Packer API Authentication

kuldeeprishi · March 20, 2022, 4:15pm

Hello HashiCorp Community,
I was recently trying to automate my build and deploy process.
I was following this API Doc
I have created the required service principal, but I couldn’t find any documentation about how to authenticate Packer API’s via service principal through REST.

Thanks

shohei · March 24, 2022, 8:40am

Hi @kuldeeprishi, Thanks for your feedback! I already passed this feedback internally and we will see options to add those information.

In the meantime, you can manually obtain your OAuth 2.0 access token using your HCP credentials (client ID/secret) using curl or any tools that work for you (e.g., Postman).

For instance, try this curl command by replacing $HCP_CLIENT_ID and $HCP_CLIENT_SECRET with yours (i.e., service principal key), then you will get one as below:

$ curl -s -u '$HCP_CLIENT_ID:$HCP_CLIENT_SECRET' \
  --data 'grant_type=client_credentials&audience=https://api.hashicorp.cloud' \
  'https://auth.hashicorp.com/oauth/token' | jq
{
  "access_token": "your_access_token_here",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Once you got your access_token, now you can call APIs using that access token by sending an authorization request header -H 'Authorization: Bearer <your_access_token>'

You can also use our official Go SDK for HCP API: GitHub - hashicorp/hcp-sdk-go: Go SDK for HCP API. and from there, you could see the auth implementation in action:

github.com

hashicorp/hcp-sdk-go/blob/v0.17.0/httpclient/httpclient.go#L64

      
        
            	if err := cfg.Validate(); err != nil {
            		return nil, fmt.Errorf("invalid config: %w", err)
            	}
            
            
	// Initialize an http client with a transport to be shared by the service-specific clients.
            	client := cleanhttp.DefaultPooledClient()
            
            
	// The oauth2 client initializer requires the http client to be passed in via context.
            	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, client)
            
            
	client, err = auth.WithClientCredentials(ctx, cfg.ClientID, cfg.ClientSecret, cfg.AuthURL)
            	if err != nil {
            		return nil, fmt.Errorf("failed to obtain credentials: %w", err)
            	}
            
            
	if cfg.SourceChannel != "" {
            		// Using a custom transport in order to set the source channel header when it is present.
            		sourceChannel := fmt.Sprintf("%s hcp-go-sdk/%s", cfg.SourceChannel, version.Version)
            		client.Transport = &roundTripperWithSourceChannel{OriginalRoundTripper: client.Transport, SourceChannel: sourceChannel}
            	}

github.com

hashicorp/hcp-sdk-go/blob/v0.17.0/auth/auth.go

package auth

import (
	"context"
	"net/http"
	"net/url"

	"golang.org/x/oauth2/clientcredentials"
)

var (
	tokenPath string = "/oauth/token"
)

// WithClientCredentials returns an http client with an access token obtained using the configured client credentials.
func WithClientCredentials(ctx context.Context, clientID, clientSecret, authURL string) (*http.Client, error) {
	// The audience is the API identifier configured in the auth provider
	// and must be provided when requesting an access token for the API.
	aud := "https://api.hashicorp.cloud"

This file has been truncated. show original

kuldeeprishi · March 24, 2022, 6:23pm

Thanks a lot @shohei
This was indeed very helpful

Topic		Replies	Views
Unable to build using HCP HashiCorp Cloud Platform (HCP)	3	776	July 20, 2023
Does packer vmware support iso_url http authentication Packer	1	26	December 11, 2024
Vault approle in Packer? Packer vault	1	229	November 24, 2023
Packer and GCP impersonation Packer	3	1817	February 8, 2022
Packer build issues on credentials, validate passes Packer	0	2169	May 26, 2021

Packer API Authentication

Related topics