Commit c714569

JorTurFer authored and marceljk committed
chore: Update docs to reflect the new WIF flow
Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>
1 parent 4be5956 commit c714569

1 file changed

+40
-5
lines changed

README.md

Lines changed: 40 additions & 5 deletions
@@ -103,15 +103,20 @@ To authenticate with the SDK, you need a [service account](https://docs.stackit.
103103

104104
### Authentication Methods
105105

106-
The SDK supports two authentication methods:
106+
The SDK supports three authentication methods:
107107

108-
1. **Key Flow** (Recommended)
108+
1. **Workload Identity Federation Flow** (Recommended)
109+
110+
- Uses OIDC trusted tokens
111+
- Provides best security through short-lived tokens without secrets
112+
113+
2. **Key Flow**
109114

110115
- Uses RSA key-pair based authentication
111116
- Provides better security through short-lived tokens
112117
- Supports both STACKIT-generated and custom key pairs
113118

114-
2. **Token Flow**
119+
3. **Token Flow** (Deprecated)
115120
- Uses long-lived service account tokens
116121
- Simpler but less secure
117122
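Review bot: At new line 110, "Uses OIDC trusted tokens" does not say who issues the token or who trusts it; consider wording such as "Uses OIDC tokens issued by an external identity provider that the service account is configured to trust", which matches the Federated Identity Provider setup this commit documents further down. The "(Deprecated)" label on "3. **Token Flow**" would benefit from one line telling readers which flow to migrate to. With three methods listed, "best security" on the new item next to the unchanged "better security" on the Key Flow reads as a ranking without a reason; the "without secrets" part of the new bullet is the actual difference and could be stated on its own.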

@@ -120,10 +125,40 @@ The SDK supports two authentication methods:
120125
The SDK searches for credentials in the following order:
121126

122127
1. Explicit configuration in code
123-
2. Environment variables (KEY_PATH for KEY)
128+
2. Environment variables
124129
3. Credentials file (`$HOME/.stackit/credentials.json`)
125130

126-
For each authentication method, the key flow is attempted first, followed by the token flow.
131+
For each authentication method, the try order is:
132+
1. Workload Identity Federation Flow
133+
2. Key Flow
134+
3. Token Flow
135+
136+
### Using the Workload Identity Fedearion Flow
137+
138+
1. Create a service account trusted relation in the STACKIT Portal:
139+
140+
- Navigate to `Service Accounts` → Select account → `Federated Identity Providers`
141+
- [Configure a Federated Identity Provider](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-federations/#create-a-federated-identity-provider) and the required assertions to trust in.
142+
143+
2. Configure authentication using any of these methods:
144+
145+
**A. Code Configuration**
146+
147+
```go
148+
// Using wokload identity federation flow
149+
config.WithWorkloadIdentityFederationAuth()
150+
// With the custom path for the external OIDC token
151+
config.WithWorkloadIdentityFederationPath("/path/to/your/federated/token")
152+
// For the service account
153+
config.WithServiceAccountEmail("my-sa@sa-stackit.cloud")
154+
```
155+
**B. Environment Variables**
156+
```bash
157+
# With the custom path for the external OIDC token
158+
STACKIT_FEDERATED_TOKEN_FILE=/path/to/your/federated/token
159+
# For the service account
160+
STACKIT_SERVICE_ACCOUNT_EMAIL=my-sa@sa-stackit.cloud
161+
```
127162

128163
### Using the Key Flow
129164
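Review bot: The credential-resolution text at new lines 128 to 134 no longer tells the reader what selects a flow: item 2 drops the variable names entirely ("Environment variables"), and "For each authentication method, the try order is:" should read something like "For each credential source", since the list that follows is the methods themselves. Because the Workload Identity Federation Flow is now tried first, state which setting triggers it (for example, whether STACKIT_FEDERATED_TOKEN_FILE being set is sufficient), so readers can tell when a variable already present in the environment takes precedence over a configured key. In the new section, fix the typos "Fedearion" (heading, new line 136) and "wokload" (new line 148), reword "the required assertions to trust in", and say whether WithWorkloadIdentityFederationPath and WithServiceAccountEmail are required alongside WithWorkloadIdentityFederationAuth or are optional overrides. The bash block sets both variables without export, so they will not reach the SDK process if pasted into a shell as written, and a blank line is missing between the closing fence at new line 154 and "**B. Environment Variables**".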
