Skip to content

Commit 3195ee6

Browse files
committed
doc updates
1 parent 7dde88f commit 3195ee6

1 file changed

Lines changed: 49 additions & 4 deletions

File tree

docs/index.md

Lines changed: 49 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -67,13 +67,58 @@ order of operations for determining the tenant.
6767
## Credential Selection Logic
6868

6969
There are numerous ways to provide the CLI with the Britive credentials that should be used to authenticate to the
70-
Britive tenant. The below list is the order of operations for determining the tenant.
70+
Britive tenant. The below list is the order of operations for determining the token to use.
7171

72-
1. Value retrieved from CLI option/flag `--token/-T`
73-
2. Value retrieved from environment variable `BRITIVE_API_TOKEN`
74-
3. If none of the above are available an interactive login will be performed and temporary credentials will be stored locally for future use with the CLI
72+
1. Workload federation provider token via option/flag `--federation-provider/-P` (see below for more details on this option)
73+
2. Value retrieved from CLI option/flag `--token/-T`
74+
3. Value retrieved from environment variable `BRITIVE_API_TOKEN`
75+
4. If none of the above are available an interactive login will be performed and temporary credentials will be stored locally for future use with the CLI
7576

7677

78+
## Workload Federation Providers
79+
80+
*NOTE*: Before any of the below will work there is required setup and configuration within your Britive tenant
81+
so trust can be established between the identity provider and Britive.
82+
83+
`pybritive` and the Python SDK offer the capability to source an ephemeral token from a federation provider.
84+
This use case is targeted for machines/automated workloads and removes the need to store a long-lived API token
85+
to interact with Britive. These tokens are mapped to service identities within your Britive tenant.
86+
87+
At feature launch the following types of identity providers are supported for workload identity federation.
88+
89+
* Open ID Connect (OIDC)
90+
* AWS STS
91+
92+
`pybritive` offers some native integrations with the following services at the launch of this feature.
93+
94+
* Github Actions
95+
* AWS
96+
97+
It is possible to source an identity token from a different OIDC provider and explicitly set it via the `--token\-T` flag.
98+
However, if you are using one of the above providers, a shortcut is provided to abstract away the complexity of sourcing these tokens.
99+
Over time this list will grow. Reach out to your customer success manager if you have an identity provider you would like added to
100+
this list.
101+
102+
A couple of examples are below which illustrate how to use the above identity providers. Note that these commands will only work
103+
if they are being run within the context of the identity provider. Otherwise, the necessary data and connections will not be
104+
present in the execution environment.
105+
106+
~~~bash
107+
# github actions
108+
pybritive checkout "profile" --federation-provider github # use github actions with the default OIDC audience
109+
pybritive checkout "profile" --federation-provider github-audience # use github actions with a custom OIDC audience
110+
pybritive checkout "profile" --federation-provider github-audience_expirationseconds # use github actions with a custom OIDC audience and set the Britive expiration (in seconds) of the generated token
111+
pybritive checkout "profile" --federation-provider github_expirationseconds # use github actions with the default OIDC audience and set the Britive expiration (in seconds) of the generated token
112+
113+
# aws sts
114+
pybritive checkout "profile" --federation-provider aws # use aws sts without an AWS CLI profile (source credentials via the standard credential discovery process)
115+
pybritive checkout "profile" --federation-provider aws-profile # use aws sts with an AWS CLI profile
116+
pybritive checkout "profile" --federation-provider aws-profile_expirationseconds # use aws sts with an AWS CLI profile and set the Britive expiration (in seconds) of the generated token
117+
pybritive checkout "profile" --federation-provider aws_expirationseconds # use aws sts without an AWS CLI profile and set the Britive expiration (in seconds) of the generated token
118+
~~~
119+
120+
In general the field format for `--federation-provider` is `provider-[something provider specific]_[duration in seconds]`.
121+
77122
## Credential Stores
78123

79124
The CLI currently offers two ways in which temporary credentials obtained via interactive login can be stored.

0 commit comments

Comments
 (0)