Merge branch 'main' into oas-bot-19498933148/pim

Author: cgoetz-inovex

.github/dependabot.yml

@@ -13,6 +13,7 @@
   "repositories": [
     "stackitcloud/stackit-sdk-go"
   ],
+  "minimumReleaseAge": "7d",
   "enabledManagers": [
     "gomod",
     "github-actions"
@@ -22,7 +23,8 @@
       "matchSourceUrls": [
         "https://github.com/stackitcloud/stackit-sdk-go"
       ],
-      "groupName": "SDK"
+      "groupName": "SDK",
+      "minimumReleaseAge": "0d"
     }
   ],
   "allowedCommands": [

.github/renovate.json

@@ -8,7 +8,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
-        go-version: ["1.21", "1.22", "1.23"]
+        go-version: ["1.21", "1.22", "1.23", "1.24", "1.25"]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout

.github/workflows/ci.yaml

@@ -11,6 +11,7 @@ on:
 env:
   DAYS_BEFORE_PR_STALE: 7
   DAYS_BEFORE_PR_CLOSE: 7
+  EXEMPT_PR_LABELS: "ignore-stale"
 
 permissions:
   issues: write
@@ -30,6 +31,7 @@ jobs:
           close-pr-message: "This PR was closed automatically because it has been stalled for ${{ env.DAYS_BEFORE_PR_CLOSE }} days with no activity. Feel free to re-open it at any time."
           days-before-pr-stale: ${{ env.DAYS_BEFORE_PR_STALE }}
           days-before-pr-close: ${{ env.DAYS_BEFORE_PR_CLOSE }}
+          exempt-pr-labels: ${{ env.EXEMPT_PR_LABELS }}
           # never mark issues as stale or close them
           days-before-issue-stale: -1
           days-before-issue-close: -1

.github/workflows/stale.yaml

@@ -44,9 +44,12 @@ sync-tidy: ## Sync and tidy dependencies
 	@echo ">> Syncing and tidying dependencies"
 	@$(SCRIPTS_BASE)/sync-tidy.sh
 
-lint: sync-tidy ## Lint all code
+lint: sync-tidy lint-versions ## Lint all code
 	@$(MAKE) --no-print-directory lint-golangci-lint skip-non-generated-files=${skip-non-generated-files} service=${service}
 
+lint-versions:
+	@go run $(SCRIPTS_BASE)/lint-versions.go
+
 # TEST
 test-go: ## Run Go tests
 	@echo ">> Running Go tests"
@@ -59,10 +62,3 @@ test-scripts: ## Run tests for scripts
 test: ## Run all tests
 	@$(MAKE) --no-print-directory test-go skip-non-generated-files=${skip-non-generated-files} service=${service}
 
-# AUTOMATIC TAG
-sdk-tag-services:
-	@go run $(SCRIPTS_BASE)/automatic_tag.go --update-type ${update-type} --ssh-private-key-file-path ${ssh-private-key-file-path};
-
-
-sdk-tag-core: 
-	@go run $(SCRIPTS_BASE)/automatic_tag.go --update-type ${update-type} --ssh-private-key-file-path ${ssh-private-key-file-path} --target core;

CHANGELOG.md

@@ -99,7 +99,7 @@ More examples on other services, configuration and authentication possibilities
 
 ## Authentication
 
-To authenticate with the SDK, you need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html) with appropriate permissions (e.g., `project.owner`, see [here](https://docs.stackit.cloud/stackit/en/assign-permissions-to-a-service-account-134415855.html)). You can create a service account through the STACKIT Portal.
+To authenticate with the SDK, you need a [service account](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/) with appropriate permissions (e.g., `project.owner`, see [here](https://docs.stackit.cloud/platform/access-and-identity/roles-permissions/assign-roles-to-account/)). You can create a service account through the STACKIT Portal.
 
 ### Authentication Methods
 
@@ -130,8 +130,8 @@ For each authentication method, the key flow is attempted first, followed by the
 1. Create a service account key in the STACKIT Portal:
 
    - Navigate to `Service Accounts` → Select account → `Service Account Keys` → Create key
-   - You can either let STACKIT generate the key pair or provide your own RSA key pair (see [Creating an RSA key-pair](https://docs.stackit.cloud/stackit/en/usage-of-the-service-account-keys-in-stackit-175112464.html#UsageoftheserviceaccountkeysinSTACKIT-CreatinganRSAkey-pair) for more details)
-   - **Note**: it's also possible to create the service account key in other ways (see [Tutorials for Service Accounts](https://docs.stackit.cloud/stackit/en/tutorials-for-service-accounts-134415861.html) for more details)
+   - You can either let STACKIT generate the key pair or provide your own RSA key pair (see [Creating an RSA key-pair](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-keys/) for more details)
+   - **Note**: it's also possible to create the service account key in other ways (see [Tutorials for Service Accounts](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-accounts/) for more details)
 
 2. Save the service account key JSON:
 
@@ -194,7 +194,7 @@ For each authentication method, the key flow is attempted first, followed by the
 1. Create an access token in the STACKIT Portal:
 
    - Navigate to `Service Accounts` → Select account → `Access Tokens` → Create token
-   - **Note**: it's also possible to create the service account access tokens in other ways (see [Tutorials for Service Accounts](https://docs.stackit.cloud/stackit/en/tutorials-for-service-accounts-134415861.html) for more details)
+   - **Note**: it's also possible to create the service account access tokens in other ways (see [Tutorials for Service Accounts](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/get-access-token/) for more details)
 
 2. Configure authentication using any of these methods:
 
@@ -234,4 +234,4 @@ See the [release documentation](./RELEASE.md) for further information.
 
