feat: add GRN_ACCESS_KEY_ID/GRN_SECRET_ACCESS_KEY env var support

Author: tytv2

CLAUDE.md

@@ -80,7 +80,7 @@ go/
 ## Security rules
 
 - **Credential masking**: `configure list` and `configure get` mask client_id/client_secret (last 4 chars only)
-- **No credential env vars**: `GRN_CLIENT_ID`/`GRN_CLIENT_SECRET` not supported — file only
+- **Credential env vars supported**: `GRN_ACCESS_KEY_ID`/`GRN_SECRET_ACCESS_KEY` override credentials file (highest priority)
 - **Input validation**: All cluster-id/nodegroup-id validated via `validator.ValidateID()` before URLs
 - **SSL default on**: `--no-verify-ssl` prints warning to stderr
 - **Tokens in memory only**: Never written to disk or logged

README.md

@@ -43,7 +43,17 @@ grn --version
 
 ### Configuration
 
-Before using the GreenNode CLI, you need to configure your credentials. The quickest way is to run:
+Before using the GreenNode CLI, you need to configure your credentials. There are three ways:
+
+**Method 1: Environment variables**
+
+```bash
+export GRN_ACCESS_KEY_ID=your-client-id
+export GRN_SECRET_ACCESS_KEY=your-client-secret
+export GRN_DEFAULT_REGION=HCM-3
+```
+
+**Method 2: Interactive setup (recommended)**
 
 ```bash
 grn configure
@@ -56,9 +66,7 @@ Default region name [HCM-3]:
 Default output format [json]:
 ```
 
-Credentials are obtained from the [VNG Cloud IAM Portal](https://hcm-3.console.vngcloud.vn/iam/) under Service Accounts.
-
-Or create the credential files directly:
+**Method 3: Credentials file (manual)**
 
 ```ini
 # ~/.greenode/credentials
@@ -74,14 +82,18 @@ region = HCM-3
 output = json
 ```
 
+Credentials are obtained from the [VNG Cloud IAM Portal](https://hcm-3.console.vngcloud.vn/iam/) under Service Accounts.
+
+Credential resolution order: environment variables take priority over the credentials file.
+
 To use multiple profiles:
 
 ```bash
 grn configure --profile staging
 grn --profile staging vks list-clusters
 ```
 
-For more configuration options, see the [Configuration Guide](https://vngcloud.github.io/greennode-cli/configuration/).
+For more configuration options, see the [Configuration Guide](https://vngcloud.github.io/greenode-cli/configuration/).
 
 ### Basic Commands
 
@@ -120,7 +132,7 @@ The best way to interact with our team is through GitHub:
 
 ## More Resources
 
-- [Documentation](https://vngcloud.github.io/greennode-cli/)
+- [Documentation](https://vngcloud.github.io/greenode-cli/)
 - [Changelog](CHANGELOG.md)
 - [Contributing Guide](CONTRIBUTING.md)
 - [VNG Cloud Console](https://hcm-3.console.vngcloud.vn/)

docs/configuration.md

@@ -17,6 +17,37 @@ Default output format [json]:
 
 Credentials are obtained from the [VNG Cloud IAM Portal](https://hcm-3.console.vngcloud.vn/iam/) under Service Accounts.
 
+## Credential resolution order
+
+Credentials are resolved in the following order (highest to lowest priority):
+
+1. **Environment variables**: `GRN_ACCESS_KEY_ID`, `GRN_SECRET_ACCESS_KEY`
+2. **Shared credentials file**: `~/.greenode/credentials`
+
+## Environment variables
+
+| Variable | Description |
+|----------|-------------|
+| `GRN_ACCESS_KEY_ID` | Client ID (overrides credentials file) |
+| `GRN_SECRET_ACCESS_KEY` | Client Secret (overrides credentials file) |
+| `GRN_DEFAULT_REGION` | Default region |
+| `GRN_PROFILE` | Profile name (default: "default") |
+| `GRN_DEFAULT_OUTPUT` | Output format |
+
+Environment variables take priority over config file values.
+
+### Example
+
+```bash
+# Set credentials via environment variables
+export GRN_ACCESS_KEY_ID=your-client-id
+export GRN_SECRET_ACCESS_KEY=your-client-secret
+export GRN_DEFAULT_REGION=HCM-3
+
+# Commands will use env var credentials automatically
+grn vks list-clusters
+```
+
 ## Config files
 
