OpenStack provider authentication

Hi, I am trying to create a template that creates an OpenStack VM in the user's own project/account. What's the best way to authenticate users to the OpenStack provider? The current solution was to pass the OpenStack app credentials as parameters to the template, but this is not suitable for a production environment. I found this, but I am not sure how to use it. Can anyone help please?
Codercord, 2mo ago
Category: Help needed
Product: Coder (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Phorcys, 2mo ago
hey, have you been able to sort this out?
Andrej (OP), 2mo ago
@Phorcys nope, I think this is a similar issue to this issue. Is there any chance of getting some sort of pre-script that would be able to set up credentials and that would be passed to the workspace parameters?
Phorcys, 2mo ago
sorry, I think I had misunderstood your issue
are you trying to let users use OpenStack commands inside their template with their own token? or do you want the VM for the workspaces to be provisioned via the user's token?
Atif, 2mo ago
I guess the latter. They are trying to provision the workspaces by using the user's token.
Andrej (OP), 2mo ago
yes. that was the idea but the issue with the token is that it expires. so the idea was to use the token to create credentials and then provision the workspace
Phorcys, 4w ago
I don't think it's possible
provider blocks are loaded before coder_parameters or any other resources
or at least, that's what I figured out from trying something similar, and that's also what the Terraform docs suggest
meaning you can't pass a value from a resource to a provider, so you have no way of setting it dynamically other than via Terraform's built-in functions, or the provider itself needs to support it
Andrej (OP), 4w ago
i am aware of this, but i was wondering if there is any possibility of having some sort of an init script that would be able to do this. the scenario would be
user creates workspace with a token -> init script creates credentials based on this token -> credentials are passed to the workspace as parameters
user deletes workspace -> credentials are loaded -> workspace is deleted
i am not familiar with the coder codebase, so i have no idea if this is possible. rn, we create the credentials on our side and we pass them to coder, but we felt having it in coder would be ideal
Phorcys, 3w ago
well, not really, because the provisioning is handled within terraform
so you'd need to defer the provisioning part to your script, but then you lose all the other capabilities
you could authenticate the oc cli and then use that to create the workspace, but imo that'd be a bit overengineered
what is the motive behind wanting to use the user's token to provision the workspaces?
bpmct, 3d ago
You could potentially use OIDC on OpenStack + External Auth to ask the user to link their openstack account, then pass that token to the provider:
- https://docs.mirantis.com/mosk/latest/user/federation-curl.html
- https://coder.com/docs/admin/external-auth
bpmct, 3d ago
It would require some pretty fancy template magic. Plus, when you push the template you'd have to have some fallback "default" user since no user is specified then.
Also, can definitely import parameters and other data sources into the provider block as far as I can tell
Phorcys, 2d ago
seems like it is possible after all, my bad! i had some really weird issues trying to do stuff like this in past experiences so I just assumed you couldn't
