Skip to content

Fix(BREV-2357): CloudCredId in nebius cloud #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dishankj-max wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix(BREV-2357): CloudCredId in nebius cloud #73

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b6c36b3
Fix(BREV-2357): CloudCredId in nebius cloud
dishankj-max Jan 8, 2026
64bac8f
Fix checkstyle
dishankj-max Jan 8, 2026
1a18755
Fix gofumpt formatting for nebius instance.go
dishankj-max Jan 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 16 additions & 3 deletions v1/providers/nebius/instance.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,7 @@ func (c *NebiusClient) CreateInstance(ctx context.Context, attrs v1.CreateInstan
createReq.Metadata.Labels["created-by"] = "brev-cloud-sdk"
createReq.Metadata.Labels["brev-user"] = attrs.RefID
createReq.Metadata.Labels["environment-id"] = attrs.RefID
createReq.Metadata.Labels["cloud-cred-ref-id"] = c.refID // Store creator's cloud credential ID for authorization
// Track associated resources for cleanup
createReq.Metadata.Labels["network-id"] = networkID
createReq.Metadata.Labels["subnet-id"] = subnetID
Expand Down Expand Up @@ -276,11 +277,23 @@ func (c *NebiusClient) convertNebiusInstanceToV1(ctx context.Context, instance *
// Extract labels from metadata
var tags map[string]string
var refID string
var cloudCredRefID string
var instanceTypeID string
if instance.Metadata != nil && len(instance.Metadata.Labels) > 0 {
tags = instance.Metadata.Labels
refID = instance.Metadata.Labels["brev-user"] // Extract from labels if available
instanceTypeID = instance.Metadata.Labels["instance-type-id"] // Full instance type ID (dot format)
refID = instance.Metadata.Labels["brev-user"] // Extract from labels if available
cloudCredRefID = instance.Metadata.Labels["cloud-cred-ref-id"] // Extract creator's cloud credential ID
instanceTypeID = instance.Metadata.Labels["instance-type-id"] // Full instance type ID (dot format)
}

// Backward compatibility: if cloudCredRefID is not in labels (instances created before this fix),
// fall back to using the current client's refID. This maintains existing behavior for old instances
// but is less secure - those instances won't have proper authorization checks.
if cloudCredRefID == "" {
cloudCredRefID = c.refID
c.logger.Warn(ctx, "instance missing cloud-cred-ref-id label, using current client refID.",
v1.LogField("instanceID", instance.Metadata.Id),
v1.LogField("instanceName", instance.Metadata.Name))
}

// If instance type ID is not in labels (older instances), reconstruct it from platform + preset
Expand Down Expand Up @@ -336,7 +349,7 @@ func (c *NebiusClient) convertNebiusInstanceToV1(ctx context.Context, instance *

inst := &v1.Instance{
RefID: refID,
CloudCredRefID: c.refID,
CloudCredRefID: cloudCredRefID, // Use creator's cloud credential ID from labels, not current client's ID
Name: instance.Metadata.Name,
CloudID: instanceID,
Location: location,
Expand Down
Loading