We are excited to announce that the VMware Cloud on AWS Terraform Provider and the Python Automation Utility for VMware Cloud on AWS now support OAuth 2.0 app authentication for VMware Cloud, allowing you to register your automation tool of choice as an OAuth 2.0 app within VMware Cloud. With this new feature, automation engineers automating their VMware Cloud on AWS deployments can manage secrets at the organization level instead of being tied to individual developers' API access tokens.
OAuth apps act as entities in server-to-server interactions and can be used in multiple organizations. While only the user who created an API token can manage it, the owner of an OAuth app is the organization in which it was created, and it can be managed by users who are organization owners or organization members with a Developer role. For API use that is not associated with an individual, such as automation solutions, it is best practice not to use an API token associated with an individual account. Avoiding individual tokens prevents access problems if that person is unavailable when the token expires, changes roles, or leaves the organization, any of which can break the services using that token. Instead, the Organization owner can create an OAuth App with an App ID and App Secret to provide access to the API. This Tech Zone article details the process of creating an OAuth app for VMware Cloud on AWS.
There are two distinct steps to creating an OAuth App: Create the App, and then assign the App to the Org. To create a new App, follow the steps below:
- Log in to the Cloud Services Platform (CSP), click on your username in the top right-hand part of the screen and then select View Organization.
- Click on the OAuth Apps tab in that top level page (and not on OAuth Apps in the left-hand menu, which is used for associating existing OAuth Apps with the Org).
- Click Create App, and select Server to server app, then continue:
Create the App
- Define the App Name, App Description and Access Token TTL, and define the required Organization and individual Service Roles for the App. The recommended token lifetime is 30 minutes: there is no way to revoke an access token once it has been issued, so do not extend the TTL beyond what is necessary.
- Click Create. Note that All Roles provides unlimited access to all services and actions in the Organization and should be used with caution. Only the services and roles required should be granted to the App.
- Download/copy the App ID & App Secret.
Note – It is not possible to access the App Secret after this screen. However, the App ID can be accessed, and a new App Secret can be generated for the App. Other App properties can also be edited post creation.
Assign the App to the Org
You can do this in two ways:
- Select Add when you are creating the App, after the App ID and App Secret have been copied and stored, which will add it to the current Org.
- Navigate to the OAuth Apps page through the left-hand menu on the View Organization page, select Add App and find the App in the Org where it was created. This is the only option when adding an App created in a different Org (Note – the user performing this action must have appropriate access to both Orgs).
Using OAuth App for Authentication in Terraform Provider for VMware Cloud on AWS
The latest release of the VMware Cloud on AWS Terraform Provider has been updated to include two new fields in the variables.tf file: client_id and client_secret. The client_id is the ID of the OAuth App associated with the organization, and client_secret is the secret for that OAuth App. The client_id is used together with the client_secret to authenticate when calling VMware Cloud Services APIs. Please note that only one of the two credential sets needs to be provided for authentication: either the combination of client_id and client_secret, or the api_token.
Using OAuth App for Authentication in Python Automation Utility for VMware Cloud on AWS
The Python Automation Utility for VMware Cloud on AWS has also been updated to support the OAuth 2.0 app method of authentication. To use this method, the oauth_clientId and oauth_clientSecret values need to be specified in the config.ini file as shown in the example below.
The default authentication method uses the API access token provided in the refresh_Token field in the config.ini file. To use the new OAuth app method of authentication, the -oauth switch needs to be provided when running any command, as shown below.
Example command using the default method of authentication that uses the refresh_Token to authenticate:
./pyVMC.py sddc show-sddcs
Example command using the new OAuth app method of authentication:
./pyVMC.py sddc show-sddcs -oauth
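The credential rule described for the Terraform Provider (either client_id plus client_secret, or the api_token) and the config.ini-driven method switch described for the Python utility are the same decision. The following added example, which is not code from the Terraform provider, from pyVMC or from the original post, shows that decision in Python: it reads a constructed config.ini in the layout the post describes, selects exactly one credential set depending on whether the OAuth switch is given, builds the corresponding token request without sending it, checks a returned token lifetime against the 30-minute recommendation, and produces a loggable view with the secret redacted. The [vmc] section name, the CSP endpoint URLs and the request shapes are assumptions and should be confirmed against the current VMware Cloud Services API documentation before use.

```python
import base64
import configparser
from dataclasses import dataclass
from urllib.parse import urlencode

# Assumed CSP token endpoints (not taken from the post; verify against the docs).
CSP_CLIENT_CREDENTIALS_URL = "https://console.cloud.vmware.com/csp/gateway/am/api/auth/authorize"
CSP_API_TOKEN_URL = "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize"

# Recommended maximum access-token lifetime from the post: 30 minutes.
RECOMMENDED_TTL_SECONDS = 30 * 60

# Constructed sample config.ini using the field names the post mentions
# (refresh_Token, oauth_clientId, oauth_clientSecret). The [vmc] section name
# and the values are made up for this example.
SAMPLE_CONFIG = """
[vmc]
refresh_Token = EXAMPLE-API-TOKEN-0000
oauth_clientId = example-app-id
oauth_clientSecret = EXAMPLE-APP-SECRET
"""


@dataclass(frozen=True)
class TokenRequest:
    url: str
    headers: dict
    body: str


def load_config(text, section="vmc"):
    """Parse config.ini text and return the section holding the credentials."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser[section]


def select_credentials(cfg, use_oauth):
    """Pick exactly one credential set, mirroring the 'either/or' rule of the post.

    Returns ("oauth", client_id, client_secret) when the OAuth switch is given,
    otherwise ("api_token", refresh_token, None). Missing values are an error
    rather than a silent fallback, so a misconfigured run fails before any call.
    """
    client_id = cfg.get("oauth_clientId", "").strip()
    client_secret = cfg.get("oauth_clientSecret", "").strip()
    api_token = cfg.get("refresh_Token", "").strip()
    if use_oauth:
        if not (client_id and client_secret):
            raise ValueError("OAuth app mode requires both oauth_clientId and oauth_clientSecret")
        return ("oauth", client_id, client_secret)
    if not api_token:
        raise ValueError("default mode requires refresh_Token")
    return ("api_token", api_token, None)


def build_token_request(method, credential, secret=None):
    """Build (but do not send) the request that exchanges credentials for an access token."""
    if method == "oauth":
        # OAuth 2.0 client_credentials grant: the app authenticates with HTTP Basic id:secret.
        basic = base64.b64encode(f"{credential}:{secret}".encode()).decode()
        headers = {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        return TokenRequest(CSP_CLIENT_CREDENTIALS_URL, headers, urlencode({"grant_type": "client_credentials"}))
    # Default method: exchange the individual's API (refresh) token for an access token.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TokenRequest(CSP_API_TOKEN_URL, headers, urlencode({"refresh_token": credential}))


def token_within_policy(expires_in_seconds, limit=RECOMMENDED_TTL_SECONDS):
    """True if the issued token's lifetime respects the recommended TTL.

    Access tokens cannot be revoked once issued, so a longer-than-expected
    lifetime is worth flagging: it usually means the App's TTL was raised.
    """
    return 0 < expires_in_seconds <= limit


def redact_for_log(req):
    """Return a copy of the request safe to write to logs: secrets are masked."""
    headers = dict(req.headers)
    if "Authorization" in headers:
        headers["Authorization"] = "Basic <redacted>"
    body = "refresh_token=<redacted>" if req.body.startswith("refresh_token=") else req.body
    return TokenRequest(req.url, headers, body)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for use_oauth in (False, True):
        method, cred, secret = select_credentials(cfg, use_oauth)
        print(method, redact_for_log(build_token_request(method, cred, secret)))
```

The OAuth branch never reads refresh_Token and the default branch never reads the app credentials, so a config that carries both (as the sample does, for illustration) still results in exactly one credential set reaching the wire. In practice the App Secret should come from a secret store or an environment variable rather than a file committed alongside the automation code.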
For the full list of supported commands and instructions on getting started with the Python Utility for VMware Cloud on AWS, please review the readme.