How to create "first api key" to use for any further authentication

[codedevote]

Hi,

not sure I am missing something. I am currently trying to understand how I can setup a seq instance using infrastructure as code (pulumi in my case) and configure an initial api key with appropriate permissions that can then be used by seqcli. Consider the following flow of things:

• Setup base infrastructure incl. k8s cluster
• Setup seq using helm chart
• Setup other service that should use an apikey during ingestion. The IaC project for this service would use seqcli to setup such an apikey. The problem is, there is no "admin" apikey available to use in that case. I would need to manually create such an apikey, which I don't like for automated deployments.

After thinking of it for a few minutes, the best idea I have right now is to deploy such an "admin" credential together with the helm chart. Such a credential could then be easily used by down-stream projects using whatever credential management you want to use (vault, pulumi secrets, ...).

[nblumhardt]

Hi Florian,

Thanks for getting in touch. Since SEQ_FIRSTRUN_ADMINUSERNAME and SEQ_FIRSTRUN_ADMINPASSWORDHASH can be used to set up credentials for the first admin user, perhaps we could modify seqcli apikey create to piggy-back off of this:

seqcli apikey create -t First --token="yourtokenhere" -u admin -p password --delegate="Read,Write,Setup"

where:

• -u and -p would be new arguments, a username and password to connect with, overriding any API key associated with the connection, and
• --delegate would specify which of the user's (-u) permissions would be delegated to the new API key.

I think the CLI and API are in good shape for this to be added in a point release without too many gotchas. What do you think?

[codedevote]

Hi Nick,

sounds good. With this I would be able to create the initial token for further usage in other infra code.
I took a quick look at the helm chart (https://github.com/datalust/helm.datalust.co/tree/main/charts/seq). Both of those env vars SEQ_FIRSTRUN_ADMINUSERNAME and SEQ_FIRSTRUN_ADMINPASSWORDHASH should be added to the deployment template and also have corresponding variables in values.yaml. I can send a PR containing those changes to the helm chart if you like.

[nblumhardt]

That sounds great, thanks Florian 👍 - it would be possible to set those values as environment variables as things are, but having them in values.yaml would be a big improvement for discoverability.

[codedevote]

Sent a PR to the other repo.

[codedevote]

Nick, if you give me some guidance on how to properly implement your ideas related to the new command line parameters for seqcli, I would be happy to contribute.

[nblumhardt]

Thanks Florian. I'm taking a look now, not 100% sure yet what is involved 👍

[nblumhardt]

I started to sketch this out - it was a little tricky, I've pushed my progress in #190 - still needs some automated (and manual :-)) testing. Any eyes on that would be appreciated.