serverless-openwhisk icon indicating copy to clipboard operation
serverless-openwhisk copied to clipboard

Published 20 hours ago verified publisher icon serverless

Add support for IAM namespaces on IBM Cloud

Open jthomas opened this issue 5 years ago • 10 comments

Need to use custom auth plugin for new IAM-based namespaces.

https://github.com/ibm-functions/iam-token-manager-nodejs

jthomas avatar May 22 '19 11:05 jthomas

Should also provide a mechanism to add service access policies to Cloud Functions namespace for other services.

jthomas avatar May 29 '19 09:05 jthomas

I've a patch available that adds IAM, however there seems https://github.com/serverless/serverless-openwhisk/issues/167 introduced a regression, e.g. applying the patch to an earlier version works. https://github.com/serverless/serverless-openwhisk/pull/172

dpittner avatar Jun 11 '19 14:06 dpittner

@dpittner Could you open an issue with details on the regression and I'll have a look?

jthomas avatar Jun 12 '19 12:06 jthomas

I've started work on this feature. https://github.com/serverless/serverless-openwhisk/commit/9e6930f8fd8de94adbca2c5b69e0dcc5fc5a28e4

I also want to add support to use the ibmcloud iam oauth-tokens command to automatically create the token rather than having to manually provision and use API keys.

jthomas avatar Jul 05 '19 15:07 jthomas

More work on this issue has enabled support for API keys and using .bluemix/config.json for tokens (with auto-refresh).

Need to add the following....

  • [ ] Update documentation with these new features.
  • [x] Add additional checks that config file exists
  • [x] Add helpful errors messages when user is not logged in.

jthomas avatar Jul 18 '19 16:07 jthomas

This feature is blocked until IBM Cloud Functions APIGW supports configuration using IAM API keys.

jthomas avatar Jul 22 '19 16:07 jthomas

Any update on this? I don't seem to be able to create a new cloud foundry namespace any longer

bn326160 avatar Jun 19 '20 08:06 bn326160

I got it to work using a valid APIGW_ACCESS_TOKEN & IAM_NAMESPACE_API_KEY in your .wskprops or ENV variables. And then upgrading to the github version of this package: npm i git+https://github.com/serverless/serverless-openwhisk.git

bn326160 avatar Jun 22 '20 23:06 bn326160

@bn326160 can you explain a bit further how to set the valid token and api key in .wskprops. My .wskprops looks like this: image

I am getting this error when deploying: Failed to deploy function (myservice-dev-hello) due to error: PUT https://us-south.functions.cloud.ibm.com/api/v1/namespaces/_/actions/myservice-dev-hello?overwrite=true Returned HTTP 401 (Unauthorized) --> "The supplied authentication is invalid"

Looking forward to your response.

Thanks

raheel-ahmad avatar Jul 16 '20 09:07 raheel-ahmad

@raheel4839 Looks like you're missing IAM_NAMESPACE_API_KEY. + Did you install the github version?

bn326160 avatar Jul 25 '20 09:07 bn326160