Authentication
External APIs typically require the caller to present a set of authentication credentials. In the case of cloud infrastructure providers (Google Cloud Platform and Amazon Web Services in particular) Stormware uses locally available credentials that are generated and also used by cloud CLI tools.
Note
You must install the google extra when using the Google Cloud Platform authentication mechanism.
Note
You must install the amazon extra when using the Amazon Web Services authentication mechanism.
Google Cloud Platform
The default authentication mechanism (implemented in GCPAuth) first looks for a set of credentials in the $XDG_CONFIG_HOME/gcloud/credentials/{organization_id}.json file, where organization_id is derived from the provided organization value by replacing dots with dashes. If the organization credentials file does not exist, we use the application default credentials.
Note
We recommend using the gcpl script for generating organization credentials. Note that you need to add the -s stormware option if you are using Google connectors that are not related to the Google Cloud Platform (for example, the Google Sheets connector).
A default organization and project can be set under the tool.stormware section of a project’s pyproject.toml file as follows:
[tool.stormware]
organization = 'example.com'
project = 'my-project'
Amazon Web Services
The authentication logic is implemented in AWSAuth – we look for the credentials of the organization_id named profile, which is derived the same way as it is for the Google Cloud Platform authentication. If the credentials cannot be found for the named profile then the boto3 credential location mechanism is used.
Note
We recommend using the awsl script for generating named profile credentials.
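An added example, not part of Stormware's code: a pre-flight audit that reproduces the lookup rules described above for both providers and flags credential files accessible to group or others. It assumes POSIX file modes, the XDG default of ~/.config when XDG_CONFIG_HOME is unset, and that a named profile is a section of the AWS credentials file; all function names are hypothetical.

```python
import configparser
import os
import stat
from pathlib import Path
from typing import Mapping, Optional


def organization_id(organization: str) -> str:
    """Derive the ID as the page describes: dots replaced with dashes."""
    return organization.replace(".", "-")


def gcp_credentials_path(organization: str, env: Mapping[str, str] = os.environ) -> Path:
    """Documented path; ~/.config is assumed when XDG_CONFIG_HOME is unset."""
    base = env.get("XDG_CONFIG_HOME") or str(Path.home() / ".config")
    return Path(base) / "gcloud" / "credentials" / f"{organization_id(organization)}.json"


def too_permissive(path: Path) -> bool:
    """True when group or others hold any permission bit on the file."""
    return bool(stat.S_IMODE(path.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO))


def audit(organization: str, env: Mapping[str, str] = os.environ,
          aws_credentials: Optional[Path] = None) -> dict:
    """Report which credential source each provider resolves to, plus file-mode findings."""
    org_id = organization_id(organization)
    report = {"organization_id": org_id, "findings": []}
    gcp = gcp_credentials_path(organization, env)
    report["gcp_source"] = "organization file" if gcp.is_file() else "application default credentials"
    aws = aws_credentials or Path("~/.aws/credentials").expanduser()
    parser = configparser.ConfigParser(interpolation=None)
    if aws.is_file():
        parser.read(aws)
    report["aws_source"] = "named profile" if parser.has_section(org_id) else "boto3 credential location mechanism"
    for path in (gcp, aws):
        if path.is_file() and too_permissive(path):
            report["findings"].append(f"{path} is accessible to group/others; restrict to 0600")
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample layout
        env = {"XDG_CONFIG_HOME": tmp}
        cred = gcp_credentials_path("example.com", env)
        cred.parent.mkdir(parents=True)
        cred.write_text("{}")
        cred.chmod(0o644)  # deliberately loose mode to trigger a finding
        print(audit("example.com", env, Path(tmp) / "aws"))
```

Only file modes and profile section names are inspected; the credential values themselves are never read into the report.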
Secret Store
The credentials for most connectors are retrieved from a secret store, which has the following abstract interface:
- class stormware.secrets.SecretStore
Stormware comes with two built-in secret store implementations for Google Cloud Platform and Amazon Web Services, and further secret stores can be easily added by simply inheriting and implementing the SecretStore interface.
Note
When no secret store is explicitly provided the connectors default to using the Google Cloud Secret Manager store when the google extra is installed and the AWS Secrets Manager store when the amazon extra is installed. If both extras are installed, the Google Cloud Secret Manager store takes precedence.
For further information regarding connector authentication please consult the documentation of the specific connector that you intend to use.
Authentication Managers
- class stormware.google.auth.GCPAuth(organization: Optional[str] = None, project: Optional[str] = None)
Google Cloud Platform authentication manager.
- project(project: Optional[str] = None) -> str
Return the project name.
Defaults to the project value set in pyproject.toml under the tool.stormware section.
- project_id(organization: Optional[str] = None, project: Optional[str] = None) -> str
Return the project ID.
The project ID is constructed as {project}-{organization_id}.
- organization_credentials_path(organization: Optional[str] = None) -> Optional[Path]
Return the path to the organization credentials or None if it does not exist. Constructed as $XDG_CONFIG_HOME/gcloud/credentials/{organization_id}.json.
- credentials(organization: Optional[str] = None, project: Optional[str] = None) -> Credentials
Return the organization credentials when they exist or the application default credentials.
- class stormware.amazon.auth.AWSAuth(*args: Any, credentials: Path = PosixPath('~/.aws/credentials'), **kwargs: Any)
Amazon Web Services authentication manager.
- profile(organization: Optional[str] = None) -> Optional[str]
Return the profile name (same as the organization ID) or None if it does not exist.
- organization(organization: Optional[str] = None) -> str
Return the organization name.
Defaults to the organization value set in pyproject.toml under the tool.stormware section.