Skip to content

add CLI authentication support for provider configuration #1076

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

add CLI authentication support for provider configuration #1076

wants to merge 2 commits into from

Conversation

@franklouwers
Copy link

@franklouwers franklouwers commented Nov 28, 2025

Add CLI Authentication Support

Overview

This PR implements CLI-based authentication for the Terraform provider, enabling users to authenticate using credentials from the STACKIT CLI without managing separate service account credentials. This addresses a longstanding user request for seamless authentication across STACKIT tools.

Related Issues & PRs

Closes: #719
Related Discussion: #880

Dependencies:

Motivation

Users currently need to create service accounts and manage credentials separately for Terraform, even when already authenticated with the STACKIT CLI. This creates friction and complexity, especially for personal development workflows.

As highlighted in issue #719:

  • Manual token extraction is cumbersome and error-prone
  • Short token lifetimes make the current workaround barely usable for long operations
  • Personal CLI sessions provide better audit logs than shared service accounts
  • Other cloud providers (AWS, Azure, GCP) offer seamless CLI-to-Terraform authentication

Implementation

User-Facing Changes

Two new optional provider attributes:

provider "stackit" {
  cli_auth    = true          # Enable CLI authentication (default: false)
  cli_profile = "production"  # Optional: specify CLI profile (default: auto-detected)
}

Authentication Priority

The provider now follows this precedence:

  1. Explicit credentials (service_account_key, service_account_key_path, token)
  2. CLI authentication (when cli_auth = true and CLI is authenticated)
  3. Environment variables / credentials file (existing behavior via sdkauth.SetupAuth())

This ensures backward compatibility while providing a convenient default for interactive use.

Profile Resolution

When cli_profile is not specified, the provider uses:

  1. STACKIT_CLI_PROFILE environment variable
  2. ~/.config/stackit/cli-profile.txt
  3. "default" profile

Technical Details

The implementation leverages the SDK's new config.WithCLIProviderAuth() function, which:

  • Reads credentials from system keyring (or file fallback)
  • Automatically refreshes expired tokens
  • Writes refreshed tokens back to storage (bidirectional sync with CLI)
  • Handles OAuth2 token refresh flow transparently

Cross-platform credential storage:

  • macOS: Keychain
  • Linux: Secret Service (gnome-keyring, KWallet)
  • Windows: Credential Manager
  • **Fallback:**File at ~/.stackit/cli-provider-auth-storage.txt

Usage Example

Before (Current Workflow)

# Create service account
stackit service-account create --project-id=<project>

# Download credentials (long-lived token)
stackit service-account key create --service-account-email=<email> > credentials.json

# Configure Terraform
export STACKIT_SERVICE_ACCOUNT_KEY_PATH=credentials.json
terraform apply

After (With CLI Auth)

# Authenticate once
stackit auth provider login

# Configure Terraform
cat > main.tf <<EOF
provider "stackit" {
  cli_auth = true
}
EOF

terraform apply

Design Decisions

Explicit Opt-In (RFC #880 Requirement)

The feature requires cli_auth = true to avoid confusion about authentication behavior. Users must consciously enable CLI authentication, making it clear where credentials originate.

Minimal Coupling

The provider only depends on the SDK's configuration interface. All credential management, token refresh, and storage logic resides in the SDK's core/cliauth package, maintaining clean separation of concerns.

Backward Compatibility

Existing authentication methods continue to work unchanged. The new feature is purely additive, with no breaking changes to provider configuration or behavior.

Documentation Updates Needed

  • Add CLI authentication section to provider documentation
  • Update authentication guide with CLI auth workflow
  • Add troubleshooting section for CLI auth issues
  • Update examples to show CLI auth usage

Migration Path

  1. SDK PR #3865 must be merged and released
  2. CLI PR #1130 must be merged and released
  3. Update provider's go.mod to use SDK version with CLI auth support
  4. This PR can then be merged
  5. Documentation updates published
  6. Announce feature availability

Checklist

  • Issue was linked above
  • Code format was applied: make fmt
  • Examples were added / adjusted (see examples/ directory)
  • Docs are up-to-date: make generate-docs (will be checked by CI)
  • Unit tests got implemented or updated
  • Acceptance tests got implemented or updated (see e.g. here)
  • Unit tests are passing: make test (will be checked by CI)
  • No linter issues: make lint (will be checked by CI)

@franklouwers franklouwers requested a review from a team as a code owner November 28, 2025 07:49
@franklouwers
feat: add CLI authentication support for provider configuration
5872de6 
This commit adds support for CLI-based authentication in the Terraform
provider, enabling users to authenticate using credentials from the
STACKIT CLI without managing separate service account credentials.

Changes:
- Add cli_auth boolean attribute to enable CLI authentication
- Add cli_profile string attribute for profile selection
- Implement authentication priority: explicit credentials > CLI > env vars
- Integrate with SDK's WithCLIProviderAuth() configuration option

The implementation follows the explicit opt-in pattern requested in
RFC stackitcloud#880, requiring users to set cli_auth = true to enable the feature.
Profile resolution follows the standard precedence: explicit config >
STACKIT_CLI_PROFILE env var > ~/.config/stackit/cli-profile.txt > default.

This change depends on SDK PR stackitcloud/stackit-sdk-go#3865 which
adds the core CLI authentication functionality, and CLI PR
stackitcloud/stackit-cli#1130 which implements the provider credential
storage.

Closes stackitcloud#719
Related to stackitcloud#880
@franklouwers franklouwers force-pushed the feature/cli-provider-auth branch from 42832a0 to 5872de6 Compare November 28, 2025 07:56
@franklouwers
chore: add temporary replace directive for SDK CLI auth support
8a3bd78 
Add replace directive to use SDK fork with CLI authentication support
from PR stackitcloud/stackit-sdk-go#3865 until it's merged and released.

This allows the provider to be built and tested with the CLI auth
functionality before the SDK changes are officially released.

The replace directive references commit 25b6b99bd648 from
github.com/franklouwers/stackit-sdk-go/core which includes the
core/cliauth package and config.WithCLIProviderAuth() function.

Once SDK PR #3865 is merged and a new SDK version is released,
this replace directive should be removed and the provider updated
to require the new SDK version.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

has internal tracking issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@franklouwers @marceljk