Skip to content

feat(ContainerAuthenticator): enhance ContainerAuthenticator to support Code Engine workload #218

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 7, 2025
Merged

feat(ContainerAuthenticator): enhance ContainerAuthenticator to support Code Engine workload #218

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions Authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -317,10 +317,10 @@ service = ExampleServiceV1.new_instance(service_name='example_service')
## Container Authentication
The `ContainerAuthenticator` is intended to be used by application code
running inside a compute resource managed by the IBM Kubernetes Service (IKS)
in which a secure compute resource token (CR token) has been stored in a file
within the compute resource's local file system.
or IBM Cloud Code Engine in which a secure compute resource token (CR token)
has been stored in a file within the compute resource's local file system.
The CR token is similar to an IAM apikey except that it is managed automatically by
the compute resource provider (IKS).
the compute resource provider (IKS or Code Engine).
This allows the application developer to:
- avoid storing credentials in application code, configuration files or a password vault
- avoid managing or rotating credentials
Expand All @@ -340,7 +340,9 @@ The IAM access token is added to each outbound request in the `Authorization` he

- cr_token_filename: (optional) The name of the file containing the injected CR token value.
If not specified, then the authenticator will first try `/var/run/secrets/tokens/vault-token`
and then `/var/run/secrets/tokens/sa-token` as the default value (first file found is used).
and then `/var/run/secrets/tokens/sa-token` and finally
`/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token` as the default value
(first file found is used).
The application must have `read` permissions on the file containing the CR token value.

- iam_profile_name: (optional) The name of the linked trusted IAM profile to be used when obtaining the
Expand Down
15 changes: 10 additions & 5 deletions ibm_cloud_sdk_core/token_managers/container_token_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# coding: utf-8

# Copyright 2021, 2024 IBM All Rights Reserved.
# Copyright 2021, 2025 IBM All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -53,8 +53,9 @@ class ContainerTokenManager(IAMRequestBasedTokenManager):
This can be used to obtain an access token with a specific scope.

Keyword Args:
cr_token_filename: The name of the file containing the injected CR token value
(applies to IKS-managed compute resources). Defaults to "/var/run/secrets/tokens/vault-token".
cr_token_filename: The name of the file containing the injected CR token value. Defaults to
"/var/run/secrets/tokens/vault-token", or "/var/run/secrets/tokens/sa-token" and
"/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token" when not provided.
iam_profile_name: The name of the linked trusted IAM profile to be used when obtaining the IAM access token
(a CR token might map to multiple IAM profiles).
One of iam_profile_name or iam_profile_id must be specified.
Expand Down Expand Up @@ -82,6 +83,7 @@ class ContainerTokenManager(IAMRequestBasedTokenManager):

DEFAULT_CR_TOKEN_FILENAME1 = '/var/run/secrets/tokens/vault-token'
DEFAULT_CR_TOKEN_FILENAME2 = '/var/run/secrets/tokens/sa-token'
DEFAULT_CR_TOKEN_FILENAME3 = '/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token'

def __init__(
self,
Expand Down Expand Up @@ -129,11 +131,14 @@ def retrieve_cr_token(self) -> str:
# If the user specified a filename, then use that.
cr_token = self.read_file(self.cr_token_filename)
else:
# If the user didn't specify a filename, then try our two defaults.
# If the user didn't specify a filename, then try our three defaults.
try:
cr_token = self.read_file(self.DEFAULT_CR_TOKEN_FILENAME1)
except:
cr_token = self.read_file(self.DEFAULT_CR_TOKEN_FILENAME2)
try:
cr_token = self.read_file(self.DEFAULT_CR_TOKEN_FILENAME2)
except:
cr_token = self.read_file(self.DEFAULT_CR_TOKEN_FILENAME3)
return cr_token
except Exception as ex:
# pylint: disable=broad-exception-raised
Expand Down