Add API authentication commands for SDK/Terraform integration

franklouwers · franklouwers · commit df7c3d191018 · 2025-12-22T13:13:58.000+01:00
Introduce 'stackit auth api' subcommand group to enable Terraform Provider
and SDK to use CLI user credentials instead of requiring service accounts
for local development.

New commands:
- stackit auth api login: Authenticate for SDK/Terraform usage
- stackit auth api logout: Remove API credentials
- stackit auth api get-access-token: Get valid access token (with auto-refresh)
- stackit auth api status: Show API authentication status

API auth uses separate storage context (StorageContextAPI) from CLI auth,
allowing concurrent authentication with different accounts.
diff --git a/internal/cmd/auth/api/get-access-token/get_access_token.go b/internal/cmd/auth/api/get-access-token/get_access_token.go
@@ -0,0 +1,89 @@
+package getaccesstoken
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/params"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	cliErr "github.com/stackitcloud/stackit-cli/internal/pkg/errors"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/globalflags"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
+)
+
+type inputModel struct {
+	*globalflags.GlobalFlagModel
+}
+
+func NewCmd(params *params.CmdParams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "get-access-token",
+		Short: "Prints a short-lived access token for the STACKIT Terraform Provider and SDK",
+		Long:  "Prints a short-lived access token for the STACKIT Terraform Provider and SDK which can be used e.g. for API calls.",
+		Args:  args.NoArgs,
+		Example: examples.Build(
+			examples.NewExample(
+				`Print a short-lived access token for the STACKIT Terraform Provider and SDK`,
+				"$ stackit auth provider get-access-token"),
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			model, err := parseInput(params.Printer, cmd, args)
+			if err != nil {
+				return err
+			}
+
+			userSessionExpired, err := auth.UserSessionExpiredWithContext(auth.StorageContextAPI)
+			if err != nil {
+				return err
+			}
+			if userSessionExpired {
+				return &cliErr.SessionExpiredError{}
+			}
+
+			accessToken, err := auth.GetValidAccessTokenWithContext(params.Printer, auth.StorageContextAPI)
+			if err != nil {
+				params.Printer.Debug(print.ErrorLevel, "get valid access token: %v", err)
+				return &cliErr.SessionExpiredError{}
+			}
+
+			switch model.OutputFormat {
+			case print.JSONOutputFormat:
+				details, err := json.MarshalIndent(map[string]string{
+					"access_token": accessToken,
+				}, "", "  ")
+				if err != nil {
+					return fmt.Errorf("marshal access token: %w", err)
+				}
+				params.Printer.Outputln(string(details))
+
+				return nil
+			default:
+				params.Printer.Outputln(accessToken)
+
+				return nil
+			}
+		},
+	}
+
+	// hide project id flag from help command because it could mislead users
+	cmd.SetHelpFunc(func(command *cobra.Command, strings []string) {
+		_ = command.Flags().MarkHidden(globalflags.ProjectIdFlag) // nolint:errcheck // there's no chance to handle the error here
+		command.Parent().HelpFunc()(command, strings)
+	})
+
+	return cmd
+}
+
+func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel, error) {
+	globalFlags := globalflags.Parse(p, cmd)
+
+	model := inputModel{
+		GlobalFlagModel: globalFlags,
+	}
+
+	p.DebugInputModel(model)
+	return &model, nil
+}
diff --git a/internal/cmd/auth/api/login/login.go b/internal/cmd/auth/api/login/login.go
@@ -0,0 +1,39 @@
+package login
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/params"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+)
+
+func NewCmd(params *params.CmdParams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "login",
+		Short: "Logs in for the STACKIT Terraform Provider and SDK",
+		Long: fmt.Sprintf("%s\n%s\n%s",
+			"Logs in for the STACKIT Terraform Provider and SDK using a user account.",
+			"The authentication is done via a web-based authorization flow, where the command will open a browser window in which you can login to your STACKIT account.",
+			"The credentials are stored separately from the CLI authentication and will be used by the STACKIT Terraform Provider and SDK."),
+		Args: args.NoArgs,
+		Example: examples.Build(
+			examples.NewExample(
