Is there any way I can access the API key metadata inside a python action?
@n_kos you can make an API call to access the metadata: https://api.stackstorm.com/api/v1/apikeys/#/api_key_controller.get_one
@nmaludy My bad I was not clear enough. I would like to access metadata of the API key that called the action.
@n_kos the API key is set as an environment variable ST2_API_KEY when the python action is called. You can read this from os.environ['ST2_API_KEY']
you can then use this to query for the metadata using the API endpoint i linked above.
To use the API key as auth for the API see this: Authentication — StackStorm 2.6.0 documentation
An alternative is to use the st2client Python bindings, which in turn call the aforementioned REST API.
Following the Datastore — StackStorm 2.6.0 documentation analogy as a base example of using st2client:
>>> from st2client.client import Client
>>> client = Client(base_url='http://localhost', token='abcde123456')
>>> client.apikeys.get_all()
[<ApiKey id=5a383c27e9178d4967e81931,user=st2admin,metadata={}>, <ApiKey id=5aaa6d6de9178d0867016896,user=st2admin,metadata={}>]
In a Python action itself, you have access to the temporary ST2_ACTION_AUTH_TOKEN env variable and can use that in context for auth, see Actions — StackStorm 2.6.0 documentation
Resources:
- CLI to show REST API calls: st2 --debug apikey list
- st2/auth.py at master · StackStorm/st2 · GitHub - st2client source
- Actions — StackStorm 2.6.0 documentation - env vars available to actions
- Datastore — StackStorm 2.6.0 documentation - basic st2client usage example
- stackstorm-st2/actions at master · StackStorm-Exchange/stackstorm-st2 · GitHub - st2 pack code samples which use st2client under the hood
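To make the two replies above concrete, here is an added example (not code from StackStorm, the st2 pack, or any of the posters) of a python-runner action that reads the credential the runner injects, calls GET /api/v1/apikeys/{id} with the matching header, and returns the key's owner and metadata. Assumptions not established by the thread: the runner exposes the versioned API root as ST2_ACTION_API_URL next to ST2_ACTION_AUTH_TOKEN; ST2_API_KEY is only tried as a fallback because the thread disputes whether it exists; the response has the id/user/metadata shape shown in the st2client output. Only fetch_apikey() touches the network, so the header and URL logic can be checked offline.

```python
"""Look up one StackStorm API key, including its metadata, from inside a
python-runner action.

Added example for this thread, not code from StackStorm or from the posters.
Assumed (not established by the thread): the runner exposes the versioned
API root as ST2_ACTION_API_URL (e.g. https://st2.example.org/api/v1) next to
ST2_ACTION_AUTH_TOKEN; ST2_API_KEY is tried only as a fallback, since one
reply reports it is absent; the response is the id/user/metadata document
shown by st2client above. Only fetch_apikey() touches the network."""
import json
import logging
import os
import urllib.parse
import urllib.request

TOKEN_HEADER = "X-Auth-Token"    # header the st2 API reads an auth token from
APIKEY_HEADER = "St2-Api-Key"    # header the st2 API reads an API key from


def auth_header(env):
    """Return the single auth header for whichever credential the runner injected.

    The short-lived execution token (ST2_ACTION_AUTH_TOKEN) wins over a
    long-lived API key, so an action never sends the stronger credential when
    a scoped one is available. Returns None when neither is present; callers
    must treat that as an error rather than send an unauthenticated request."""
    token = env.get("ST2_ACTION_AUTH_TOKEN")
    if token:
        return {TOKEN_HEADER: token}
    api_key = env.get("ST2_API_KEY")  # assumed fallback, see module docstring
    if api_key:
        return {APIKEY_HEADER: api_key}
    return None


def apikey_url(api_root, key_id):
    """Build GET <api_root>/apikeys/<id>; the id is percent-encoded so a
    caller-supplied value cannot alter the request path."""
    return "%s/apikeys/%s" % (api_root.rstrip("/"), urllib.parse.quote(key_id, safe=""))


def summarize_apikey(doc):
    """Reduce an apikey document to (user, metadata). This endpoint returns no
    key material, so nothing secret passes through here; metadata defaults to
    {} when the key was created without any."""
    return doc["user"], dict(doc.get("metadata") or {})


def fetch_apikey(api_root, key_id, env=None, timeout=10):
    """Authenticated GET of a single API key; the only networked function."""
    headers = auth_header(os.environ if env is None else env)
    if headers is None:
        raise RuntimeError("no StackStorm credential found in the action environment")
    req = urllib.request.Request(apikey_url(api_root, key_id), headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


try:
    # Real base class when running under the st2 python runner.
    from st2common.runners.base_action import Action
except ImportError:  # keep the module importable outside StackStorm
    class Action(object):
        def __init__(self, config=None):
            self.config = config or {}
            self.logger = logging.getLogger(__name__)


class LookupApiKey(Action):
    """Python action: returns the owner and metadata of the given API key id."""

    def run(self, key_id, api_root=None):
        api_root = api_root or os.environ["ST2_ACTION_API_URL"]  # assumed variable
        user, metadata = summarize_apikey(fetch_apikey(api_root, key_id))
        self.logger.info("api key %s belongs to %s", key_id, user)
        return {"user": user, "metadata": metadata}
```

Note that the execution token only carries the permissions of the user who started the execution: under RBAC the request fails unless that user's role may view API keys, which is the intended behaviour and should not be worked around by baking an admin key into the pack.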
@nmaludy I can only see ST2_ACTION_AUTH_TOKEN and ST2_AUTH_TOKEN. I initiate the action with the /executions/ endpoint. I use the St2-Api-Key header for authentication.
Talking about obtaining the metadata of the API key which triggered an execution: I'm not exactly sure, but it's possible that the action was triggered with an API token rather than an API key, or vice versa. So there is no way to know at the moment from the user's perspective.
There must however be some way to look up which user initiated an execution, aka the owner (something that stands behind the key or token).
I don’t know how to make new users so I thought adding them on metadata. How can I create new users?
You can rely on .htpasswd auth, which is the default if you didn't change your auth backend in st2.conf, see: Configure Authentication.
There are other auth backends available in the StackStorm Enterprise version, like LDAP.
Then in the action meta you can use {{action_context.user}} (Actions — StackStorm 2.6.0 documentation), which will show the StackStorm user who initiated the call.
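As an added illustration of the {{action_context.user}} suggestion (this is example metadata, not a file from the thread or from any StackStorm pack; the pack, action and entry point names are invented), an action definition whose user parameter is filled in by StackStorm from the authenticated caller:

```yaml
---
# Added example, not from the thread. Names are illustrative.
name: record_caller
pack: examples
description: Records which StackStorm user requested this execution.
runner_type: python-script
entry_point: record_caller.py
enabled: true
parameters:
  user:
    type: string
    description: Authenticated StackStorm user who initiated the execution.
    default: "{{ action_context.user }}"
    # Without immutable, the caller could pass any value for "user" and
    # impersonate someone else; the default must be the only source.
    immutable: true
```

The caveat the comment points at matters for anything that uses the value for authorization or auditing: a default alone is advisory, while `immutable: true` rejects executions that try to supply the parameter themselves.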
@n_kos Eugen is right. More context: Right now, the user data model is created on first successful authentication. For the authentication backend, you can simply use a flat file backend or even LDAP. Once a user successfully logs in, a user data model is created in the DB. API keys can then be created by the user post successful login as long as the admin allows you to do this via RBAC (if you don't have RBAC, any authenticated user can create API keys). A single user can create as many API keys as needed - one for each integration.
So to answer your question simply: adding a user is the same as adding an entry in the authentication backend that allows the user to talk to StackStorm.
Thank you for your answers!
As I can see I can only create roles through yaml files statically. Is there any way that I can create permissions or roles dynamically?
You can dynamically assign roles based upon LDAP group membership. Is that the sort of dynamic assignment you’re thinking of?
If not, how are you thinking about obtaining that information to map users to roles?
I am actually thinking of dynamically on runtime allow action execution to a User so I can decide what a user can execute. Should I create a role for every Action?
Mind opening another issue, because the title of the post and the recent discussion don't match? When you open a new issue, please add more context about what you are doing. You jumped right to a solution you have in mind and are asking questions about it. Perhaps it's good for us to collectively figure out what pattern would help you.