| title | type |
|---|---|
| Authorization | Details |
Kyma Environment Broker provides OAuth2 authorization. For this purpose, Kyma Environment Broker uses the ApiRule custom resource which generates a VirtualService and uses Oathkeeper Access Rules to allow or deny access. To authorize with the Kyma Environment Broker, use an OAuth2 client registered through the Hydra Maester controller.
To access the Kyma Environment Broker endpoints, use the `/oauth` prefix before OSB API paths. For example:

```
/oauth/{region}/v2/catalog
```

You must also specify the `Authorization: Bearer` request header:

```
Authorization: Bearer {ACCESS_TOKEN}
```
Follow these steps to obtain a new access token:

- Export these values as environment variables:

  - The name of your client and the Secret which stores the client credentials:

    ```bash
    export CLIENT_NAME={YOUR_CLIENT_NAME}
    ```

  - The Namespace in which you want to create the client and the Secret that stores its credentials:

    ```bash
    export CLIENT_NAMESPACE={YOUR_CLIENT_NAMESPACE}
    ```

  - The domain of your cluster:

    ```bash
    export DOMAIN={CLUSTER_DOMAIN}
    ```
- Create an OAuth2 client:

  ```bash
  cat <<EOF | kubectl apply -f -
  apiVersion: hydra.ory.sh/v1alpha1
  kind: OAuth2Client
  metadata:
    name: $CLIENT_NAME
    namespace: $CLIENT_NAMESPACE
  spec:
    grantTypes:
      - "client_credentials"
    scope: "$SCOPE"   # SCOPE must be exported beforehand and hold one or both of the scopes listed in the note below
    secretName: $CLIENT_NAME
  EOF
  ```

  NOTE: The valid scopes are `broker:write` and `cld:read`.
- Export the credentials of the created client as environment variables. Run:

  ```bash
  export CLIENT_ID="$(kubectl get secret -n $CLIENT_NAMESPACE $CLIENT_NAME -o jsonpath='{.data.client_id}' | base64 --decode)"
  export CLIENT_SECRET="$(kubectl get secret -n $CLIENT_NAMESPACE $CLIENT_NAME -o jsonpath='{.data.client_secret}' | base64 --decode)"
  ```
- Encode your client credentials and export them as an environment variable:

  ```bash
  # tr removes the line wrap that GNU base64 inserts after 76 characters; a wrapped value breaks the Basic header
  export ENCODED_CREDENTIALS=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')
  ```
- Get the access token:

  ```bash
  # -k skips TLS certificate verification; omit it once the cluster certificate is trusted
  curl -ik -X POST "https://oauth2.$DOMAIN/oauth2/token" -H "Authorization: Basic $ENCODED_CREDENTIALS" -F "grant_type=client_credentials" -F "scope=broker:write"
  ```
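As an added example (not part of the Kyma documentation or the broker's own code), a small Python client that performs the whole exchange described above: it builds the Basic credentials without the line-wrap pitfall, requests a token from the Hydra endpoint with the `client_credentials` grant, caches it until shortly before it expires, and sends it as a Bearer token to the `/oauth`-prefixed catalog endpoint. The broker base URL (`broker_url`) and the injectable `transport` hook are assumptions not stated on this page, and the `X-Broker-API-Version` header comes from the OSB API specification rather than from this page.

```python
import base64, json, time
import urllib.parse, urllib.request

VALID_SCOPES = {"broker:write", "cld:read"}  # the two scopes the note above allows

def https_transport(method, url, headers, body=None):
    """Default transport: real HTTPS request, TLS verification left on. Returns (status, bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()

class KebClient:
    """Gets a token from Hydra and calls KEB's /oauth-prefixed OSB endpoints with it."""
    def __init__(self, domain, broker_url, client_id, client_secret,
                 scope="broker:write", transport=https_transport):
        if not set(scope.split()) <= VALID_SCOPES:
            raise ValueError(f"unknown scope in {scope!r}")
        self.token_url = f"https://oauth2.{domain}/oauth2/token"  # Hydra endpoint from the page
        self.broker_url = broker_url.rstrip("/")  # assumed: KEB base URL, not given on this page
        self.scope, self.transport = scope, transport
        # HTTP Basic value: base64("id:secret") with no line wrap or trailing newline
        self.basic = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._token, self._expires_at = None, 0.0

    def fetch_token(self):
        """POST grant_type=client_credentials (RFC 6749 form encoding) and cache the token."""
        body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": self.scope}).encode()
        headers = {"Authorization": self.basic, "Content-Type": "application/x-www-form-urlencoded"}
        status, raw = self.transport("POST", self.token_url, headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        tok = json.loads(raw)
        if tok.get("token_type", "").lower() != "bearer":
            raise RuntimeError("expected a bearer token")
        self._token = tok["access_token"]
        self._expires_at = time.monotonic() + float(tok.get("expires_in", 0)) - 30  # renew early
        return self._token

    def access_token(self):
        if self._token is None or time.monotonic() >= self._expires_at:
            return self.fetch_token()  # no token yet, or within 30 s of expiry
        return self._token

    def catalog(self, region):
        """GET /oauth/{region}/v2/catalog with the Bearer header the page requires."""
        headers = {"Authorization": f"Bearer {self.access_token()}", "X-Broker-API-Version": "2.14"}
        status, raw = self.transport("GET", f"{self.broker_url}/oauth/{region}/v2/catalog", headers)
        if status != 200:
            raise RuntimeError(f"catalog request failed: HTTP {status}")
        return json.loads(raw)
```

Passing a fake `transport` (as the check below does) lets the exchange be exercised offline; the default transport talks to the real Hydra and broker endpoints.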