 ## License
 
-Apache 2.0
+Apache 2.0

Makefile

@@ -1,3 +1,10 @@
+## v0.21.0
+- **Deprecation:** KeyFlow `SetToken` and `GetToken` will be removed after 2026-07-01. Use GetAccessToken instead and rely on client refresh.
+- **Feature:** Support Workload Identity Federation flow
+
+## v0.20.1
+- **Improvement:** Improve error message when passing a PEM encoded file to as service account key
+
 ## v0.20.0
 - **New:** Added new `GetTraceId` function
 

README.md

@@ -1 +1 @@
-v0.20.0
+v0.21.0

core/CHANGELOG.md

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/stackitcloud/stackit-sdk-go/core/clients"
 	"github.com/stackitcloud/stackit-sdk-go/core/config"
@@ -50,6 +51,12 @@ func SetupAuth(cfg *config.Configuration) (rt http.RoundTripper, err error) {
 			return nil, fmt.Errorf("configuring no auth client: %w", err)
 		}
 		return noAuthRoundTripper, nil
+	} else if cfg.WorkloadIdentityFederation {
+		wifRoundTripper, err := WorkloadIdentityFederationAuth(cfg)
+		if err != nil {
+			return nil, fmt.Errorf("configuring no auth client: %w", err)
+		}
+		return wifRoundTripper, nil
 	} else if cfg.ServiceAccountKey != "" || cfg.ServiceAccountKeyPath != "" {
 		keyRoundTripper, err := KeyAuth(cfg)
 		if err != nil {
@@ -83,14 +90,18 @@ func DefaultAuth(cfg *config.Configuration) (rt http.RoundTripper, err error) {
 		cfg = &config.Configuration{}
 	}
 
-	// Key flow
-	rt, err = KeyAuth(cfg)
+	// WIF flow
+	rt, err = WorkloadIdentityFederationAuth(cfg)
 	if err != nil {
-		keyFlowErr := err
-		// Token flow
-		rt, err = TokenAuth(cfg)
+		// Key flow
+		rt, err = KeyAuth(cfg)
 		if err != nil {
-			return nil, fmt.Errorf("no valid credentials were found: trying key flow: %s, trying token flow: %w", keyFlowErr.Error(), err)
+			keyFlowErr := err
+			// Token flow
+			rt, err = TokenAuth(cfg)
+			if err != nil {
+				return nil, fmt.Errorf("no valid credentials were found: trying key flow: %s, trying token flow: %w", keyFlowErr.Error(), err)
+			}
 		}
 	}
 	return rt, nil
@@ -172,7 +183,11 @@ func KeyAuth(cfg *config.Configuration) (http.RoundTripper, error) {
 	var serviceAccountKey = &clients.ServiceAccountKeyResponse{}
 	err = json.Unmarshal([]byte(cfg.ServiceAccountKey), serviceAccountKey)
 	if err != nil {
-		return nil, fmt.Errorf("unmarshalling service account key: %w", err)
+		var errorSuffix string
+		if strings.HasPrefix(cfg.ServiceAccountKey, "-----BEGIN") {
+			errorSuffix = " - it seems like the provided service account key is in PEM format. Please provide it in JSON format."
+		}
+		return nil, fmt.Errorf("unmarshalling service account key: %w%s", err, errorSuffix)
 	}
 
 	// Try to get private key from configuration, environment or credentials file
@@ -216,6 +231,29 @@ func KeyAuth(cfg *config.Configuration) (http.RoundTripper, error) {
 	return client, nil
 }
 
+// WorkloadIdentityFederationAuth configures the wif flow and returns an http.RoundTripper
+// that can be used to make authenticated requests using an access token
+func WorkloadIdentityFederationAuth(cfg *config.Configuration) (http.RoundTripper, error) {
+	wifConfig := clients.WorkloadIdentityFederationFlowConfig{
+		TokenUrl:                      cfg.TokenCustomUrl,
+		BackgroundTokenRefreshContext: cfg.BackgroundTokenRefreshContext,
+		ClientID:                      cfg.ServiceAccountEmail,
+		TokenExpiration:               cfg.ServiceAccountFederatedTokenExpiration,
+		FederatedTokenFunction:        cfg.ServiceAccountFederatedTokenFunc,
+	}
+
+	if cfg.HTTPClient != nil && cfg.HTTPClient.Transport != nil {
+		wifConfig.HTTPTransport = cfg.HTTPClient.Transport
+	}
+
+	client := &clients.WorkloadIdentityFederationFlow{}
+	if err := client.Init(&wifConfig); err != nil {
+		return nil, fmt.Errorf("error initializing client: %w", err)
+	}
+
+	return client, nil
+}
+
 // readCredentialsFile reads the credentials file from the specified path and returns Credentials
 func readCredentialsFile(path string) (*Credentials, error) {
 	if path == "" {