
Support authentication_type=security_token

Open b-dean opened this issue 2 years ago • 3 comments

We use oci session authenticate with the environment variable OCI_CLI_AUTH=security_token set. This means our ~/.oci/config file doesn't actually have a setting for user, which causes the config validation to fail.

[DEFAULT]
fingerprint =<your_fingerprint>
key_file = /home/someone/.oci/sessions/DEFAULT/oci_api_key.pem
tenancy = ocid1.tenancy.oc1..<unique_ID>
region = us-ashburn-1
security_token_file = /home/someone/.oci/sessions/DEFAULT/token

This means that I have to make some other OCI user and manage keys in order to get the ruby sdk to work. So things like @stephenpearson's kitchen-oci won't work with my normal authentication methods.

Other SDKs handle this security token auth just fine. (Notably oci-python-sdk, used by oci-cli; and oci-go-sdk used by terraform-provider-oci and packer-plugin-oracle.)

b-dean avatar Aug 19 '22 19:08 b-dean

So I fiddled with this a bit and figured out a way to do it, but it's ugly:

require 'oci'

# Load the profile the CLI would use (OCI_CLI_PROFILE, falling back to DEFAULT).
profile = ENV['OCI_CLI_PROFILE'] || 'DEFAULT'
config = OCI::ConfigFileLoader.load_config(profile_name: profile)

# The session key pair written by `oci session authenticate`; key_file in the
# profile points at it. pass_phrase is nil unless the profile sets one.
pkey_content = IO.read(config.key_file).strip
pkey = OpenSSL::PKey::RSA.new(pkey_content, config.pass_phrase)

# OCI::Config doesn't have any accessor for security_token_file, so the token
# path has to be reconstructed from the session directory layout by hand.
token = IO.read(File.expand_path("~/.oci/sessions/#{profile}/token")).strip

# Sign requests with the session token plus the session private key instead
# of an API-key signer (which would require a user OCID in the profile).
signer = OCI::Auth::Signers::SecurityTokenSigner.new(token, pkey)

identity = OCI::Identity::IdentityClient.new(config: config, signer: signer)
puts identity.list_regions.data

It would be nice if the SDK supported security_token for an authentication type, in OCI::Signer.config_file_auth_builder(config), here, but based on these docs on session auth and SDK use, it seems like we are expected to configure the signers ourselves. Looking at other SDKs, oci-python-sdk doesn't support it, neither does oci-go-sdk. :unamused:

b-dean avatar Sep 07 '22 16:09 b-dean

@b-dean cc @ZiyaoQiao The Go SDK supports the Session based Authentication. The public docs are pending an update. Go SDK example: https://github.com/oracle/oci-go-sdk/blob/master/example/example_securityTokenBasedAuth_test.go Python SDK supports this authentication in a similar fashion that you have come up with. Read more at: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm#:~:text=%2D%2Dauth%20security_token-,For%20SDKs,-To%20run%20SDKs

github-anurag avatar Sep 07 '22 16:09 github-anurag

# Reopen OCI::Config so the config file loader can populate the
# security_token_file key from the profile instead of ignoring it.
module OCI
  class Config
    attr_accessor :security_token_file
  end
end

... config.security_token_file ...

Slight change so you don't have to hard code the token path in the above code.

msg7086 avatar Aug 16 '24 00:08 msg7086
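The two workarounds above both have to decide, per profile, whether to build a SecurityTokenSigner or an API-key signer, and neither checks the one thing that bites session auth in practice: the token written by `oci session authenticate` is a short-lived JWT, and an expired one fails only once a request reaches the service. The following is an added example, not code from the oci-ruby-sdk project or from anyone in this thread. It parses a constructed ~/.oci/config, picks the auth type from the keys present (mirroring what a `security_token` authentication_type in the SDK would need to do), and checks the token's `exp` claim locally before the token is handed to a signer. It deliberately does not require the `oci` gem so it runs stand-alone; the sample config, the OCIDs and the unsigned JWT are all constructed, and `parse_oci_config`, `auth_type_for`, `session_token_expired?` and `fake_session_token` are names chosen here, not SDK API.

```ruby
require 'base64'
require 'json'
require 'time'

# Constructed sample ~/.oci/config: a session-auth profile (no user key) and a
# classic API-key profile. The OCIDs and fingerprints are placeholders.
SAMPLE_CONFIG = <<~INI
  [DEFAULT]
  fingerprint = 20:3b:97:13:55:1c:5b:0d:d3:37:d8:50:4e:c5:3a:34
  key_file = /home/someone/.oci/sessions/DEFAULT/oci_api_key.pem
  tenancy = ocid1.tenancy.oc1..example
  region = us-ashburn-1
  security_token_file = /home/someone/.oci/sessions/DEFAULT/token

  [apikey]
  user = ocid1.user.oc1..example
  fingerprint = 6a:2f:1c:9d:47:0e:b3:55:88:c1:d2:e4:f5:06:17:28
  key_file = /home/someone/.oci/oci_api_key.pem
  tenancy = ocid1.tenancy.oc1..example
  region = us-phoenix-1
INI

# Minimal parser for the OCI config format: [profile] headers, key = value
# lines, blank lines and # comments. Returns { profile => { key => value } }.
def parse_oci_config(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
      profiles[current] = {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      profiles[current][m[1].strip] = m[2].strip
    end
  end
  profiles
end

# Choose the signer type from the keys present. A session profile carries
# security_token_file and no user OCID; an API-key profile carries user.
# Anything else cannot be signed and is rejected up front rather than at
# request time.
def auth_type_for(profile)
  return :security_token if profile.key?('security_token_file')
  return :api_key if profile.key?('user')
  raise ArgumentError, 'profile has neither security_token_file nor user'
end

# Session tokens are JWTs. Decode the payload only; the signature is not
# verified here because the local check is about expiry, and the service
# verifies the signature on every request anyway.
def jwt_payload(token)
  parts = token.split('.')
  raise ArgumentError, 'security token is not a JWT' unless parts.length == 3
  JSON.parse(Base64.urlsafe_decode64(parts[1]))
end

# True when the token's exp claim is at or before `now`. Call this before
# building a SecurityTokenSigner so an expired session is reported clearly
# instead of surfacing as a 401 from the first API call.
def session_token_expired?(token, now: Time.now)
  exp = jwt_payload(token)['exp']
  raise ArgumentError, 'security token has no exp claim' unless exp
  Time.at(exp) <= now
end

# Build a constructed, unsigned JWT with the given exp for the demonstration.
# The third segment is junk; a real token is RS256-signed by the identity service.
def fake_session_token(exp)
  header = Base64.urlsafe_encode64({ 'alg' => 'RS256', 'typ' => 'JWT' }.to_json, padding: false)
  payload = Base64.urlsafe_encode64({ 'sub' => 'ocid1.user.oc1..example', 'exp' => exp }.to_json, padding: false)
  "#{header}.#{payload}.c2lnbmF0dXJl"
end

if __FILE__ == $PROGRAM_NAME
  profiles = parse_oci_config(SAMPLE_CONFIG)
  profiles.each do |name, profile|
    puts "#{name}: #{auth_type_for(profile)}"
  end
  stale = fake_session_token((Time.now - 60).to_i)
  puts "stale token expired? #{session_token_expired?(stale)}"
end
```

In the real flow the token string comes from reading `profile['security_token_file']` (the path msg7086's accessor exposes) and, if `session_token_expired?` returns true, the right response is to re-run `oci session authenticate` or `oci session refresh` rather than to construct the signer.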