{"id":13507978,"url":"https://github.com/iits-consulting/otc-auth","last_synced_at":"2025-07-26T10:07:22.735Z","repository":{"id":63360074,"uuid":"567240808","full_name":"iits-consulting/otc-auth","owner":"iits-consulting","description":"Open Source CLI for the Open Telekom Cloud written in go.","archived":false,"fork":false,"pushed_at":"2024-12-12T00:19:30.000Z","size":44482,"stargazers_count":45,"open_issues_count":7,"forks_count":5,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-12-12T01:22:14.616Z","etag":null,"topics":["cli","otc"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iits-consulting.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-17T11:26:07.000Z","updated_at":"2024-12-11T10:34:58.000Z","dependencies_parsed_at":"2024-04-19T13:43:04.404Z","dependency_job_id":"13c35d7d-7270-46ba-b992-32a0b73190ae","html_url":"https://github.com/iits-consulting/otc-auth","commit_stats":null,"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iits-consulting%2Fotc-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iits-consulting%2Fotc-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iits-consulting%2Fotc-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iits-consulting%2Fotc-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/owners/iits-consulting","download_url":"https://codeload.github.com/iits-consulting/otc-auth/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230561013,"owners_count":18245324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","otc"],"created_at":"2024-08-01T02:00:44.868Z","updated_at":"2025-07-26T10:07:22.710Z","avatar_url":"https://github.com/iits-consulting.png","language":"Go","funding_links":[],"categories":["Projects"],"sub_categories":["Identity access management (IAM)"],"readme":"# OTC-Auth\n\nOpen source CLI for authenticating with the Open Telekom Cloud.\n\n[![License: GPLv3](https://img.shields.io/badge/GitHub-GPL--3.0-informational)](https://github.com/iits-consulting/otc-auth/blob/main/LICENSE)\n![Build](https://github.com/iits-consulting/otc-auth/workflows/Build/badge.svg)\n[![Go Report Card](https://goreportcard.com/badge/github.com/iits-consulting/otc-auth)](https://goreportcard.com/report/github.com/iits-consulting/otc-auth)\n![CodeQL](https://github.com/iits-consulting/otc-auth/workflows/CodeQL/badge.svg)\n![ViewCount](https://views.whatilearened.today/views/github/iits-consulting/otc-auth.svg)\n\nWith this CLI you can log in to the OTC through its Identity and Access Management (IAM) service or through an external Identity\nProvider (IdP) in order to get an unscoped token. The allowed protocols for IdP login are SAML and OIDC. 
When logging in\ndirectly with Telekom's IAM it is also possible to use Multi-Factor Authentication (MFA) in the process.\n\nAfter you have retrieved an unscoped token, you can use it to get a list of the clusters in a project from the Cloud\nContainer Engine (CCE) and also get the remote kube config file and merge it with your local file.\n\nThis tool can also create a permanent or temporary Access Key/Secret Key (AK/SK) pair for signing API requests.\n\n## Table of contents\n\n* [Demo](#demo)\n* [Install](#install)\n    * [Linux/BSD/Unix](#linuxbsdunix)\n    * [MacOS](#macos)\n    * [Windows/Other](#windowsother)\n* Usage\n    * [Login](#login)\n        * [Service Provider Login (IAM)](#service-provider-login-iam)\n        * [Identity Provider Login (IdP)](#identity-provider-login-idp)\n            * [External IdP and SAML](#external-idp-and-saml)\n            * [External IdP and OIDC](#external-idp-and-oidc)\n            * [Service Account via external IdP and OIDC](#service-account-via-external-idp-and-oidc)\n        * [OIDC Scopes](#oidc-scopes)\n        * [Remove Login](#remove-login)\n    * [List Projects](#list-projects)\n    * [Cloud Container Engine](#cloud-container-engine)\n    * [Manage Access Key and Secret Key Pair](#manage-access-key-and-secret-key-pair)\n    * [Openstack Integration](#openstack-integration)\n    * [Environment Variables](#environment-variables)\n    * [Auto-Completions](#auto-completions)\n    * [Debugging](#debugging)\n\n## Demo\n\nhttps://user-images.githubusercontent.com/19291722/208880256-b0da924e-254e-4bc4-b9ee-396c43234a5b.mp4\n\n## Install\n\n### Linux/BSD/Unix\n\nWe have package repositories set up\nfor [Arch](https://aur.archlinux.org/packages/otc-auth), [Debian](https://github.com/iits-consulting/ppa), [Fedora](https://github.com/iits-consulting/rpm-repo)\nand [⚠️Alpine](https://github.com/iits-consulting/apk-repo).\n\nAlternatively, you can download and use the binaries from our [releases 
page](https://github.com/iits-consulting/otc-auth/releases). Remember to add it to your PATH! Replace {OTC_AUTH_VERSION} and {YOUR_PLATFORM} in the example below with the version you want to download and the platform you want to download it for.\n```shell\ncurl -OL https://github.com/iits-consulting/otc-auth/releases/download/{OTC_AUTH_VERSION}/otc-auth_{YOUR_PLATFORM}.tar.gz\ntar -xf otc-auth_{YOUR_PLATFORM}.tar.gz\nsudo mv otc-auth /usr/local/bin/otc-auth\n```\n\n### MacOS\n\nWe recommend using our [brew](https://brew.sh) tap to install otc-auth.\n\n```shell\nbrew tap iits-consulting/homebrew-tap\nbrew install otc-auth\n```\n\nIf you don't want to use brew, feel free to download the binary for your system from the [releases page](https://github.com/iits-consulting/otc-auth/releases). Remember to add it to your PATH!\n\n### Windows/Other\n\nDownload the binary for your system from the [releases page](https://github.com/iits-consulting/otc-auth/releases).\nUnpack the binary, add it to your PATH and you are good to go!\n\n## Login\n\nUse the `login` command to retrieve an unscoped token either by logging in directly with the Service Provider or through\nan IdP. You can see the help page by entering `login --help` or `login -h`. 
There are three login\noptions (`iam`, `idp-saml`, and `idp-oidc`) and one of them must be provided.\n\n### Service Provider Login (IAM)\n\nTo log in directly with the Open Telekom Cloud's IAM, you will have to supply the domain name you're attempting to log\nin to (usually starting with \"OTC-EU\", followed by the region and a longer identifier), your username and password.\n\n```bash\notc-auth login iam --os-username \u003cusername\u003e --os-password \u003cpassword\u003e --os-domain-name \u003cdomain_name\u003e --region \u003cregion\u003e\n```\n\nNote that a password passed as `--os-password` ends up in your shell history and is visible to other users in the\nprocess list. Prefer setting the `OS_PASSWORD` environment variable instead (see\n[Environment Variables](#environment-variables)).\n\nAdditionally, it is possible to use MFA if needed. In this case, both\narguments `--os-user-domain-id` and `--totp` are required (with `--os-user-domain-id` replacing `--os-username`).\nThe user id can be obtained in the \"My Credentials\" page on the OTC.\n\n```bash\notc-auth login iam --os-password \u003cpassword\u003e --os-domain-name \u003cdomain_name\u003e --os-user-domain-id \u003cuser_domain_id\u003e --totp \u003c6_digit_token\u003e --region \u003cregion\u003e\n```\n\nThe TOTP code is six digits long and rotates every 30 seconds. For more information on MFA please refer to\nthe [OTC's documentation](https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_10_0002.html).\n\n### Identity Provider Login (IdP)\n\nYou can log in with an external IdP using either the SAML or the OIDC protocol. In both cases you will need to\nspecify the authorization URL and the name of the Identity Provider (as set on the OTC), as well as username and password\nfor the SAML login or the client id (and optionally the client secret) for the OIDC login flow.\n\n#### External IdP and SAML\n\nThe SAML login flow is SP initiated and requires you to send username and password to the SP. 
The SP then authenticates you\nagainst the configured IdP and returns either an unscoped token or an error, if the user is not allowed to log in.\n\n```bash\notc-auth login idp-saml --os-username \u003cusername\u003e --os-password \u003cpassword\u003e --idp-name \u003cidp_name\u003e --idp-url \u003cauthorization_url\u003e --os-domain-name \u003cos_domain_name\u003e --region \u003cregion\u003e\n```\n\nAt the moment, no MFA is supported for this login flow.\n\n#### External IdP and OIDC\n\nThe OIDC login flow is user initiated and will open a browser window with the IdP's authorization URL for the user to\nlog in as desired. This flow supports MFA, provided it is configured on the IdP. After being successfully\nauthenticated with the IdP, the SP will be contacted with the corresponding credentials and will return either an\nunscoped token or an error, if the user is not allowed to log in.\n\n```bash\notc-auth login idp-oidc --idp-name \u003cidp_name\u003e --idp-url \u003cauthorization_url\u003e --client-id \u003cclient_id\u003e --os-domain-name \u003cos_domain_name\u003e --region \u003cregion\u003e [--client-secret \u003cclient_secret\u003e]\n```\n\nThe argument `--client-id` is required, but the argument `--client-secret` is only needed if configured on the IdP. As\nwith passwords, prefer passing the secret through the `CLIENT_SECRET` environment variable rather than on the command line.\n\n#### Service Account via external IdP and OIDC\n\nIf you have set up your IdP to provide service accounts, you can use a service account with `otc-auth` too. Also make\nsure that the IdP is correctly configured in OTC Identity and Access Management. Then run `otc-auth` as\nfollows (`--idp-name` is the name of the IdP as configured in OTC IAM and `--client-id` is the client as configured in\nthe IdP, matching the [Environment Variables](#environment-variables) table):\n\n```bash\notc-auth login idp-oidc \\\n    --idp-name NameOfIdpInOtcIam \\\n    --idp-url IdpAuthUrl \\\n    --os-domain-name YourDomainName \\\n    --region YourRegion \\\n    --client-id NameOfClientInIdp \\\n    --client-secret ClientSecretForTheClientInIdp \\\n    --service-account\n```\n\n### OIDC Scopes\n\nThe OIDC scopes can be configured if required. 
To do so, provide one of the following when logging in\nwith `idp-oidc`:\n\n- the flag `--oidc-scopes pleasePut,HereAll,YourScopes,WhichYouNeed`\n- the environment variable `export OIDC_SCOPES=\"pleasePut,HereAll,YourScopes,WhichYouNeed\"`\n\nThe default value is `openid,profile,roles,name,groups,email`.\n\n### Remove Login\n\nClouds are identified by their `--os-domain-name`. To delete a cloud, use the `login remove` command.\n\n```bash\notc-auth login remove --os-domain-name \u003cos_domain_name\u003e --region \u003cregion\u003e\n```\n\n## List Projects\n\nIt is possible to get a list of all projects in the current cloud. For that, use the following command.\n\n```bash\notc-auth projects list\n```\n\n## Cloud Container Engine\n\nUse the `cce` command to retrieve a list of available clusters in your project and/or get the remote kube configuration\nfile. You can see the help page by entering `cce --help` or `cce -h`.\n\nTo retrieve a list of clusters for a project use the following command. The project name will be checked against the\nones in the cloud at the moment of the request.\nIf the desired project isn't found, you will receive an error message.\n\n```bash\notc-auth cce list --os-domain-name \u003cos_domain_name\u003e --region \u003cregion\u003e --os-project-name \u003cproject_name\u003e\n```\n\nTo retrieve the remote kube configuration file (and merge it into your local one) use the following command:\n\n```bash\notc-auth cce get-kube-config --os-domain-name \u003cos_domain_name\u003e --region \u003cregion\u003e --os-project-name \u003cproject_name\u003e --cluster \u003ccluster_name\u003e\n```\n\nYou can also pass the `--days-valid` argument to set how many days the generated configuration stays valid, with the\ndefault being 7 days. 
The `-s` or `--server` argument can also be used to override the *server* attribute in the\ngenerated config.\n\n## Manage Access Key and Secret Key Pair\n\nYou can use the OTC-Auth tool to create permanent AK/SK pairs directly on the OTC. A file called \"ak-sk-env.sh\" will\nbe created in the current directory. The file contains four environment variables.\n\n```bash\notc-auth access-token create --os-domain-name \u003cos_domain_name\u003e\n```\n\nA permanent AK/SK does not expire, so treat \"ak-sk-env.sh\" like a password file: keep it out of version control,\nrestrict its file permissions, and delete it once you no longer need it.\n\nIf a temporary AK/SK pair is needed instead, use the following command:\n\n```bash\notc-auth temp-access-token create --os-domain-name \u003cos_domain_name\u003e -t \u003clifetime in seconds\u003e\n```\n\nThis will generate a temporary AK/SK pair (valid for 15 minutes by default, if the `-t` argument is not given), saved to\n\"ak-sk-env.sh\".\nThe file will contain five environment variables.\n\nThe \"ak-sk-env.sh\" file must then be `source`d before you can start using the environment variables.\n\n## Openstack Integration\n\nThe OTC-Auth tool can generate the clouds.yaml config file for OpenStack, which you can then reuse with Terraform.\n\nIf you execute this command\n\n```bash\notc-auth openstack config-create\n```\n\nit will create a cloud config entry for every project you have access to, generating a scoped token for each, and then\noverwrite the clouds.yaml file (by default `~/.config/openstack/clouds.yaml`). Back up an existing clouds.yaml first if\nyou still need it, and keep the generated file's permissions restrictive, since it holds the scoped tokens.\n\n## Environment Variables\n\nThe OTC-Auth tool also provides environment variables for all the required arguments. 
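Because every required argument has an environment variable, no secret has to appear on the command line. The script below is an added example, not part of otc-auth: it performs the IAM login with MFA from the Login section, taking the password from `OS_PASSWORD` (prompting if it is unset), computing the six-digit, 30-second code for `--totp` from a base32 TOTP secret (RFC 6238, the same algorithm authenticator apps use), and then running `otc-auth login iam` with only the short-lived code as an argument. `OTC_TOTP_SECRET` is an assumed variable name for this example; `OS_PASSWORD`, `OS_DOMAIN_NAME`, `REGION` and `OS_USER_DOMAIN_ID` are the otc-auth variables from the table in this section.

```python
"""Added example: otc-auth IAM login with MFA, secrets supplied via the environment only.

Not part of otc-auth. OTC_TOTP_SECRET is an assumed name used by this script;
OS_PASSWORD, OS_DOMAIN_NAME, REGION and OS_USER_DOMAIN_ID are otc-auth's own variables.
"""
import base64
import getpass
import hashlib
import hmac
import os
import struct
import subprocess
import sys
import time
from typing import Dict, List, Optional

# Variables otc-auth reads for an MFA login; the TOTP has no variable and is passed as --totp.
MFA_LOGIN_VARS = ("OS_DOMAIN_NAME", "REGION", "OS_USER_DOMAIN_ID", "OS_PASSWORD")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). 6 digits / 30 s is what the OTC expects."""
    cleaned = secret_b32.replace(" ", "").upper()
    secret = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # restore any stripped padding
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def seconds_left(at: Optional[int] = None, step: int = 30) -> int:
    """Seconds before the current code rotates."""
    now = int(time.time()) if at is None else at
    return step - now % step


def missing_vars(env: Dict[str, str]) -> List[str]:
    """Required otc-auth variables that are unset or empty."""
    return [name for name in MFA_LOGIN_VARS if not env.get(name)]


def mfa_login_argv(code: str) -> List[str]:
    """Only the short-lived code is an argument; everything secret stays in the environment."""
    return ["otc-auth", "login", "iam", "--totp", code]


def main() -> int:
    env = dict(os.environ)
    if not env.get("OS_PASSWORD"):
        env["OS_PASSWORD"] = getpass.getpass("OS_PASSWORD: ")  # not echoed, not in shell history
    # Remove the TOTP secret from the child environment; otc-auth only needs the derived code.
    secret = env.pop("OTC_TOTP_SECRET", "") or getpass.getpass("TOTP secret (base32): ")
    missing = missing_vars(env)
    if missing:
        print("missing environment variables: " + ", ".join(missing), file=sys.stderr)
        return 2
    if seconds_left() < 5:  # do not submit a code that is about to expire
        time.sleep(seconds_left())
    return subprocess.run(mfa_login_argv(totp(secret)), env=env, check=False).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `OS_DOMAIN_NAME`, `REGION` and `OS_USER_DOMAIN_ID` exported and the TOTP secret in `OTC_TOTP_SECRET` (or enter both secrets at the prompts). The secret is removed from the child process environment before otc-auth starts, so only the derived code leaves the script. `totp()` reproduces the RFC 6238 test vectors: the secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` at Unix time 59 yields `287082`.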
For compatibility, the variables that OpenStack also uses carry the OpenStack names (prefix `OS_`).\n\n| Environment Variable  | Argument                  | Short | Description                                                                                   |\n|-----------------------|---------------------------|:-----:|-----------------------------------------------------------------------------------------------|\n| CLIENT_ID             | `--client-id`             |  `c`  | Client id as configured on the IdP                                                            |\n| CLIENT_SECRET         | `--client-secret`         |  `s`  | Client secret as configured on the IdP                                                        |\n| CLUSTER_NAME          | `--cluster`               |  `c`  | Cluster name on the OTC                                                                       |\n| OS_DOMAIN_NAME        | `--os-domain-name`        |  `d`  | Domain name of the OTC tenant                                                                 |\n| REGION                | `--region`                |  `r`  | Region code for the cloud (eu-de for example)                                                 |\n| OS_PASSWORD           | `--os-password`           |  `p`  | Password (iam or idp)                                                                         |\n| OS_PROJECT_NAME       | `--os-project-name`       |  `p`  | Project name on the OTC                                                                       |\n| OS_USER_DOMAIN_ID     | `--os-user-domain-id`     |  `i`  | User id from the OTC tenant                                                                   |\n| OS_USERNAME           | `--os-username`           |  `u`  | Username (iam or idp)                                                                         |\n| IDP_NAME              | `--idp-name`              |  `i`  | Identity Provider name (as configured on OTC)                                                 |\n| IDP_URL               | `--idp-url`               |  N/A  | Authorization endpoint on the IdP                                                             |\n| SKIP_TLS_VERIFICATION | `--skip-tls-verification` |  N/A  | Disables TLS certificate verification (debugging only; it exposes the login to MITM attacks)  |\n\n## Auto-Completions\n\nShell completions are installed with the `completion` subcommand. Follow the instructions shown by\nrunning `otc-auth completion --help` in your terminal.\n\n## Debugging\n\nIs something not working the way you've expected? 
otc-auth uses [glog](https://pkg.go.dev/github.com/golang/glog) for logging, with all info output at log level 1.\nIn the following example, the logs from the OIDC login command are saved to the current directory:\n\n```bash\notc-auth login idp-oidc -v 1 --log_dir .\n```\n\nWe could also just print the logs to stderr instead of writing them to a file:\n\n```bash\notc-auth login idp-oidc -v 1 --logtostderr=true\n```\n\nThe more advanced logging features (like logging to both a file and stderr, emitting a stack trace at a specific line, buffering log messages and more)\nare described in the [glog documentation](https://pkg.go.dev/github.com/golang/glog#pkg-overview).\n\nNeed a stack trace? `-v 2` and higher will also print a stack trace when something breaks.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiits-consulting%2Fotc-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiits-consulting%2Fotc-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiits-consulting%2Fotc-auth/lists"}