How can I access API key metadata inside an action

Is there any way I can access the API key metadata inside a python action?

@n_kos you can make an API call to access the metadata:

@nmaludy My bad I was not clear enough. I would like to access metadata of the API key that called the action.

@n_kos the API key is set as an environment variable ST2_API_KEY when the python action is called. You can read this from os.environ['ST2_API_KEY']; you can then use this to query for the metadata using the API endpoint I linked above.

To use the API key as auth for the API see this: Authentication — StackStorm 2.6.0 documentation

An alternative is to use the st2client py bindings, which again call the aforementioned REST API.

Following the Datastore — StackStorm 2.6.0 documentation analogy as a base example of using st2client:

>>> from st2client.client import Client
>>> client = Client(base_url='http://localhost', token='abcde123456')
>>> client.apikeys.get_all()
[<ApiKey id=5a383c27e9178d4967e81931,user=st2admin,metadata={}>, <ApiKey id=5aaa6d6de9178d0867016896,user=st2admin,metadata={}>]

In a python action itself, you have access to temporary ST2_ACTION_AUTH_TOKEN env variable and can use that in context for auth, see Actions — StackStorm 2.6.0 documentation


@nmaludy I can only see ST2_ACTION_AUTH_TOKEN and ST2_AUTH_TOKEN. I initiate the action with the /executions/ endpoint. I use the St2-Api-Key header for authentication.

Talking about obtaining the metadata of the API key which triggered an execution: I'm not exactly sure, but it's possible that the action was triggered based on an API token rather than an API key, or vice versa. So there is no way to know at the moment from the user's perspective.

There must, however, be some ways to look up which user initiated an execution, aka the owner (something that stands behind the key or token).

I don't know how to make new users, so I thought of adding them in metadata. How can I create new users?

You can rely on .htpasswd auth which is default if you didn’t change your auth backend in st2.conf, see: Configure Authentication.
There are other auth backends available in StackStorm Enterprise version like LDAP.

Then in action meta you can use {{action_context.user}} (Actions — StackStorm 2.6.0 documentation) which will show the StackStorm user who initiated the call.
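Putting the two answers above together, as an added example (not code from the thread or from StackStorm itself): a Python action body that reads whichever credential the runner injected (ST2_API_KEY or ST2_ACTION_AUTH_TOKEN), takes the caller's identity from a parameter wired to {{action_context.user}}, and narrows client.apikeys.get_all() to that user's keys. The function names, the caller_user parameter, the injectable fetch_keys hook and the sample records are assumptions; the record fields mirror the get_all() output shown earlier.

```python
# Added example (not StackStorm's own code); names and sample records are assumptions.
import os
from collections import namedtuple

# Constructed sample in the shape of client.apikeys.get_all() results.
ApiKey = namedtuple("ApiKey", "id user metadata")
SAMPLE_KEYS = [
    ApiKey("5a383c27e9178d4967e81931", "st2admin", {}),
    ApiKey("5aaa6d6de9178d0867016896", "st2admin", {"team": "ops"}),
    ApiKey("000000000000000000000001", "n_kos", {"team": "dev"}),  # placeholder id
]

def caller_credentials(environ=None):
    """Return ("api_key", v), ("token", v) or (None, None). ST2_API_KEY is
    present only when the execution was requested with an API key; a
    token-authenticated request exposes ST2_ACTION_AUTH_TOKEN instead."""
    env = os.environ if environ is None else environ
    if env.get("ST2_API_KEY"):
        return "api_key", env["ST2_API_KEY"]
    if env.get("ST2_ACTION_AUTH_TOKEN"):
        return "token", env["ST2_ACTION_AUTH_TOKEN"]
    return None, None

def make_client(base_url, kind, secret):
    """st2client's Client accepts either token= or api_key=."""
    from st2client.client import Client
    if kind == "api_key":
        return Client(base_url=base_url, api_key=secret)
    return Client(base_url=base_url, token=secret)

def keys_for_user(apikeys, user):
    """Map key id -> metadata for keys owned by `user`. get_all() does not
    say which key made the current request, so identity comes from
    {{action_context.user}} and the list is narrowed to that user."""
    return {k.id: k.metadata for k in apikeys if k.user == user}

def run(caller_user, environ=None, fetch_keys=None, base_url="http://localhost"):
    """Action body: `caller_user` is wired to {{action_context.user}} in the
    action metadata; `fetch_keys` defaults to the live API but is injectable
    so the logic runs offline."""
    kind, secret = caller_credentials(environ)
    if fetch_keys is None:
        if kind is None:
            raise RuntimeError("no ST2_API_KEY or ST2_ACTION_AUTH_TOKEN set")
        fetch_keys = make_client(base_url, kind, secret).apikeys.get_all
    return {"user": caller_user, "auth_kind": kind,
            "api_keys": keys_for_user(fetch_keys(), caller_user)}
```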

@n_kos Eugen is right. More context: right now, the user data model is created on first successful authentication. For the authentication backend, you can simply use a flat file backend or even LDAP. Once a user successfully logs in, a user data model is created in the DB. API keys can then be created by the user after a successful login, as long as the admin allows you to do this via RBAC (if you don't have RBAC, any authenticated user can create API keys). A single user can create as many API keys as needed, one for each integration.

So to answer your question simply: adding a user is the same as adding an entry in the authentication backend that will allow the user to talk to StackStorm.

Thank you for your answers!

As far as I can see, I can only create roles statically through YAML files. Is there any way that I can create permissions or roles dynamically?

You can dynamically assign roles based upon LDAP group membership. Is that the sort of dynamic assignment you’re thinking of?

If not, how are you thinking about obtaining that information to map users to roles?

I am actually thinking of dynamically allowing action execution for a user at runtime, so I can decide what a user can execute. Should I create a role for every action?

Mind opening another issue, because the title of the post and the recent discussion don't match? When you open a new issue, please add more context about what you are doing. You jumped right to a solution you have in mind and are asking questions about it. Perhaps it's good for us to collectively figure out what pattern would help you.