[DELA-208] Adding delegated token authentication in python client #2860
Conversation
juskeeratanand
changed the title
| :param headers: Header parameters dict to be updated. | ||
| :raises: ApiValueError if delegated token authentication fails | ||
| """ | ||
| from datetime import datetime |
There was a problem hiding this comment.
Thought: Is this necessary, or can it be rolled up into a more global import?
src/datadog_api_client/aws.py
Outdated
| :return: User agent string | ||
| """ | ||
| import platform |
There was a problem hiding this comment.
Thought: Do we need this import at the function level?
src/datadog_api_client/api_client.py
Outdated
| # Check if we have cached credentials | ||
| if not hasattr(self.configuration, "_delegated_token_credentials"): | ||
| self.configuration._delegated_token_credentials = None |
There was a problem hiding this comment.
| # Check if we have cached credentials | |
| if not hasattr(self.configuration, "_delegated_token_credentials"): | |
| self.configuration._delegated_token_credentials = None |
Looks like this variable is already initialized as None.
| # Delegated token configuration | ||
| self.delegated_token_config = None | ||
|
|
||
| # Load default values from environment |
There was a problem hiding this comment.
Looks like constructors are missing in the config for fields such as delegated_auth_provider and delegated_auth_org_uuid
src/datadog_api_client/api_client.py
Outdated
| config = DelegatedTokenConfig( | ||
| org_uuid=self.configuration.delegated_auth_org_uuid, | ||
| provider="aws", # This could be made configurable | ||
| provider_auth=self.configuration.delegated_auth_provider, | ||
| ) |
There was a problem hiding this comment.
I am not sure how often the token refreshes but we should move this up to class initialization as it seems to be a static config for the most part.
| url = get_delegated_token_url(config) | ||
|
|
||
| # Create REST client | ||
| rest_client = rest.RESTClientObject(config) |
There was a problem hiding this comment.
Can we pass the rest client initialized in the api_client? If not we should initialize this once and store it for future use
juskeeratanand
force-pushed
the
DELA-208
branch
from
570de71 to
6d3ae95
Compare
github-actions
bot
added
the
documentation
| """ | ||
| try: | ||
| token_response = json.loads(response_data) | ||
| except json.JSONDecodeError as e: |
There was a problem hiding this comment.
💭 Do we need to catch other kinds of errors here, and is there a reason we handle JSONDecodeError specifically?
| if auth_setting["in"] == "header": | ||
| if auth_setting["type"] != "http-signature": |
There was a problem hiding this comment.
Nit:
| if auth_setting["in"] == "header": | |
| if auth_setting["type"] != "http-signature": | |
| if auth_setting["in"] == "header" && auth_setting["type"] != "http-signature": |
| # Use regular authentication | ||
| for auth in self.settings["auth"]: | ||
| auth_setting = self.api_client.configuration.auth_settings().get(auth) | ||
| if auth_setting: |
There was a problem hiding this comment.
Nit: Can make this a guard clause if we want to avoid one level of nesting. But not necessary.
| if auth_setting: | |
| if not auth_setting: | |
| continue |
| """ | ||
| try: | ||
| token_response = json.loads(response_data) | ||
| except json.JSONDecodeError as e: |
There was a problem hiding this comment.
Similar question around if we need to handle other types of errors
| "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", | ||
| "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", | ||
| "AWS_SESSION_TOKEN": "test-session-token", |
There was a problem hiding this comment.
Note: These are the example access key values from AWS docs, including GetAccessKeyInfo
4 participants
This PR implements the work done here to add the ability to authenticate against AWS in the python client.
This is done by the client using AWS credentials to sign a request to GetCallerIdentity and then sending that signed proof to Datadog for validation. Read more about this process here. In this PR, we add the proof generation to the datadog client and add the ability to pass that token on subsequent requests.