Skip to content

auth_providers.md

Latest commit

 

History

History
97 lines (85 loc) · 2.96 KB

auth_providers.md

File metadata and controls

97 lines (85 loc) · 2.96 KB

Auth Providers

What is an auth provider in the context of kfutil? It's a way to source credentials needed to connect to a Keyfactor Command API from a secure location rather than a file on disk or environment variables.

Available Auth Providers

Azure Key Vault

The Azure Key Vault auth provider allows you to source credentials from an Azure Key Vault instance using Azure Managed Identity.

Configuration

Below is an example configuration for the Azure Key Vault auth provider. This can be placed in the $HOME/.keyfactor/command_config.json file and will be used by kfutil to source credentials for the Keyfactor product or service you are connecting to.

{
  "servers": {
    "default": {
      "auth_provider": {
        "type": "azid",
        "profile": "default",
        "parameters": {
          "secret_name": "kfutil-credentials",
          "vault_name": "keyfactor-command-secrets"
        }
      }
    }
  }
}

Azure Key Vault Secret Format

The format of the Azure Key Vault secret should be the same as if you were to run kfutil login and go through the interactive auth flow. Here's an example of what that would look like:

Basic Auth Example

{
  "servers": {
    "default": {
      "host": "my.kfcommand.domain",
      "username": "my_kfcommand_username",
      "password": "my_kfcommand_password",
      "domain": "my_kfcommand_domain",
      "api_path": "KeyfactorAPI"
    }
  }
}

oAuth Client Credentials Example

{
  "servers": {
    "default": {
      "host": "my.kfcommand.domain",
      "client_id": "my_oauth_client_id",
      "client_secret": "my_oauth_client_secret",
      "token_url": "https://my_oauth_token_url",
      "api_path": "Keyfactor/API"
    }
  }
}

Usage

Default

With the above configuration in placed in the default path $HOME/.keyfactor/command_config.json the utility will implicitly attempt to source credentials from the Azure Key Vault instance.

kfutil stores list
Explicit

You can also explicitly specify the auth provider to use by passing the --auth-provider flags to the utility as shown below. The file format will still be the same as above.

kfutil \
  --auth-provider-type azid \
  --auth-provider-profile default \
  --config /path/to/config/file.json \
  stores list

The above explicitly tells the utility to only attempt to use the Azure Key Vault auth provider. This mode will not fail to user interactive or environmental variable auth if provided. The example also shows how to specify a custom path to the auth provider configuration file and what profile to look for in the configuration file stored in Azure.