+				`Login for the STACKIT Terraform Provider and SDK. This command will open a browser window where you can login to your STACKIT account`,
+				"$ stackit auth provider login"),
+		),
+		RunE: func(_ *cobra.Command, _ []string) error {
+			err := auth.AuthorizeUser(params.Printer, auth.StorageContextAPI, false)
+			if err != nil {
+				return fmt.Errorf("authorization failed: %w", err)
+			}
+
+			params.Printer.Outputln("Successfully logged in for STACKIT Terraform Provider and SDK.\n")
+
+			return nil
+		},
+	}
+	return cmd
+}
diff --git a/internal/cmd/auth/api/logout/logout.go b/internal/cmd/auth/api/logout/logout.go
@@ -0,0 +1,35 @@
+package logout
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/params"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+)
+
+func NewCmd(params *params.CmdParams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "logout",
+		Short: "Logs out from the STACKIT Terraform Provider and SDK",
+		Long:  "Logs out from the STACKIT Terraform Provider and SDK. This does not affect CLI authentication.",
+		Args:  args.NoArgs,
+		Example: examples.Build(
+			examples.NewExample(
+				`Log out from the STACKIT Terraform Provider and SDK`,
+				"$ stackit auth provider logout"),
+		),
+		RunE: func(_ *cobra.Command, _ []string) error {
+			err := auth.LogoutUserWithContext(auth.StorageContextAPI)
+			if err != nil {
+				return fmt.Errorf("log out failed: %w", err)
+			}
+
+			params.Printer.Info("Successfully logged out from STACKIT Terraform Provider and SDK.\n")
+			return nil
+		},
+	}
+	return cmd
+}
diff --git a/internal/cmd/auth/api/provider.go b/internal/cmd/auth/api/provider.go
@@ -0,0 +1,35 @@
+package api
+
+import (
+	"github.com/spf13/cobra"
+	getaccesstoken "github.com/stackitcloud/stackit-cli/internal/cmd/auth/api/get-access-token"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/auth/api/login"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/auth/api/logout"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/auth/api/status"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/params"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
+)
+
+func NewCmd(params *params.CmdParams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "api",
+		Short: "Manages authentication for the STACKIT Terraform Provider and SDK",
+		Long: `Manages authentication for the STACKIT Terraform Provider and SDK.
+
+These commands allow you to authenticate with your personal STACKIT account
+and share the credentials with the STACKIT Terraform Provider and SDK.
+This provides an alternative to using service accounts for local development.`,
+		Args: args.NoArgs,
+		Run:  utils.CmdHelp,
+	}
+	addSubcommands(cmd, params)
+	return cmd
+}
+
+func addSubcommands(cmd *cobra.Command, params *params.CmdParams) {
+	cmd.AddCommand(login.NewCmd(params))
+	cmd.AddCommand(logout.NewCmd(params))
+	cmd.AddCommand(getaccesstoken.NewCmd(params))
+	cmd.AddCommand(status.NewCmd(params))
+}
diff --git a/internal/cmd/auth/api/status/status.go b/internal/cmd/auth/api/status/status.go
@@ -0,0 +1,109 @@
+package status
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/params"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/globalflags"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
+)
+
+type inputModel struct {
+	*globalflags.GlobalFlagModel
+}
+
+type statusOutput struct {
+	Authenticated bool   `json:"authenticated"`
+	Email         string `json:"email,omitempty"`
+	AuthFlow      string `json:"auth_flow,omitempty"`
+}
+
+func NewCmd(params *params.CmdParams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "status",
+		Short: "Shows authentication status for the STACKIT Terraform Provider and SDK",
+		Long:  "Shows authentication status for the STACKIT Terraform Provider and SDK, including whether you are authenticated and with which account.",
+		Args:  args.NoArgs,
+		Example: examples.Build(
+			examples.NewExample(
+				`Show authentication status for the STACKIT Terraform Provider and SDK`,
+				"$ stackit auth api status"),
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			model, err := parseInput(params.Printer, cmd, args)
+			if err != nil {
+				return err
+			}
+
+			// Check if access token exists (primary credential check)
