Migrate flowctl to gql operations and token-exchange rest endpoints #2983
Draft
GregorShear wants to merge 3 commits into
Adds support for running flowctl as a service account using a `flow_sa_` API key supplied through FLOW_AUTH_TOKEN. The key is exchanged for a short-lived access token via POST /api/v1/auth/token (grant_type: api_key) on each invocation.

The API key is a long-lived secret and is held in memory only: it is sourced exclusively from FLOW_AUTH_TOKEN, never read from or written to the config file, and a run authenticated by one skips the config write-back entirely so nothing derived from it lands on disk and a human's existing config is left untouched.

Credential refresh is unified behind a single helper shared by Cli::run and the auth post-command refresh, with the API key taking precedence over a refresh token. Under API-key auth the refresh-token branches -- including auto-creating a refresh token -- are skipped, so a service account never attempts to mint a refresh token (which the control-plane guard rejects regardless).

- flow-client: add refresh_api_key_authorization()
- flowctl config: in-memory user_api_key, flow_sa_ dispatch on FLOW_AUTH_TOKEN
- flowctl: skip config write under API-key auth; login/token clear an ambient API key so explicit human auth wins
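The dispatch rules described above (a `flow_sa_` key in FLOW_AUTH_TOKEN wins over a refresh token, a service-account run never writes the config or mints a refresh token, and an explicit login clears the ambient key) are easy to get subtly wrong, so here is an added Rust sketch of them. This is example code written for this page, not flowctl's or flow-client's implementation: the `Credential` and `Config` types, the function names, the secret field names in the exchange body (`api_key`, `refresh_token`) and the treatment of a non-`flow_sa_` FLOW_AUTH_TOKEN value are all assumptions; only the `flow_sa_` prefix, the endpoint and the two `grant_type` values come from the PR description.

```rust
use std::collections::BTreeMap;

/// Marker prefix of a service-account API key (from the PR description).
const SA_KEY_PREFIX: &str = "flow_sa_";

/// Where flowctl's credential for this invocation comes from.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Credential {
    /// Long-lived service-account key from FLOW_AUTH_TOKEN; held in memory only.
    ApiKey(String),
    /// Refresh token read from the user's config file.
    RefreshToken(String),
    /// Nothing usable: the caller must run an interactive login.
    None,
}

/// Minimal stand-in for the on-disk flowctl config (hypothetical shape).
#[derive(Debug, Default)]
pub struct Config {
    pub refresh_token: Option<String>,
}

/// Pick the credential for this run: a `flow_sa_` key in FLOW_AUTH_TOKEN
/// takes precedence over any refresh token in the config. Any other
/// FLOW_AUTH_TOKEN value is ignored here (assumption: the real CLI treats
/// it as a pre-issued access token, which this sketch does not model).
pub fn select_credential(env_token: Option<&str>, config: &Config) -> Credential {
    if let Some(tok) = env_token {
        if tok.starts_with(SA_KEY_PREFIX) && tok.len() > SA_KEY_PREFIX.len() {
            return Credential::ApiKey(tok.to_string());
        }
    }
    match &config.refresh_token {
        Some(rt) => Credential::RefreshToken(rt.clone()),
        None => Credential::None,
    }
}

/// Build the fields for POST /api/v1/auth/token. The `grant_type` values
/// come from the PR; the names of the secret-carrying fields are assumptions.
pub fn token_exchange_body(cred: &Credential) -> Option<BTreeMap<&'static str, String>> {
    let mut body = BTreeMap::new();
    match cred {
        Credential::ApiKey(key) => {
            body.insert("grant_type", "api_key".to_string());
            body.insert("api_key", key.clone());
        }
        Credential::RefreshToken(rt) => {
            body.insert("grant_type", "refresh_token".to_string());
            body.insert("refresh_token", rt.clone());
        }
        Credential::None => return None,
    }
    Some(body)
}

/// Only human (refresh-token) sessions write back to the config file; a
/// service-account run leaves the config untouched so the key never hits disk.
pub fn should_write_config(cred: &Credential) -> bool {
    matches!(cred, Credential::RefreshToken(_))
}

/// Auto-creating a refresh token is skipped entirely under API-key auth.
pub fn may_mint_refresh_token(cred: &Credential) -> bool {
    !matches!(cred, Credential::ApiKey(_))
}

/// An explicit `auth login` / `auth token` discards an ambient API key so
/// the human's credential wins for the rest of the run.
pub fn clear_ambient_api_key(cred: Credential) -> Credential {
    match cred {
        Credential::ApiKey(_) => Credential::None,
        other => other,
    }
}

fn main() {
    // Constructed scenario: a human's refresh token on disk, and whatever is
    // (or is not) in FLOW_AUTH_TOKEN in the environment. The secret itself is
    // deliberately never printed.
    let config = Config { refresh_token: Some("rt-constructed".to_string()) };
    let env_token = std::env::var("FLOW_AUTH_TOKEN").ok();
    let cred = select_credential(env_token.as_deref(), &config);
    match token_exchange_body(&cred) {
        Some(body) => println!("grant_type={}", body["grant_type"]),
        None => println!("no credential; interactive login required"),
    }
    println!("write config: {}", should_write_config(&cred));
    println!("may mint refresh token: {}", may_mint_refresh_token(&cred));
}
```

Run it with and without `FLOW_AUTH_TOKEN=flow_sa_...` set to see the two paths; the point of keeping the gates as separate predicates is that every code path which touches disk or mints a token has to ask them, rather than relying on the credential selection alone.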
Migrate flowctl auth off PostgREST onto GraphQL + token-exchange endpoint

Updates flowctl to use the new application-layer auth surfaces introduced in phase 1, retiring the dependence on the PostgREST RPCs `create_refresh_token` and `generate_access_token`.

What changed

- Refresh-token creation now goes through the `createRefreshToken` GraphQL mutation instead of the `create_refresh_token` PostgREST RPC.
- Access-token exchange now POSTs to `/api/v1/auth/token` with `grant_type: refresh_token` (unauthenticated) instead of the `generate_access_token` RPC.
- Both client implementations are updated in lockstep:
  - `flow-client` (legacy, used by flowctl) — `refresh_authorizations` in `client.rs`
  - `flow-client-next` — `UserTokenSource` / `create_refresh_token` / `exchange_refresh_token` in `user_auth.rs`. `UserTokenSource` swaps its `pg_client: postgrest::Postgrest` field for `rest_client: crate::rest::Client`.

New helpers

A small GraphQL request helper is added to each crate so callers can issue a query/mutation and deserialize the `data` field directly:

- `flow_client::graphql(...)` — anyhow-based.
- `flow_client_next::rest::Client::graphql(...)` — typed errors via a new `GraphqlError` enum (adds the `thiserror` dependency).

Notes for review

- `valid_for` moves from the PostgREST-style `"90d"` to ISO-8601 `"P90D"`, matching the GraphQL mutation's contract.
- The `multi_use: true` argument is dropped — it's no longer part of the `createRefreshToken` signature.

Testing