Skip to content

Commit ac5d8b9

Browse files
committed
support STACKIT_FEDERATED_TOKEN_FILE
1 parent 182ff35 commit ac5d8b9

4 files changed

Lines changed: 215 additions & 203 deletions

File tree

AUTHENTICATION.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -128,4 +128,6 @@ Using this flow is less secure since the token is long-lived. You can provide th
128128
STACKIT_SERVICE_ACCOUNT_EMAIL=my-sa@sa.stackit.cloud
129129
# Optional: provide the OIDC token directly instead of auto-detecting it from the CI environment
130130
STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN=<oidc-token>
131+
# Optional: provide a file path containing the OIDC token
132+
STACKIT_FEDERATED_TOKEN_FILE=/path/to/oidc-token.jwt
131133
```

internal/cmd/auth/activate-service-account/activate_service_account_test.go

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -204,4 +204,3 @@ func TestStoreCustomEndpointFlags(t *testing.T) {
204204
})
205205
}
206206
}
207-

internal/pkg/auth/oidc.go

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@ const (
1212
EnvUseOIDC = "STACKIT_USE_OIDC"
1313
EnvServiceAccountEmail = "STACKIT_SERVICE_ACCOUNT_EMAIL"
1414
EnvServiceAccountFederatedToken = "STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN" //nolint:gosec // linter false positive
15+
EnvFederatedTokenFile = "STACKIT_FEDERATED_TOKEN_FILE"
1516
EnvGitHubRequestURL = "ACTIONS_ID_TOKEN_REQUEST_URL"
1617
EnvGitHubRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN" //nolint:gosec // linter false positive
1718
EnvAzureOIDCRequestURI = "SYSTEM_OIDCREQUESTURI"
@@ -38,8 +39,8 @@ func OIDCServiceAccountEmail() string {
3839

3940
// TokenFunc returns the OIDCTokenFunc to use for Workload Identity Federation.
4041
// It checks the following token sources in order: STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN,
41-
// GitHub Actions (ACTIONS_ID_TOKEN_REQUEST_URL + ACTIONS_ID_TOKEN_REQUEST_TOKEN), and
42-
// Azure DevOps (SYSTEM_OIDCREQUESTURI + SYSTEM_ACCESSTOKEN).
42+
// STACKIT_FEDERATED_TOKEN_FILE, GitHub Actions (ACTIONS_ID_TOKEN_REQUEST_URL +
43+
// ACTIONS_ID_TOKEN_REQUEST_TOKEN), and Azure DevOps (SYSTEM_OIDCREQUESTURI + SYSTEM_ACCESSTOKEN).
4344
// Returns an error if no source is detected.
4445
func OIDCTokenFunc() (oidcadapters.OIDCTokenFunc, error) {
4546
// static token provided directly via env var
@@ -49,6 +50,11 @@ func OIDCTokenFunc() (oidcadapters.OIDCTokenFunc, error) {
4950
}, nil
5051
}
5152

53+
// token read from filesystem path via env var
54+
if tokenFilePath := os.Getenv(EnvFederatedTokenFile); tokenFilePath != "" {
55+
return oidcadapters.ReadJWTFromFileSystem(tokenFilePath), nil
56+
}
57+
5258
// GitHub Actions
5359
if ghURL := os.Getenv(EnvGitHubRequestURL); ghURL != "" {
5460
if ghToken := os.Getenv(EnvGitHubRequestToken); ghToken != "" {
@@ -65,10 +71,10 @@ func OIDCTokenFunc() (oidcadapters.OIDCTokenFunc, error) {
6571

6672
return nil, fmt.Errorf(
6773
"%s is enabled but no OIDC token source was detected\n"+
68-
"Provide the token via %s, or run in a supported CI environment:\n"+
74+
"Provide the token via %s or %s, or run in a supported CI environment:\n"+
6975
" - GitHub Actions: grant 'id-token: write' permission; %s and %s are set automatically by the runner\n"+
7076
" - Azure DevOps: pass 'SYSTEM_ACCESSTOKEN: $(System.AccessToken)' in your pipeline step",
71-
EnvUseOIDC, EnvServiceAccountFederatedToken,
77+
EnvUseOIDC, EnvServiceAccountFederatedToken, EnvFederatedTokenFile,
7278
EnvGitHubRequestURL, EnvGitHubRequestToken,
7379
)
7480
}

0 commit comments

Comments
 (0)