45 changes: 40 additions & 5 deletions README.md
Expand Up @@ -103,15 +103,20 @@ To authenticate with the SDK, you need a [service account](https://docs.stackit.

### Authentication Methods

The SDK supports two authentication methods:
The SDK supports three authentication methods:

1. **Key Flow** (Recommended)
1. **Workload Identity Federation Flow**

- Uses OIDC trusted tokens
- Provides best security through short-lived tokens without secrets

2. **Key Flow**

- Uses RSA key-pair based authentication
- Provides better security through short-lived tokens
- Supports both STACKIT-generated and custom key pairs

2. **Token Flow**
3. **Token Flow** (Deprecated)
- Uses long-lived service account tokens
- Simpler but less secure

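Review bot: The "(Recommended)" marker was dropped from Key Flow but not attached to the new first item, so the list no longer tells the reader which method to pick; since Workload Identity Federation Flow is listed first and described as "Provides best security through short-lived tokens without secrets", mark it "1. **Workload Identity Federation Flow** (Recommended)". For "3. **Token Flow** (Deprecated)", add a sub-bullet naming the flow users should migrate to, so the deprecation is actionable rather than just a label, and consider spelling out what "Uses OIDC trusted tokens" means (an external OIDC token exchanged for a STACKIT access token) so it reads at the same level of detail as "Uses RSA key-pair based authentication".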
Expand All @@ -120,10 +125,40 @@ The SDK supports two authentication methods:
The SDK searches for credentials in the following order:

1. Explicit configuration in code
2. Environment variables (KEY_PATH for KEY)
2. Environment variables
3. Credentials file (`$HOME/.stackit/credentials.json`)

For each authentication method, the key flow is attempted first, followed by the token flow.
For each authentication method, the try order is:
1. Workload Identity Federation Flow
2. Key Flow
3. Token Flow

### Using the Workload Identity Fedearion Flow

1. Create a service account trusted relation in the STACKIT Portal:

- Navigate to `Service Accounts` → Select account → `Federated Identity Providers`
- [Configure a Federated Identity Provider](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-federations/#create-a-federated-identity-provider) and the required assertions to trust in.

2. Configure authentication using any of these methods:

**A. Code Configuration**

```go
// Using wokload identity federation flow
config.WithWorkloadIdentityFederationAuth()
// With the custom path for the external OIDC token
config.WithWorkloadIdentityFederationPath("/path/to/your/federated/token")
// For the service account
config.WithServiceAccountEmail("my-sa@sa-stackit.cloud")
```
**B. Environment Variables**
```bash
# With the custom path for the external OIDC token
STACKIT_FEDERATED_TOKEN_FILE=/path/to/your/federated/token
# For the service account
STACKIT_SERVICE_ACCOUNT_EMAIL=my-sa@sa-stackit.cloud
```

### Using the Key Flow

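Review bot: Two typos in this hunk, one of which affects the rendered anchor: the heading "### Using the Workload Identity Fedearion Flow" should read "Federation", and the Go comment "// Using wokload identity federation flow" should read "workload". The lead sentence "For each authentication method, the try order is:" is also misleading, because the numbered list that follows enumerates the authentication methods themselves; it should read "For each credential source, the try order is:" so it matches the three sources listed under "The SDK searches for credentials in the following order". Finally, the environment-variable block only shows the two optional overrides (`STACKIT_FEDERATED_TOKEN_FILE`, `STACKIT_SERVICE_ACCOUNT_EMAIL`) with no counterpart to `config.WithWorkloadIdentityFederationAuth()`; state whether selecting the flow via environment is implied by setting these variables or requires an additional variable, and document the default token path used when `STACKIT_FEDERATED_TOKEN_FILE` is unset.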