+			accessToken, err := auth.GetAuthFieldWithContext(auth.StorageContextAPI, auth.ACCESS_TOKEN)
+			if err != nil || accessToken == "" {
+				// Not authenticated
+				return outputStatus(params.Printer, model, statusOutput{
+					Authenticated: false,
+				})
+			}
+
+			// Get optional fields for display
+			flow, _ := auth.GetAuthFlowWithContext(auth.StorageContextAPI)
+			email, err := auth.GetAuthFieldWithContext(auth.StorageContextAPI, auth.USER_EMAIL)
+			if err != nil {
+				email = ""
+			}
+
+			return outputStatus(params.Printer, model, statusOutput{
+				Authenticated: true,
+				Email:         email,
+				AuthFlow:      string(flow),
+			})
+		},
+	}
+
+	// hide project id flag from help command because it could mislead users
+	cmd.SetHelpFunc(func(command *cobra.Command, strings []string) {
+		_ = command.Flags().MarkHidden(globalflags.ProjectIdFlag) // nolint:errcheck // there's no chance to handle the error here
+		command.Parent().HelpFunc()(command, strings)
+	})
+
+	return cmd
+}
+
+func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel, error) {
+	globalFlags := globalflags.Parse(p, cmd)
+
+	model := inputModel{
+		GlobalFlagModel: globalFlags,
+	}
+
+	p.DebugInputModel(model)
+	return &model, nil
+}
+
+func outputStatus(p *print.Printer, model *inputModel, status statusOutput) error {
+	switch model.OutputFormat {
+	case print.JSONOutputFormat:
+		details, err := json.MarshalIndent(status, "", "  ")
+		if err != nil {
+			return fmt.Errorf("marshal status: %w", err)
+		}
+		p.Outputln(string(details))
+		return nil
+	default:
+		if status.Authenticated {
+			p.Outputln("API Authentication Status: Authenticated")
+			if status.Email != "" {
+				p.Outputf("Email: %s\n", status.Email)
+			}
+			p.Outputf("Auth Flow: %s\n", status.AuthFlow)
+		} else {
+			p.Outputln("API Authentication Status: Not authenticated")
+			p.Outputln("\nTo authenticate, run: stackit auth api login")
+		}
+		return nil
+	}
+}
diff --git a/internal/cmd/auth/auth.go b/internal/cmd/auth/auth.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	activateserviceaccount "github.com/stackitcloud/stackit-cli/internal/cmd/auth/activate-service-account"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/auth/api"
 	getaccesstoken "github.com/stackitcloud/stackit-cli/internal/cmd/auth/get-access-token"
 	"github.com/stackitcloud/stackit-cli/internal/cmd/auth/login"
 	"github.com/stackitcloud/stackit-cli/internal/cmd/auth/logout"
@@ -29,4 +30,5 @@ func addSubcommands(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.AddCommand(logout.NewCmd(params))
 	cmd.AddCommand(activateserviceaccount.NewCmd(params))
 	cmd.AddCommand(getaccesstoken.NewCmd(params))
+	cmd.AddCommand(api.NewCmd(params))
 }
diff --git a/internal/cmd/auth/login/login.go b/internal/cmd/auth/login/login.go
@@ -26,7 +26,7 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 				"$ stackit auth login"),
 		),
 		RunE: func(_ *cobra.Command, _ []string) error {
-			err := auth.AuthorizeUser(params.Printer, false)
+			err := auth.AuthorizeUser(params.Printer, auth.StorageContextCLI, false)
 			if err != nil {
 				return fmt.Errorf("authorization failed: %w", err)
 			}
diff --git a/internal/pkg/auth/service_account.go b/internal/pkg/auth/service_account.go
@@ -37,6 +37,9 @@ var _ http.RoundTripper = &keyFlowWithStorage{}
 // It returns the email associated with the service account
 // If disableWriting is set to true the credentials are not stored on disk (keyring, file).
 func AuthenticateServiceAccount(p *print.Printer, rt http.RoundTripper, disableWriting bool) (email, accessToken string, err error) {
+	// Set the storage printer so debug messages use the correct verbosity
+	SetStoragePrinter(p)
+
 	authFields := make(map[authFieldKey]string)
 	var authFlowType AuthFlow
 	switch flow := rt.(type) {

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func NewCmd(params types.CmdParams) cobra.Command {`
`26`	`26`	`"$ stackit auth login"),`
`27`	`27`	`),`
`28`	`28`	`RunE: func(_ *cobra.Command, _ []string) error {`
`29`		`- err := auth.AuthorizeUser(params.Printer, false)`
	`29`	`+ err := auth.AuthorizeUser(params.Printer, auth.StorageContextCLI, false)`
`30`	`30`	`if err != nil {`
`31`	`31`	`return fmt.Errorf("authorization failed: %w", err)`
`32`	`32`	`}`