From c7145690ca38aa41a59fea0db38189232aa1c26f Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Tue, 10 Feb 2026 21:21:04 +0100 Subject: [PATCH 1/4] chore: Update docs to reflect the new WIF flow Signed-off-by: Jorge Turrado --- README.md | 45 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 49e5f1c77..f332a1eac 100644 --- a/README.md +++ b/README.md @@ -103,15 +103,20 @@ To authenticate with the SDK, you need a [service account](https://docs.stackit. ### Authentication Methods -The SDK supports two authentication methods: +The SDK supports three authentication methods: -1. **Key Flow** (Recommended) +1. **Workload Identity Federation Flow** (Recommended) + + - Uses OIDC trusted tokens + - Provides best security through short-lived tokens without secrets + +2. **Key Flow** - Uses RSA key-pair based authentication - Provides better security through short-lived tokens - Supports both STACKIT-generated and custom key pairs -2. **Token Flow** +3. **Token Flow** (Deprecated) - Uses long-lived service account tokens - Simpler but less secure 
@@ -120,10 +125,40 @@ The SDK supports two authentication methods: The SDK searches for credentials in the following order: 1. Explicit configuration in code -2. Environment variables (KEY_PATH for KEY) +2. Environment variables 3. Credentials file (`$HOME/.stackit/credentials.json`) -For each authentication method, the key flow is attempted first, followed by the token flow. +For each authentication method, the try order is: +1. Workload Identity Federation Flow +2. Key Flow +3. Token Flow + +### Using the Workload Identity Fedearion Flow + +1. Create a service account trusted relation in the STACKIT Portal: + + - Navigate to `Service Accounts` → Select account → `Federated Identity Providers` + - [Configure a Federated Identity Provider](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-federations/#create-a-federated-identity-provider) and the required assertions to trust in. + +2. Configure authentication using any of these methods: + + **A. Code Configuration** + +```go +// Using wokload identity federation flow +config.WithWorkloadIdentityFederationAuth() +// With the custom path for the external OIDC token +config.WithWorkloadIdentityFederationPath("/path/to/your/federated/token") +// For the service account +config.WithServiceAccountEmail("my-sa@sa-stackit.cloud") +``` +**B. Environment Variables** +```bash +# With the custom path for the external OIDC token +STACKIT_FEDERATED_TOKEN_FILE=/path/to/your/federated/token +# For the service account +STACKIT_SERVICE_ACCOUNT_EMAIL=my-sa@sa-stackit.cloud +``` ### Using the Key Flow From 72e851032617b9e4a8d78e361af07faa976afd61 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Ferrero Date: Sun, 15 Feb 2026 22:43:23 +0100 Subject: [PATCH 2/4] feedback --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f332a1eac..a3057cbec 100644 --- a/README.md +++ b/README.md 
@@ -105,7 +105,7 @@ To authenticate with the SDK, you need a [service account](https://docs.stackit. The SDK supports three authentication methods: -1. **Workload Identity Federation Flow** (Recommended) +1. **Workload Identity Federation Flow** - Uses OIDC trusted tokens - Provides best security through short-lived tokens without secrets @@ -269,4 +269,5 @@ See the [release documentation](./RELEASE.md) for further information. ## License -Apache 2.0 \ No newline at end of file + +Apache 2.0 From 267a5423f1cfee1f0464ff904a65d4808f033d24 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Ferrero Date: Sun, 15 Feb 2026 22:44:17 +0100 Subject: [PATCH 3/4] Fix formatting and improve README content Updated README.md to fix formatting issues and improve clarity. --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index a3057cbec..3b998a0ac 100644 --- a/README.md +++ b/README.md @@ -269,5 +269,4 @@ See the [release documentation](./RELEASE.md) for further information. ## License - Apache 2.0 From 05484b28db3acb0a2cd22d386ff5fd606d33fa75 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Sun, 15 Feb 2026 22:46:33 +0100 Subject: [PATCH 4/4] . Signed-off-by: Jorge Turrado --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3b998a0ac..dff4aef7f 100644 --- a/README.md +++ b/README.md @@ -269,4 +269,4 @@ See the [release documentation](./RELEASE.md) for further information. ## License -Apache 2.0 +Apache 2.0 \ No newline at end of file
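Review bot: "Provides best security through short-lived tokens without secrets" (PATCH 1/4, first README hunk, the Workload Identity Federation bullet) overstates the property: the external OIDC token the SDK reads from `STACKIT_FEDERATED_TOKEN_FILE` is still a bearer credential that grants access while valid, so the file needs the same protection as any other credential. Suggest "without long-lived secrets" so readers do not conclude the token file can be left world-readable or committed.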
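Review bot: Several wording and formatting defects in PATCH 1/4, second README hunk (credential search order and the new WIF section): the heading reads "Using the Workload Identity Fedearion Flow" (Federation), the Go comment reads "Using wokload identity federation flow" (workload), and "the required assertions to trust in" should be "the assertions to trust". The sentence "For each authentication method, the try order is:" is confusing because the three items that follow are the authentication methods; the list describes the order in which the flows are tried for each credential source, so "For each credential source, the flows are tried in this order:" is what is meant. There is also no blank line between the closing fence of the Go block and `**B. Environment Variables**`, and none between that line and the opening ```` ```bash ```` fence, which many Markdown renderers need; match the spacing used in the "A. Code Configuration" part.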
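Review bot: Dropping "(Recommended)" from the Workload Identity Federation entry in PATCH 2/4 leaves the list with a "(Deprecated)" Token Flow and no recommended method, while the credential lookup section still states that WIF is tried first and the bullet still claims it provides the best security. Either keep a recommendation on one of the two non-deprecated flows or add a sentence explaining when Key Flow is the better choice, so the three sections stay consistent. Separately, PATCH 2/4 and PATCH 3/4 carry no `Signed-off-by` trailer while PATCH 1/4 and PATCH 4/4 do; if the project enforces DCO sign-off these two will fail the check.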
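Review bot: The three `## License` hunks in PATCH 2/4, 3/4 and 4/4 cancel out: patch 2 adds a blank line and a trailing newline after "Apache 2.0", patch 3 removes the blank line, and patch 4 removes the newline again, ending with the same `\ No newline at end of file` state the file started in. Squash these three into PATCH 1/4 before merge; as they stand they add no change and bring a commit message of "." (PATCH 4/4) and one that says "Fix formatting and improve README content" (PATCH 3/4) for a one-line blank-line removal, both of which will make the history harder to read.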