New authentication method option: ephemeral

Open jerome-jutteau opened this issue 4 years ago • 0 comments

As a osc-cli user, for compliance reasons, I must:

Use ephemeral Access Keys (AK with a lifetime limit which could be pretty short e.g. 1 hour)
Not store my login and my passphrase on a persistent storage
Be able to use osc-cli regularly without having to provide my login/password at each osc-cli invocation (useful for mind safety and automation)

Currently, we have two authentication methods: password or accesskey. This issue introduces a new authentication method: ephemeral.

When --authentication-method=ephemeral is passed, osc-cli will use a login/passphrase in order to create an ephemeral Access Key which will be used and stored in a ramdisk such as /tmp/.osc-cli-profilename.json (chmod 600). With this option, osc-cli will also ignore Access Key provided in config file.

On later use, osc-cli (with --authentication-method=ephemeral) will use the Access Key from this file without needing a password until the Access Key expire.

Future steps (not in this issue):

Add interactive passphrase prompt option
Automatically renew ephemeral Access Key before it expires

Apr 29 '21 08:04 jerome-jutteau