Platform Credentials

Each platform reads the credentials it uses from different files. The aliyun, aws, azure, do, esx and packet platforms support selecting from multiple configured credentials, called “profiles”. The examples below are for the “default” profile, but other profiles can be specified in the credentials files and selected via the --<platform-name>-profile flag:

kola spawn -p aws --aws-profile other_profile

  1. aliyun
  2. aws
  3. azure
  4. do
  5. esx
  6. gcp
  7. openstack
  8. packet
  9. qemu
  10. kubevirt

aliyun

aliyun reads the ~/.aliyun/config.json file used by Aliyun’s aliyun command-line tool. It can be created using the aliyun command:

$ aliyun configure

To configure a different profile, use the --profile flag:

$ aliyun configure --profile other_profile

The ~/.aliyun/config.json file can also be populated manually:

{
  "current": "",
  "profiles": [
    {
      "name": "",
      "mode": "AK",
      "access_key_id": "ACCESS_KEY_ID",
      "access_key_secret": "ACCESS_KEY_SECRET",
      "sts_token": "",
      "ram_role_name": "",
      "ram_role_arn": "",
      "ram_session_name": "",
      "private_key": "",
      "key_pair_name": "",
      "expired_seconds": 0,
      "verified": "",
      "region_id": "eu-central-1",
      "output_format": "json",
      "language": "zh",
      "site": "",
      "retry_timeout": 0,
      "retry_count": 0
    }
  ]
}

aws

aws reads the ~/.aws/credentials file used by Amazon’s aws command-line tool. It can be created using the aws command:

$ aws configure

To configure a different profile, use the --profile flag:

$ aws configure --profile other_profile

The ~/.aws/credentials file can also be populated manually:

[default]
aws_access_key_id = ACCESS_KEY_ID_HERE
aws_secret_access_key = SECRET_ACCESS_KEY_HERE

To install the aws command in the SDK, run:

sudo emerge --ask awscli

azure

The Azure SDK for Go does not support any file-based authentication schemes. We’ll use a JSON file generated by hand to pass authentication to our mantle code, which will then use it to authenticate with Azure services.

First we must have a service principal and set of credentials to authenticate with. This can be created via the Azure CLI by the az ad sp create-for-rbac command. You must know your subscription ID in order to run this command. This can usually be picked up from ~/.azure/azureProfile.json if you are logged in via the Azure CLI:

subscription='aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
az ad sp create-for-rbac --name name --role Contributor --scopes "/subscriptions/${subscription}"

The output of this command is JSON formatted. Store the output of it in a file called azureCreds.json:

{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "name",
  "password": "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",
  "tenant": "66666666-7777-8888-9999-111111111111"
}

All we need now is to add the subscription ID information to the azureCreds.json so that the final file looks like:

{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "name",
  "password": "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",
  "tenant": "66666666-7777-8888-9999-111111111111",
  "subscription": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}

This file can be placed at $HOME/.azure/azureCreds.json or the path can be placed in the $AZURE_CREDENTIALS environment variable or passed via the --azure-credentials option on the command line.
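The steps above (capture the az output, add the subscription, store the file) can be done and checked in one go. The following is an added example, not part of mantle or the page; the `az` output is a constructed sample, and the GUID and 0600-permission checks are assumptions about what a sane azureCreds.json should look like, not something kola enforces.

```python
import json
import os
import re

# Keys kola reads from azureCreds.json: the four emitted by
# `az ad sp create-for-rbac` plus the subscription added by hand.
REQUIRED_KEYS = ("appId", "displayName", "password", "tenant", "subscription")
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def check_azure_creds(creds):
    """Return a list of problems with a candidate azureCreds.json dict
    (empty when it has the expected shape)."""
    problems = [f"missing or empty key: {k}" for k in REQUIRED_KEYS if not creds.get(k)]
    for k in ("appId", "tenant", "subscription"):
        v = creds.get(k)
        if v and not GUID_RE.match(v):
            problems.append(f"{k} is not a GUID: {v!r}")
    return problems


def build_azure_creds(sp_output, subscription):
    """Merge the JSON printed by `az ad sp create-for-rbac` with the
    subscription ID, refusing to produce a malformed file."""
    creds = dict(json.loads(sp_output))
    creds["subscription"] = subscription
    problems = check_azure_creds(creds)
    if problems:
        raise ValueError("; ".join(problems))
    return creds


def write_azure_creds(creds, path):
    """Write the file owner-readable only (it holds the SP password),
    creating it with mode 0600 rather than relying on umask.
    Returns the resulting permission bits."""
    parent = os.path.dirname(path)
    if parent:
        os.makedirs(parent, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(creds, f, indent=2)
        f.write("\n")
    return os.stat(path).st_mode & 0o777


# Constructed sample standing in for the real `az` output.
SAMPLE_SP_OUTPUT = """{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "name",
  "password": "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",
  "tenant": "66666666-7777-8888-9999-111111111111"
}"""

if __name__ == "__main__":
    creds = build_azure_creds(SAMPLE_SP_OUTPUT, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    print(oct(write_azure_creds(creds, "azureCreds.json")))
```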

do

do uses ~/.config/digitalocean.json. This can be configured manually:

{
    "default": {
        "token": "token goes here"
    }
}

esx

esx uses ~/.config/esx.json. This can be configured manually:

{
    "default": {
        "server": "server.address.goes.here",
        "user": "user.goes.here",
        "password": "password.goes.here"
    }
}

gcp

If you want to create a service account’s JSON key for authentication, refer to create service account keys.

openstack

openstack uses ~/.config/openstack.json. This can be configured manually:

{
    "default": {
        "auth_url": "auth url here",
        "tenant_id": "tenant id here",
        "tenant_name": "tenant name here",
        "username": "username here",
        "password": "password here",
        "user_domain": "domain id here",
        "floating_ip_pool": "floating ip pool here",
        "region_name": "region here"
    }
}

user_domain is required on some newer versions of OpenStack using Keystone V3 but is optional on older versions. floating_ip_pool and region_name can be optionally specified here to be used as a default if not specified on the command line.

packet

packet uses ~/.config/packet.json. This can be configured manually:

{
	"default": {
		"api_key": "your api key here",
		"project": "project id here"
	}
}

qemu

qemu is run locally and needs no credentials. It has a few restrictions:

  • No local cluster
  • Usermode networking (no namespaced networks):
    • Single node only, no machine to machine networking
    • Machines have internet access by default

kubevirt

kubevirt publishes a containerdisk which can be consumed by KubeVirt. In order to publish the containerdisk, the credentials to the container registry need to be provided in ~/.docker/config.json.

An example configuration may look like this:

{
	"auths": {
		"quay.io": {
			"auth": "dXNlcjpwYXNzCg=="
		}
	}
}

where auth is a base64-encoded HTTP Basic Auth token:

$ echo dXNlcjpwYXNzCg== | base64 -d
user:pass
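An added example (not from the page or the mantle project) that builds such an auth entry and inspects an existing ~/.docker/config.json. Note that the sample value above decodes to user:pass followed by a newline, as produced by echo without -n; the inspector flags that, and the registry name registry.example.com is a constructed placeholder.

```python
import base64
import binascii
import json


def make_docker_auth(user, password):
    """Encode user:password the way ~/.docker/config.json expects:
    plain base64 of the string, with no trailing newline."""
    return base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def inspect_docker_config(config_text):
    """Parse a config.json body and report, per registry, whether the auth
    value decodes to a clean user:password pair.
    Returns {registry: (username or None, [problems])}."""
    report = {}
    for registry, entry in json.loads(config_text).get("auths", {}).items():
        raw = entry.get("auth", "")
        try:
            decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            report[registry] = (None, ["auth is not valid base64 text"])
            continue
        if ":" not in decoded:
            report[registry] = (None, ["auth does not decode to user:password"])
            continue
        user, _, password = decoded.partition(":")
        problems = []
        if decoded != decoded.rstrip("\r\n"):
            problems.append("decoded value has a trailing newline (encoded with echo without -n?)")
        if not password.strip():
            problems.append("empty password")
        report[registry] = (user, problems)
    return report


# Constructed sample: the page's quay.io entry plus a correctly encoded one.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "quay.io": {"auth": "dXNlcjpwYXNzCg=="},
        "registry.example.com": {"auth": make_docker_auth("user", "pass")},
    }
})

if __name__ == "__main__":
    for registry, (user, problems) in inspect_docker_config(SAMPLE_CONFIG).items():
        print(registry, user, problems or "ok")
```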