search
Home

Dynamic Provider Credentials

circle-info

This feature is available from version 2.21.0

hashtag
Generate Public and Private Key.

To use Dynamic Provider credentials we need to genera a public and private key that will be use to generate a validate the federated tokens, we can use the following commands

openssl genrsa -out private_temp.pem 2048
openssl rsa -in private_temp.pem -outform PEM -pubout -out public.pem

You need to make sure the private key starts with "-----BEGIN PRIVATE KEY-----" if not the following command can be used to transform the private key to the correct format

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_temp.pem -out private.pem

The public and private key need to be mounted inside the container and the path should be specify in the following environment variables

  • DynamicCredentialPublicKeyPath

  • DynamicCredentialPrivateKeyPath

hashtag
Public Endpoints Requirements

To use Dynamic Provider credentials the following public endpoints were added. This endpoint needs to be accessible for your different cloud providers.

GET https://TERRAKUBE.MYSUPERDOMAIN.COM/.well-known/openid-configuration
{
  "issuer": "https://TERRAKUBE.MYSUPERDOMAIN.COM",
  "jwks_uri": "https://TERRAKUBE.MYSUPERDOMAIN.COM/.well-known/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "claims_supported": [
    "sub",
    "aud",
    "exp",
    "iat",
    "iss",
    "jti",
    "terrakube_workspace_id",
    "terrakube_organization_id",
    "terrakube_job_id"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ]
}

hashtag
Terrakube Environment Variables:

The following environment variables can be used to customize the dynamic credentials configuration:

  • DynamicCredentialId = This will be the kid in the JWKS endpoint (Default value: 03446895-220d-47e1-9564-4eeaa3691b42)

  • DynamicCredentialTtl= The TTL for the federated token generated internally in Terrakube (Defafult: 30)

  • DynamicCredentialPublicKeyPath= The path to the public key to validate the federated tokens

  • DynamicCredentialPrivateKeyPath=The path to the private key to generate the federated tokens

hashtag
Token structure

Terrakube will generate a JWT token internally, this token will be used to authenticate to your cloud provider.

The token structure looks like the following for Azure

The token structure looks like the following for GCP

The token structure looks like the following for AWS

PreviousVariablesNextAWS Dynamic Provider Credentials

Was this helpful?