README
¶
Artifactory Provider
This provider is used to generate time limited access tokens for access to Artifactory .
See the package documentation for more information.
Environment / Options
The following table shows the environment variables available to this provider.
| Variable | Type | Optional | Default | Description |
|---|---|---|---|---|
| SIDECRED_ARTIFACTORY_PROVIDER_ENABLED | Bool | Yes | False | Flag to enable this provider |
| SIDECRED_ARTIFACTORY_PROVIDER_HOSTNAME | String | No | N/A | Artifactory endpoint (e.g., https://my-org.jfrog.io/my-org/) |
| SIDECRED_ARTIFACTORY_PROVIDER_USERNAME | String | No | N/A | REST API authentication username |
| SIDECRED_ARTIFACTORY_PROVIDER_PASSWORD | String | Yes | N/A | REST API authentication password |
| SIDECRED_ARTIFACTORY_PROVIDER_ACCESS_TOKEN | String | Yes | N/A | REST API access token |
| SIDECRED_ARTIFACTORY_PROVIDER_API_KEY | String | Yes | N/A | REST API key |
| SIDECRED_ARTIFACTORY_PROVIDER_SESSION_DURATION | Duration | Yes | 1h |
Default duration for generated tokens (<= 1h`) |
The fields marked as not optional assume that the provider is enabled.
Request
See the official documentation for request configuration.
Documentation
¶
Overview ¶
Package artifactory implements a sidecred.Provider for Artifactory access token credentials. See https://jfrog.com/artifactory/ for detailed information.
The provider excercises the REST API to generate time limited access tokens (https://www.jfrog.com/confluence/display/JFROG/Access+Tokens). To access the API, the provider itself must be authenticated. The REST API generally supports the following authentication models (https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API). Generally, this means we can authenticate with a dedicated username and password, where the password is one of the following:
API Key Password Access token
The third is most desirable, as it means that we can allocate a revocable token under a specific username. Furthermore, that username can be a user allocated in Artifactory itself, as part of the call to issue a token. This avoids having to put an admin user's personal credentials into sidecred, or the API key, which have a higher blast radius if leaked.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func New ¶
func New(client ArtifactoryAPI, options ...option) sidecred.Provider
New returns a new sidecred.Provider for Artifactory Credentials.
func WithSessionDuration ¶
WithSessionDuration overrides the default session duration.
Types ¶
type ArtifactoryAPI ¶
type ArtifactoryAPI interface {
CreateToken(services.CreateTokenParams) (services.CreateTokenResponseData, error)
}
ArtifactoryAPI wraps the Artifactory access token API.
func NewClient ¶
func NewClient(hostname, username, password, accessToken, apiKey string) (ArtifactoryAPI, error)
NewClient returns a new client for ArtifactoryAPI.
type RequestConfig ¶
type RequestConfig struct {
// Username to allocate the credentials under.
User string `json:"user"` //
// Group to associate the credentials with.
// The user will inherit the group permissions.
Group string `json:"group"`
// Request-specific override for credential duration.
Duration *sidecred.Duration `json:"duration"`
}
RequestConfig ... The generated secrets will be `<name>-artifactory-user` and `<name>-artifactory-token`.
The following shows an example resource configuration as YAML (note that the lambda version expects JSON):
- type: artifactory:access-token name: my-writer config: user: concourse-artifactory-user group: artifactory-writers-group duration: 30m
For this specific example, the provider will create the secrets `my-writer-artifactory-user` and `my-writer-artifactory-token`. The value within the `my-writer-artifactory-user` secret will be `concourse-artifactory-user`. The secret `my-writer-artifactory-token` will contain the raw token.
func (*RequestConfig) Validate ¶ added in v0.11.0
func (c *RequestConfig) Validate() error
Validate implements sidecred.Validatable.
Source Files
Directories