github cloudposse/atmos v1.180.0-rc.0

pre-release, 2 months ago

DEV-3258: OIDC Token Exchange @milldr (#1278)

what

This pull request introduces significant enhancements to the AtmosProAPIClient to support GitHub OIDC token-based authentication, improve error handling, and add corresponding unit tests. The changes include the addition of new constants, error definitions, helper functions for OIDC token management, and updates to existing methods to handle the new authentication flow.

Authentication Enhancements:

  • Added support for GitHub OIDC token-based authentication as a fallback when the API token is not provided. (pkg/pro/api_client.go, pkg/pro/requests.go)
  • Introduced helper functions getGitHubOIDCToken and exchangeOIDCTokenForAtmosToken to retrieve and exchange OIDC tokens for Atmos Pro tokens. (pkg/pro/api_client.go)

Error Handling Improvements:

  • Centralized error definitions for better maintainability and consistency. (pkg/pro/api_client.go)
  • Updated error messages across multiple methods to use formatted error constants. (pkg/pro/api_client.go)

Configuration Updates:

  • Replaced os.Getenv with viper.GetString for environment variable management, enabling better configuration handling. (pkg/pro/api_client.go)
  • Added a new environment variable ATMOS_PRO_WORKSPACE_ID for OIDC authentication. (pkg/config/const.go)

Unit Tests:

  • Added comprehensive unit tests for OIDC authentication, including scenarios for successful authentication, fallback to API token, and failure cases. (pkg/pro/api_client_test.go)

Struct Additions:

  • Defined new request and response structs for OIDC token exchange (GitHubOIDCAuthRequest, GitHubOIDCAuthResponse, GitHubOIDCResponse). (pkg/pro/requests.go)

why

Currently all the Atmos Pro functionality reads the API token out of the environment. We should leave that in place, but should use that token second only if we can't exchange an OIDC token for an Atmos token.

references

Summary by CodeRabbit

  • New Features

    • Added support for authentication using GitHub OIDC tokens as a fallback when an API token is not set.
    • Updated default API base URL and endpoint to new Atmos Pro service addresses.
    • Enhanced error reporting with more detailed and consistent error messages during authentication and API interactions.
  • Bug Fixes

    • Improved handling of missing authentication credentials, providing clearer error messages when both OIDC and API tokens are unavailable.
  • Tests

    • Introduced new tests to validate OIDC and API token authentication flows, including fallback scenarios and error handling.
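
The credential resolution described in these notes, as an added Go example (not code from the Atmos repository): it uses the API token when one is set, otherwise requests the GitHub Actions OIDC token and posts it with the workspace ID to an exchange endpoint. The exchange URL, the JSON field names `token` and `workspaceId`, and the variable names `ATMOS_PRO_TOKEN` and `EXCHANGE_URL` are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// call sends one request with a single header and decodes a 200 JSON reply into out.
func call(method, url, hdr, val string, body []byte, out any) error {
	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set(hdr, val)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: status %d", method, req.URL.Host, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}
// resolveToken: API token if set, else OIDC exchange (exchangeURL and JSON field names are assumed).
func resolveToken(apiToken, reqURL, reqToken, exchangeURL, workspaceID string) (string, error) {
	if apiToken != "" {
		return apiToken, nil
	}
	if reqURL == "" || reqToken == "" { // set only when the job has `id-token: write`
		return "", fmt.Errorf("no API token and no GitHub OIDC request environment")
	}
	var oidc, pro struct{ Value, Token string } // GitHub replies {"value": "<jwt>"}
	if err := call("GET", reqURL, "Authorization", "Bearer "+reqToken, nil, &oidc); err != nil || oidc.Value == "" {
		return "", fmt.Errorf("fetch GitHub OIDC token: %v", err)
	}
	body, _ := json.Marshal(map[string]string{"token": oidc.Value, "workspaceId": workspaceID})
	if err := call("POST", exchangeURL, "Content-Type", "application/json", body, &pro); err != nil || pro.Token == "" {
		return "", fmt.Errorf("exchange OIDC token: %v", err)
	}
	return pro.Token, nil
}
func main() {
	e := os.Getenv // ATMOS_PRO_TOKEN and EXCHANGE_URL are assumed variable names
	_, err := resolveToken(e("ATMOS_PRO_TOKEN"), e("ACTIONS_ID_TOKEN_REQUEST_URL"), e("ACTIONS_ID_TOKEN_REQUEST_TOKEN"), e("EXCHANGE_URL"), e("ATMOS_PRO_WORKSPACE_ID"))
	fmt.Println("credential resolved:", err == nil, err)
}
```

`main` prints only whether a credential was resolved, so the token itself never reaches the CI log.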
