Tokens for OVH v1
What is in this article
Before finding the source of the issues with Terraform on OVH, a possible source of the dysfunction was thought to be with expired tokens. As such a couple of cross-platform token generation scripts using the Python bindings for the OVH API were tried.
The scripts described on this page are available in a Git repo @ https://github.com/danielfdickinson/ivc-in-the-wtg-experiments
OVH API Token Issues?
The first steps were taken following the OVH Python library README, and consisted of scripts to generate a token to access the
/me OVH API entrypoint and listing existing tokens.
Of course the first step was to create an ‘Application Key’ and ‘Application Secret’, as outlined in that README as well as ‘First Steps with OVH API’.
Then it was necessary to create an
ovh.conf file, which was kept in the same directory as the scripts:
[default] ; general configuration: default endpoint endpoint=ovh-ca [ovh-ca] ; configuration specific to 'ovh-ca' endpoint application_key=XXXXXXXXXXXXXXXX application_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ; uncomment following line when writing a script application ; with a single consumer key. ;consumer_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Getting a Targetted Consumer Key for the OVH API
The script below was used to get a limited ‘consumer key’ for the OVH API (it only had access to the /me subtree of the OVH API).
# -*- encoding: utf-8 -*- import ovh # create a client using configuration client = ovh.Client() # Request RO, /me API access ck = client.new_consumer_key_request() ck.add_rules(ovh.API_READ_ONLY, "/me/*") ck.add_rules(ovh.API_READ_ONLY, "/me") # Request token validation = ck.request() print("Please visit %s to authenticate" % validation['validationUrl']) input("and press Enter to continue...") # Print nice welcome message print("Welcome", client.get('/me')['firstname']) print("Btw, your 'consumerKey' is '%s'" % validation['consumerKey'])
Managing Authorized Credentials
Then the Python script to list applications authorized to access your account from the OVH API Python Bindings Github Repo was used, after adding the consumer key generated using the
get-me-consumer-key.py script to the
ovh.conf and installing the prerequisite module (
It was noticed a large number of expired but still present tokens existed so the following script was created to revoke all authorizations. It worked quite well.
# -*- encoding: utf-8 -*- import ovh # create a client client = ovh.Client() credentials = client.get('/me/api/credential', status='validated') for credential_id in credentials: client.delete('/me/api/credential/'+str(credential_id))
Generating Credentials for Managing DNS and Reverse DNS
Finally a consumer key was generated to allow managing DNS (domain) and reverse DNS (ip) records.
# -*- encoding: utf-8 -*- import ovh # create a client using configuration client = ovh.Client() ck = client.new_consumer_key_request() ck.add_recursive_rules(ovh.API_READ_WRITE, "/domain") ck.add_recursive_rules(ovh.API_READ_WRITE, "/ip") # Request token validation = ck.request() print("Please visit %s to authenticate" % validation['validationUrl']) input("and press Enter to continue...") # Print nice welcome message print("Btw, your 'consumerKey' is '%s'" % validation['consumerKey'])
That Was Not the Problem
While what was learned from this exercise may be useful in the future, it didn’t resolve the issues with Terraform, which had nothing to do with tokens.