From 1c2890c66951f4498ac43542a7a8b83d42df4dd2 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Tue, 10 Feb 2026 21:21:04 +0100 Subject: [PATCH 1/5] chore: Update docs to reflect the new WIF flow Signed-off-by: Jorge Turrado --- README.md | 45 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 49e5f1c77..f332a1eac 100644 --- a/README.md +++ b/README.md @@ -103,15 +103,20 @@ To authenticate with the SDK, you need a [service account](https://docs.stackit. ### Authentication Methods -The SDK supports two authentication methods: +The SDK supports three authentication methods: -1. **Key Flow** (Recommended) +1. **Workload Identity Federation Flow** (Recommended) + + - Uses OIDC trusted tokens + - Provides best security through short-lived tokens without secrets + +2. **Key Flow** - Uses RSA key-pair based authentication - Provides better security through short-lived tokens - Supports both STACKIT-generated and custom key pairs -2. **Token Flow** +3. **Token Flow** (Deprecated) - Uses long-lived service account tokens - Simpler but less secure 
@@ -120,10 +125,40 @@ The SDK supports two authentication methods: The SDK searches for credentials in the following order: 1. Explicit configuration in code -2. Environment variables (KEY_PATH for KEY) +2. Environment variables 3. Credentials file (`$HOME/.stackit/credentials.json`) -For each authentication method, the key flow is attempted first, followed by the token flow. +For each authentication method, the try order is: +1. Workload Identity Federation Flow +2. Key Flow +3. Token Flow + +### Using the Workload Identity Fedearion Flow + +1. Create a service account trusted relation in the STACKIT Portal: + + - Navigate to `Service Accounts` → Select account → `Federated Identity Providers` + - [Configure a Federated Identity Provider](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-federations/#create-a-federated-identity-provider) and the required assertions to trust in. + +2. Configure authentication using any of these methods: + + **A. Code Configuration** + +```go +// Using wokload identity federation flow +config.WithWorkloadIdentityFederationAuth() +// With the custom path for the external OIDC token +config.WithWorkloadIdentityFederationPath("/path/to/your/federated/token") +// For the service account +config.WithServiceAccountEmail("my-sa@sa-stackit.cloud") +``` +**B. Environment Variables** +```bash +# With the custom path for the external OIDC token +STACKIT_FEDERATED_TOKEN_FILE=/path/to/your/federated/token +# For the service account +STACKIT_SERVICE_ACCOUNT_EMAIL=my-sa@sa-stackit.cloud +``` ### Using the Key Flow From 04413ea36b28b47614ad4f2fed9cb6c8ce3bd2c9 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Ferrero Date: Sun, 15 Feb 2026 22:43:23 +0100 Subject: [PATCH 2/5] feedback --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f332a1eac..a3057cbec 100644 --- a/README.md +++ b/README.md 
@@ -105,7 +105,7 @@ To authenticate with the SDK, you need a [service account](https://docs.stackit. The SDK supports three authentication methods: -1. **Workload Identity Federation Flow** (Recommended) +1. **Workload Identity Federation Flow** - Uses OIDC trusted tokens - Provides best security through short-lived tokens without secrets @@ -269,4 +269,5 @@ See the [release documentation](./RELEASE.md) for further information. ## License -Apache 2.0 \ No newline at end of file + +Apache 2.0 From bfca2cb66e3f9eca5a54f3d58122fb4616ccff7f Mon Sep 17 00:00:00 2001 From: Jorge Turrado Ferrero Date: Sun, 15 Feb 2026 22:44:17 +0100 Subject: [PATCH 3/5] Fix formatting and improve README content Updated README.md to fix formatting issues and improve clarity. --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index a3057cbec..3b998a0ac 100644 --- a/README.md +++ b/README.md @@ -269,5 +269,4 @@ See the [release documentation](./RELEASE.md) for further information. ## License - Apache 2.0 From 69f8cbd3e719c7bd4a675dbc77f6d640af101464 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Ferrero Date: Sun, 15 Feb 2026 22:44:47 +0100 Subject: [PATCH 4/5] Fix formatting issues in README.md From a6ae7efad789da66463827877bd62bdb28cdb529 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Sun, 15 Feb 2026 22:46:33 +0100 Subject: [PATCH 5/5] . Signed-off-by: Jorge Turrado --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3b998a0ac..dff4aef7f 100644 --- a/README.md +++ b/README.md @@ -269,4 +269,4 @@ See the [release documentation](./RELEASE.md) for further information. ## License -Apache 2.0 +Apache 2.0 \ No newline at end of file
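Review bot: In PATCH 1/5, hunk `@@ -103,15 +103,20 @@`, the new bullet `- Uses OIDC trusted tokens` does not say where the token comes from or what makes it trusted, so the list alone does not tell a reader how this flow differs from the Key Flow. Suggest tying it to the setup section added later in the same patch, for example "Uses an external OIDC token from a Federated Identity Provider configured on the service account". The Key Flow bullet still reads "Provides better security through short-lived tokens" beside the new "Provides best security through short-lived tokens without secrets", which makes the comparison hard to follow, and the Token Flow is now marked "(Deprecated)" without a pointer to the flow users should move to.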
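Review bot: In PATCH 1/5, hunk `@@ -120,10 +125,40 @@`, the added heading `### Using the Workload Identity Fedearion Flow` misspells "Federation", and the Go comment `// Using wokload identity federation flow` misspells "workload". The sentence "For each authentication method, the try order is:" is followed by a list of the authentication methods themselves, so it should read "For each credential source, the flows are tried in this order:". `**B. Environment Variables**` starts directly after the closing fence and is not indented like `**A. Code Configuration**`, so the two options will not render as siblings under step 2. "the required assertions to trust in" reads better as "the assertions to trust". The hunk also removes the `(KEY_PATH for KEY)` hint from the environment variables item without saying where the variable names for each flow are listed.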
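Review bot: In PATCH 2/5, hunk `@@ -105,7 +105,7 @@`, removing "(Recommended)" from the Workload Identity Federation Flow leaves the list with no recommended method, because 1/5 already took the label off the Key Flow and marked the Token Flow "(Deprecated)". The bullet below the changed line still says "Provides best security through short-lived tokens without secrets", so the label and the description now disagree. Either keep a recommendation on one flow or add a sentence on when to choose the Workload Identity Federation Flow over the Key Flow. The commit subject "feedback" does not record why the label was dropped.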
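Review bot: The `## License` hunks (`@@ -269,4 +269,5 @@` in PATCH 2/5, `@@ -269,5 +269,4 @@` in 3/5, `@@ -269,4 +269,4 @@` in 5/5) cancel each other out and the series ends with `\ No newline at end of file` on the added side again. 2/5 adds a blank line plus the end-of-file newline, 3/5 removes the blank line, and 5/5 removes the newline, which puts the file back where it started. Keep the trailing newline by dropping 5/5, and squash the remaining whitespace change into 1/5 so the series touches only the authentication documentation. PATCH 4/5 carries no diff and the subject of 5/5 is ".", so neither says what it is for.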