
Workload Identity Federation Auth #199

Merged: 4 commits merged into main from f-wif on Jul 29, 2023

Conversation

dadgar (Contributor) commented Jul 29, 2023

🛠️ Description

Add the ability to authenticate using workload identity federation. This allows the SDK to source a workload credential and exchange it for an HCP service principal credential. The workload credential may be sourced from a:

  • environment variable
  • a file
  • an HTTP request
  • AWS IMDS

🔗 External Links

RFC HCP-363 and HCP-378.

👍 Definition of Done

  • SDK added
  • SDK updated
  • Tests added?
  • Docs updated?

Manual Testing

  1. On PRDE created an SP and an identity provider pointing at my PRDE AWS account
  2. Compiled and ran the following binary on PRDE (tried both IMDSv2: true and false)

```go
package main

import (
	"crypto/tls"
	"log"

	"github.com/hashicorp/hcp-sdk-go/auth/workload"
	"github.com/hashicorp/hcp-sdk-go/config"
)

func main() {
	// Workload identity provider resource that the AWS credential is exchanged against.
	providerConfig := &workload.IdentityProviderConfig{
		ProviderResourceName: "iam/project/58967b2f-bc68-464e-8fb7-8e7d65b377f8/service-principal/test/workload-identity-provider/aws",
		AWS: &workload.AWSCredentialSource{
			IMDSv2: true,
		},
	}

	p, err := workload.New(providerConfig)
	if err != nil {
		log.Fatal(err)
	}

	// Wire the provider into an HCP config (API host redacted).
	_, err = config.NewHCPConfig(config.WithWorkloadIdentity(p), config.WithAPI("XXX.hashicorp.services", &tls.Config{}))
	if err != nil {
		log.Fatal(err)
	}

	// Source the workload credential and exchange it for an HCP token.
	t, err := p.Token()
	if err != nil {
		log.Fatal(err)
	}

	log.Printf("token: %#v", t)
}
```

  3. Printed a valid access token.

dadgar added 4 commits July 28, 2023 20:02
The `auth/workload` package allows retrieving credentials using workload
identity federation.
@dadgar dadgar merged commit cd65c59 into main Jul 29, 2023
@dadgar dadgar deleted the f-wif branch July 29, 2023 03:03