Simplified token management in FedCloud client by using Mytoken
It is a little late, but I would like to announce support for the Mytoken service, which simplifies token management in the FedCloud client and was added in versions 1.3.x.
In short, users can:
* Go to the Mytoken server at https://mytoken.data.kit.edu/ and create a mytoken,
* Set the FEDCLOUD_MYTOKEN environment variable to the newly created mytoken,
* Use the FedCloud client as usual without having to care about token expiration.
Using the Mytoken service greatly simplifies token management and increases the security of the FedCloud client. No additional installation (of oidc-agent) is needed, and users can set many restrictions on mytokens (expiration time, IP range, countries) to improve security.
As a part of supporting Mytoken, there are some related changes:
* A new command “fedcloud token issue” was added for issuing access tokens (from the Mytoken service or oidc-agent) for external tools/services (e.g. Terraform, rclone, …). That will remove the need to install the Mytoken client on the VM.
* Support for refresh tokens is deprecated in favor of Mytoken. Using refresh tokens in a Cloud environment was considered insecure, and its deprecation has been warned about for a long time.
Merry Christmas and Happy New Year.