Authenticating Idem with providers

To authenticate to different environments, Idem uses a credentials file that you create.

Credentials file format

You store credentials in a credentials.yaml file that follows this pattern:

environment_1:
    default_profile:
        key_1: value_1
        key_2: value_2
    profile_2:
        key_1: value_1
        key_2: value_2
environment_2:
    default_profile:
        key_1: value_1
        key_2: value_2
    profile_2:
        key_1: value_1
        key_2: value_2

For example:

aws:
  default:
    aws_access_key_id: xxxxxxxxxxxxxxxxx
    aws_secret_access_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    region_name: us-east-1
  test_account:
    aws_access_key_id: xxxxxxxxxxxxxxxxx
    aws_secret_access_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    region_name: us-west-1
azure:
  default:
    client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    tenant: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  demo_account:
    client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    tenant: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

The environments correspond to your installed plug-ins. See Connecting Idem to providers.

Creating and encrypting a credentials file

To create and use a credentials file, take the following steps.

  1. Create a credentials.yaml file that follows the preceding pattern.

    Be sure to include a default profile. You aren’t strictly required to name it default, but the first profile is considered the default regardless of name.

  2. Encrypt the finished credentials file. Encryption isn't strictly required, but it is the usual practice.

    idem encrypt /path/to/credentials.yaml
    

    The command creates the encrypted credentials.yaml.fernet file and outputs an alphanumeric decryption key.

  3. Save or make note of the key.

Note

If you need to restore a readable and editable credentials.yaml file, you can decrypt the fernet file.

idem decrypt /path/to/credentials.yaml.fernet

Authenticating with the credentials file

To authenticate, Idem needs the location of the encrypted fernet file and the key.

To make them silently available, you can add the file location and key as ACCT_FILE and ACCT_KEY environment variables for your session:

Linux:

export ACCT_FILE=/path/to/credentials.yaml.fernet
export ACCT_KEY=alphanumeric_key

Windows PowerShell:

$env:ACCT_FILE = "drive:\path\to\credentials.yaml.fernet"
$env:ACCT_KEY = "alphanumeric_key"

Alternatively, you can add them as permanent environment variables in your login profile.

If you don’t want to store the file location or key, you can separately add --acct-file and --acct-key arguments to your Idem command:

idem describe azure.compute.virtual_machines --acct-file /path/to/credentials.yaml.fernet --acct-key alphanumeric_key
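
A pre-flight check for the ACCT_FILE and ACCT_KEY environment-variable setup described above, as an added example that is not part of Idem or its documentation. The function name acct_preflight is hypothetical, and the check assumes the encrypted file keeps the plaintext file's name plus .fernet, as in the credentials.yaml.fernet example on this page.

```shell
#!/bin/sh
# Added example (not Idem's own tooling). acct_preflight is a hypothetical helper.

# Print the group+other permission characters of a file, e.g. "r--r--" or "------".
_go_perms() {
    # ls -ld prints the mode string first ("-rw-r--r--"); characters 5-10 are group+other.
    ls -ld -- "$1" | cut -c5-10
}

# Returns 0 when the session setup looks sane, otherwise the number of findings.
acct_preflight() {
    findings=0

    if [ -z "${ACCT_KEY:-}" ]; then
        echo "ACCT_KEY is not set" >&2
        findings=$((findings + 1))
    fi

    if [ -z "${ACCT_FILE:-}" ] || [ ! -f "$ACCT_FILE" ]; then
        echo "ACCT_FILE is not set or does not point to a file" >&2
        return $((findings + 1))
    fi

    # The encrypted file should be accessible to its owner only.
    if [ "$(_go_perms "$ACCT_FILE")" != "------" ]; then
        echo "$ACCT_FILE is accessible to group or other; consider chmod 600" >&2
        findings=$((findings + 1))
    fi

    # Assumption: the encrypted file is named <plaintext>.fernet. Flag a readable
    # plaintext copy that is still sitting beside it.
    case "$ACCT_FILE" in
        *.fernet)
            plaintext=${ACCT_FILE%.fernet}
            if [ -e "$plaintext" ]; then
                echo "plaintext $plaintext still exists beside the encrypted file" >&2
                findings=$((findings + 1))
            fi
            ;;
    esac

    return "$findings"
}

# Usage: acct_preflight && idem describe azure.compute.virtual_machines
```
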

Authenticating as a different login profile

When authenticating, the default profile is used unless you specify a different one with the --acct-profile argument:

idem describe azure.compute.virtual_machines --acct-profile demo_account

The preceding command uses the demo_account profile to authenticate every state in the state file. To authenticate as different profiles within one state file, use acct_profile inside the state file:

my-state-1:
  aws.ec2.instance.present:
     . . .
    - acct_profile: demo_account_1

my-state-2:
  aws.ec2.instance.present:
     . . .
    - acct_profile: demo_account_2

Your credentials.yaml file must include the non-default profiles that you specify.