OpenStack provider authentication

Hi, I am trying to create a template that creates an OpenStack VM in the user's own project/account. What's the best way to authenticate users to the OpenStack provider? Current solution was to pass the OpenStack app credentials as parameters to the template, but this is not suitable for a production environment. I found this, but I am not sure how to use it. Can anyone help please?
18 Replies
Codercord, 8mo ago
Category: Help needed
Product: Coder (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Phorcys, 7mo ago
hey, have you been able to sort this out?
Andrej (OP), 7mo ago
@Phorcys nope, I think this is a similar issue to this issue. is there any chance of getting some sort of pre-script that would be able to set up credentials and that would be passed to the workspace parameters?
Phorcys, 7mo ago
sorry, I think I had misunderstood your issue. are you trying to let users use OpenStack commands inside their template with their own token? or do you want the VM for the workspaces to be provisioned via the user's token?
matifali, 7mo ago
I guess the latter. They are trying to provision the workspaces by using the user's token.
Andrej (OP), 7mo ago
yes. that was the idea but the issue with the token is that it expires. so the idea was to use the token to create credentials and then provision the workspace
Phorcys, 7mo ago
I don't think it's possible. provider blocks are loaded before coder_parameters or any other resources, or at least, that's what I figured out from trying something similar, and that's also what the Terraform docs suggest. meaning you can't pass a value from a resource to a provider, so you have no way of setting it dynamically other than via Terraform's built-in functions, or the provider itself needs to support it
Andrej (OP), 7mo ago
i am aware of this, but i was wondering if there is any possibility of having some sort of an init script that would be able to do this. the scenario would be
user creates workspace with a token -> init script creates credentials based on this token -> credentials are passed to the workspace as parameters
user deletes workspace -> credentials are loaded -> workspace is deleted
i am not familiar with coder codebase, so i have no idea if this is possible. rn, we create the credentials on our side and we pass them to coder, but we felt having it in the coder would be ideal
Phorcys, 7mo ago
well, not really, because the provisioning is handled within terraform, so you'd need to defer the provisioning part to your script, but then you lose all the other capabilities. you could authenticate the oc cli and then use that to create the workspace, but imo that'd be a bit overengineered. what is the motive behind wanting to use the user's token to provision the workspaces?
bpmct, 6mo ago
You could potentially use OIDC on OpenStack + External Auth to ask the user to link their openstack account, then pass that token to the provider:
- https://docs.mirantis.com/mosk/latest/user/federation-curl.html
- https://coder.com/docs/admin/external-auth
bpmct, 6mo ago
It would require some pretty fancy template magic. Plus, when you push the template you'd have to have some fallback "default" user since no user is specified then. Also, can definitely import parameters and other data sources into the provider block as far as I can tell
Phorcys, 6mo ago
seems like it is possible after all, my bad! i had some really weird issues trying to do stuff like this in past experiences so I just assumed you couldn't (@Andrej for visibility)
Andrej (OP), 6mo ago
hey, sorry i was working on some other things. I am aware of the stuff ben sent, but im not sure if i can do the "fancy template magic"
Phorcys, 6mo ago
alright, just wanted to make sure you got the messages :-)
Andrej (OP), 5mo ago
do you have any hints on how to do this? In fact i am already using a fallback default user to push a template. fyi this is a simple template that im using to test and develop. i have trouble understanding how to connect our OIDC provider to coder and then enable the template to access the token/credentials from there. a service that im developing is connected to oidc, so it shouldn't be that big of an issue
GitHub - andrejcermak/coder_template_os_vm
Phorcys, 5mo ago
hey, sorry for the delay, this is a tricky question and getting good answers sometimes takes time
Phorcys, 5mo ago
have you tried using External Auth as ben suggested?
Phorcys, 5mo ago
After setting it up, you'd get the access token through the coder_external_auth data source (e.g. data.coder_external_auth.openshift.access_token)