy link
Contributor

marceljk commented Jun 2, 2025

Hi @jkroepke,
I just want to inform you, that we have still a look into this. I will inform you as soon as we have new information

@github-actions GitHub Actions
Copy link

This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it.

@github-actions github-actions bot added the Stale label Jun 10, 2025
@marceljk marceljk removed the Stale label Jun 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BackInBash BackInBash BackInBash left review comments

@marceljk marceljk marceljk left review comments

@bahkauv70 bahkauv70 Awaiting requested review from bahkauv70

@Fyusel Fyusel Awaiting requested review from Fyusel Fyusel is a code owner

@rubenhoenle rubenhoenle Awaiting requested review from rubenhoenle rubenhoenle is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jkroepke @marceljk @BackInBash @rubenhoenle