oci-go-sdk
DefaultConfigProvider fails to parse encrypted private key while CLI works
The common.DefaultConfigProvider() in the OCI Go SDK is failing to properly read an encrypted private key from the default configuration file, while the OCI CLI works correctly with the same configuration.
Environment
OCI Go SDK Version: v65.75.2
Go Version: go1.22.4 darwin/arm64
Steps to Reproduce
- Set up an OCI configuration file at ~/.oci/config with an encrypted private key:
[DEFAULT]
user=<user_ocid>
fingerprint=<fingerprint>
key_file=<path_to_key_file>
tenancy=<tenancy_ocid>
region=<location>
pass_phrase=<passphrase>
- Verify the OCI CLI works
oci iam compartment list
This command succeeds and returns a list of compartments
- Go code
package main

import (
	"fmt"

	"github.com/oracle/oci-go-sdk/v65/common"
	"github.com/oracle/oci-go-sdk/v65/identity"
)

func main() {
	// Reads ~/.oci/config (DEFAULT profile), including key_file and pass_phrase.
	configProvider := common.DefaultConfigProvider()

	// The client value is discarded; only the construction error matters here.
	_, err := identity.NewIdentityClientWithConfigurationProvider(configProvider)
	if err != nil {
		fmt.Printf("Failed to create identity client: %v\n", err)
		return
	}
	fmt.Println("Successfully created identity client")
}
Expected Behavior
The Go program should successfully create an identity client, just as the CLI is able to use the same configuration to make API calls.
Actual Behavior
The Go program fails with an error:
can not create client, bad configuration: did not find a proper configuration for private key
Additional Context
- The private key is encrypted, and the passphrase is provided in the config file.
- The OCI CLI works correctly with this configuration, indicating that the file paths and permissions are correct.
- Attempts to use ConfigurationProviderFromFileWithProfile with the passphrase explicitly provided also fail.
- Attempts to use NewRawConfigurationProvider fail too, with a private key parsing error.
Questions
- Does the SDK need an unencrypted private key file to be passed?
- Are there any environment variables that need to be set for the SDK to correctly use the passphrase?
- Is there a difference in how the CLI and the SDK read the configuration that could explain this discrepancy?
Hi @ak-emphere - This is a known issue where the Go SDK does not support encrypted PKCS8 keys. Are you also using PKCS8 keys?
Yes, it's PKCS8, @jyotisaini. Is there a workaround I can use here?
No, we don't have a workaround, but my team is working on adding this support, which is currently in the testing phase. We are targeting a release by the end of this month.
Thanks for the timeline. Would it be possible to link this issue to that upcoming release? Or is there another issue I can subscribe to?
I don't think there is another issue for this. We can link this issue with the upcoming release.
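To check whether a key file falls into the encrypted PKCS8 case named in the maintainer's reply above, the PEM block type and headers can be inspected before the key is handed to a config provider. This is an added example, not code from the issue or the SDK; `classifyKey` and `constructedSample` are hypothetical names, and the sample block is constructed with placeholder ciphertext rather than real key material.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// encryptedPrivateKeyInfo mirrors PKCS#8 EncryptedPrivateKeyInfo (RFC 5958).
type encryptedPrivateKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	Data      []byte
}

// classifyKey reports how the first PEM block in data is protected.
func classifyKey(data []byte) string {
	block, _ := pem.Decode(data)
	if block == nil {
		return "not PEM"
	}
	// Legacy PEM encryption keeps the plain block type and adds a DEK-Info header.
	if _, ok := block.Headers["DEK-Info"]; ok {
		return "legacy PEM encryption (" + block.Type + ")"
	}
	switch block.Type {
	case "ENCRYPTED PRIVATE KEY": // the case the maintainer describes as unsupported
		var info encryptedPrivateKeyInfo
		if _, err := asn1.Unmarshal(block.Bytes, &info); err != nil {
			return "encrypted PKCS#8 (unparseable)"
		}
		return "encrypted PKCS#8, scheme OID " + info.Algorithm.Algorithm.String()
	case "PRIVATE KEY", "RSA PRIVATE KEY":
		return "unencrypted (" + block.Type + ")"
	}
	return "unknown block type " + block.Type
}

// constructedSample builds a placeholder encrypted PKCS#8 block (assumption: PBES2).
func constructedSample() []byte {
	info := encryptedPrivateKeyInfo{Data: []byte("placeholder ciphertext")}
	info.Algorithm.Algorithm = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13} // PBES2
	der, _ := asn1.Marshal(info)
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: der})
}

func main() {
	fmt.Println(classifyKey(constructedSample()))
}
```

Only the outer structure is read, so no passphrase is needed to run the check.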