 Credentials and config are stored in separate files:
@@ -80,16 +111,6 @@ export GRN_PROFILE=staging
 grn vks list-clusters
 ```
 
-## Environment variables
-
-| Variable | Description |
-|----------|-------------|
-| `GRN_DEFAULT_REGION` | Default region |
-| `GRN_PROFILE` | Profile name |
-| `GRN_DEFAULT_OUTPUT` | Output format |
-
-Environment variables take priority over config file values.
-
 ## Available regions
 
 | Region | VKS Endpoint |

docs/usage/global-options.md

@@ -6,6 +6,10 @@ Global options are placed before the service name:
 grn [global-options] <service> <command> [command-options]
 ```
 
+## Environment variables
+
+Global options can also be set via environment variables. See the [Configuration Guide](../configuration.md#environment-variables) for the full list, including `GRN_ACCESS_KEY_ID` and `GRN_SECRET_ACCESS_KEY` for credential overrides.
+
 ## Options
 
 | Option | Description |

go/cmd/configure/list.go

@@ -70,6 +70,18 @@ func resolveCredEntry(name, value, credsFile string) configEntry {
 	if value == "" {
 		return configEntry{name: name, value: "<not set>", typ: "None", location: "None"}
 	}
+
+	// Check if value came from env var
+	envMap := map[string]string{
+		"client_id":     "GRN_ACCESS_KEY_ID",
+		"client_secret": "GRN_SECRET_ACCESS_KEY",
+	}
+	if envVar, ok := envMap[name]; ok {
+		if os.Getenv(envVar) != "" {
+			return configEntry{name: name, value: config.MaskCredential(value), typ: "env", location: envVar}
+		}
+	}
+
 	home, _ := os.UserHomeDir()
 	loc := "~" + credsFile[len(home):]
 	return configEntry{name: name, value: config.MaskCredential(value), typ: "config-file", location: loc}

go/internal/config/config.go

@@ -52,19 +52,32 @@ func LoadConfig(profile string) (*Config, error) {
 		Regions: REGIONS,
 	}
 
-	// Load credentials
-	credsFile := filepath.Join(configDir, "credentials")
-	if _, err := os.Stat(credsFile); err == nil {
-		iniCreds, err := ini.Load(credsFile)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse credentials file: %w", err)
-		}
-		section, err := iniCreds.GetSection(profile)
-		if err != nil {
-			return nil, fmt.Errorf("profile '%s' does not exist in %s", profile, credsFile)
+	// Load credentials — env vars override file
+	if v := os.Getenv("GRN_ACCESS_KEY_ID"); v != "" {
+		cfg.ClientID = v
+	}
+	if v := os.Getenv("GRN_SECRET_ACCESS_KEY"); v != "" {
+		cfg.ClientSecret = v
+	}
+
+	if cfg.ClientID == "" || cfg.ClientSecret == "" {
+		credsFile := filepath.Join(configDir, "credentials")
+		if _, err := os.Stat(credsFile); err == nil {
+			iniCreds, err := ini.Load(credsFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse credentials file: %w", err)
+			}
+			section, err := iniCreds.GetSection(profile)
+			if err != nil {
+				return nil, fmt.Errorf("profile '%s' does not exist in %s", profile, credsFile)
+			}
+			if cfg.ClientID == "" {
+				cfg.ClientID = section.Key("client_id").String()
+			}
+			if cfg.ClientSecret == "" {
+				cfg.ClientSecret = section.Key("client_secret").String()
+			}
 		}
-		cfg.ClientID = section.Key("client_id").String()
-		cfg.ClientSecret = section.Key("client_secret").String()
 	}
 
 	// Load config file