[DELA-208] Adding delegated token authentication in python client #2860
Conversation
juskeeratanand
changed the title
| :param headers: Header parameters dict to be updated. | ||
| :raises: ApiValueError if delegated token authentication fails | ||
| """ | ||
| from datetime import datetime |
There was a problem hiding this comment.
Thought: Is this necessary, or can it be rolled up into a more global import?
src/datadog_api_client/aws.py
Outdated
| :return: User agent string | ||
| """ | ||
| import platform |
There was a problem hiding this comment.
Thought: Do we need this import at the function level?
src/datadog_api_client/api_client.py
Outdated
| # Check if we have cached credentials | ||
| if not hasattr(self.configuration, "_delegated_token_credentials"): | ||
| self.configuration._delegated_token_credentials = None |
There was a problem hiding this comment.
| # Check if we have cached credentials | |
| if not hasattr(self.configuration, "_delegated_token_credentials"): | |
| self.configuration._delegated_token_credentials = None |
Looks like this variable is already initialized as None.
| # Delegated token configuration | ||
| self.delegated_token_config = None | ||
|
|
||
| # Load default values from environment |
There was a problem hiding this comment.
Looks like constructors are missing in the config for fields such as delegated_auth_provider and delegated_auth_org_uuid
src/datadog_api_client/api_client.py
Outdated
| config = DelegatedTokenConfig( | ||
| org_uuid=self.configuration.delegated_auth_org_uuid, | ||
| provider="aws", # This could be made configurable | ||
| provider_auth=self.configuration.delegated_auth_provider, | ||
| ) |
There was a problem hiding this comment.
I am not sure how often the token refreshes but we should move this up to class initialization as it seems to be a static config for the most part.
| url = get_delegated_token_url(config) | ||
|
|
||
| # Create REST client | ||
| rest_client = rest.RESTClientObject(config) |
There was a problem hiding this comment.
Can we pass the rest client initialized in the api_client? If not we should initialize this once and store it for future use
juskeeratanand
force-pushed
the
DELA-208
branch
from
570de71 to
6d3ae95
Compare
github-actions
bot
added
the
documentation
| """ | ||
| try: | ||
| token_response = json.loads(response_data) | ||
| except json.JSONDecodeError as e: |
There was a problem hiding this comment.
💭 Do we need to catch other kinds of errors here, and is there a reason we handle JSONDecodeError specifically?
There was a problem hiding this comment.
this catches when the json parsing fails which would be the most expected error, and any other errors would be caught by the outer block
| """ | ||
| try: | ||
| token_response = json.loads(response_data) | ||
| except json.JSONDecodeError as e: |
There was a problem hiding this comment.
Similar question around if we need to handle other types of errors
| "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", | ||
| "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", | ||
| "AWS_SESSION_TOKEN": "test-session-token", |
There was a problem hiding this comment.
Note: These are the example access key values from AWS docs, including GetAccessKeyInfo
Co-authored-by: Kevin L <96131879+urnfdog@users.noreply.github.com>
Co-authored-by: Kevin L <96131879+urnfdog@users.noreply.github.com>
|
/merge |
|
View all feedbacks in Devflow UI.
This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
juskeerat.anand@datadoghq.com unqueued this merge request |
|
/remove |
|
View all feedbacks in Devflow UI.
|
dd-devflow
bot
added
mergequeue-status: removed
and removed
mergequeue-status: waiting
labels
|
/merge |
This comment was marked as outdated.
This comment was marked as outdated.
dd-devflow
bot
added
mergequeue-status: waiting
and removed
mergequeue-status: removed
labels
|
/remove |
|
View all feedbacks in Devflow UI.
|
dd-devflow
bot
added
mergequeue-status: removed
and removed
mergequeue-status: waiting
labels
|
/merge |
|
View all feedbacks in Devflow UI.
This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
This pull request was merged directly. |
dd-devflow
bot
added
mergequeue-status: waiting
and removed
mergequeue-status: removed
labels
dd-devflow
bot
added
mergequeue-status: done
and removed
mergequeue-status: waiting
labels
) * changed template files + generate * rename file * rename files to match go client * fix aws tests * fix conftest * Restore docs/datadog_api_client.rst file * regen * print header * fix headers * fix config propogation * feedback updates * rest changes * gen * update * del * fix tests * static config * update config * updates tests * update imports * config * Update src/datadog_api_client/api_client.py Co-authored-by: Kevin L <96131879+urnfdog@users.noreply.github.com> * Update src/datadog_api_client/api_client.py Co-authored-by: Kevin L <96131879+urnfdog@users.noreply.github.com> * pre-commit fixes --------- Co-authored-by: Kevin L <96131879+urnfdog@users.noreply.github.com> Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com> cb28bb6
This PR implements the work done here to add the ability to authenticate against AWS in the python client.
This is done by the client using AWS credentials to sign a request to GetCallerIdentity and then sending that signed proof to Datadog for validation. Read more about this process here. In this PR, we add the proof generation to the datadog client and add the ability to pass that token on subsequent requests.