Preface

Before the real source of some issues with Terraform on OVH was found, expired tokens were suspected as a possible cause. As such, a couple of cross-platform token generation scripts using the Python bindings for the OVH API were tried.

The scripts described on this page are available in a Git repo at https://github.com/wildtechgarden/ivc-in-the-wtg-experiments

OVH API Token Issues?

The first steps followed the OVH Python library README, and consisted of scripts to generate a token for accessing the /me OVH API entrypoint and to list existing tokens.

Prerequisites

Of course, the first step was to create an ‘Application Key’ and ‘Application Secret’, as outlined in that README as well as ‘First Steps with OVH API’.

Then it was necessary to create an ovh.conf file, which was kept in the same directory as the scripts. Because this file holds the application secret (and later the consumer key), it belongs outside version control:

ovh.conf

[default]
; general configuration: default endpoint
endpoint=ovh-ca

[ovh-ca]
; configuration specific to 'ovh-ca' endpoint
application_key=XXXXXXXXXXXXXXXX
application_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
; uncomment following line when writing a script application
; with a single consumer key.
;consumer_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Getting a Targeted Consumer Key for the OVH API

The script below was used to get a limited ‘consumer key’ for the OVH API (it only had access to the /me subtree of the OVH API).

get-me-consumer-key.py

# -*- encoding: utf-8 -*-

import ovh

# create a client using configuration
client = ovh.Client()

# Request RO, /me API access
ck = client.new_consumer_key_request()
ck.add_rules(ovh.API_READ_ONLY, "/me/*")
ck.add_rules(ovh.API_READ_ONLY, "/me")

# Request token
validation = ck.request()

print("Please visit %s to authenticate" % validation['validationUrl'])
input("and press Enter to continue...")

# Print nice welcome message
print("Welcome", client.get('/me')['firstname'])
print("Btw, your 'consumerKey' is '%s'" % validation['consumerKey'])

Managing Authorized Credentials

Next, the Python script to list applications authorized to access your account, taken from the OVH API Python Bindings GitHub repo, was used. This required first adding the consumer key generated by the get-me-consumer-key.py script to ovh.conf and installing the prerequisite module (tabulate) via pip.

A large number of expired but still present tokens turned out to exist, so the following script was created to revoke all authorizations. It worked quite well.

revoke-ovh-application-credentials.py

# -*- encoding: utf-8 -*-

import ovh

# create a client
client = ovh.Client()

# List the ids of every credential in the 'validated' state...
credentials = client.get('/me/api/credential', status='validated')
# ...and revoke each one
for credential_id in credentials:
    client.delete('/me/api/credential/' + str(credential_id))
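
A more selective variant of the cleanup above, as an added example that is not from the original post or its repo: it revokes only credentials that have expired, skips the credential the script itself is running under, and defaults to a dry run. It assumes the OVH API's GET /auth/currentCredential call and the expiration field (ISO 8601 with a UTC offset) of /me/api/credential/{id}; FakeClient and its sample ids are constructed so the block runs offline, and a real ovh.Client() can be passed in its place.

```python
from datetime import datetime, timezone


def stale_credentials(client, now):
    """Ids of expired credentials, excluding the credential making the calls."""
    current = client.get('/auth/currentCredential')['credentialId']
    stale = []
    for status in ('expired', 'validated'):
        for cid in client.get('/me/api/credential', status=status):
            if cid == current:
                continue  # revoking our own key would make later calls fail
            expiration = client.get('/me/api/credential/%d' % cid).get('expiration')
            past = bool(expiration) and datetime.fromisoformat(expiration) <= now
            if status == 'expired' or past:
                stale.append(cid)
    return sorted(stale)


def revoke(client, ids, dry_run=True):
    """Delete the given credentials; with dry_run only report them."""
    for cid in ids:
        print('would revoke' if dry_run else 'revoking', cid)
        if not dry_run:
            client.delete('/me/api/credential/%d' % cid)
    return [] if dry_run else list(ids)


class FakeClient:
    """Constructed stand-in for ovh.Client so the example runs offline."""
    def __init__(self):
        self.current = 103
        self.creds = {  # constructed sample data, not real credential ids
            101: {'status': 'validated', 'expiration': '2030-01-01T00:00:00+00:00'},
            102: {'status': 'expired', 'expiration': '2020-01-01T00:00:00+00:00'},
            103: {'status': 'validated', 'expiration': None},
            104: {'status': 'validated', 'expiration': '2021-06-01T00:00:00+00:00'},
        }

    def get(self, path, **params):
        if path == '/auth/currentCredential':
            return {'credentialId': self.current}
        if path == '/me/api/credential':
            return [c for c, v in self.creds.items() if v['status'] == params['status']]
        return self.creds[int(path.rsplit('/', 1)[1])]

    def delete(self, path):
        del self.creds[int(path.rsplit('/', 1)[1])]


if __name__ == '__main__':
    fake = FakeClient()
    revoke(fake, stale_credentials(fake, datetime.now(timezone.utc)))
```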

Generating Credentials for Managing DNS and Reverse DNS

Finally, a consumer key was generated to allow managing DNS (domain) and reverse DNS (ip) records.

get-domain-ip-consumer-key.py

# -*- encoding: utf-8 -*-

import ovh

# create a client using configuration
client = ovh.Client()

# Request RW access to the /domain and /ip subtrees
ck = client.new_consumer_key_request()
ck.add_recursive_rules(ovh.API_READ_WRITE, "/domain")
ck.add_recursive_rules(ovh.API_READ_WRITE, "/ip")

# Request token
validation = ck.request()

print("Please visit %s to authenticate" % validation['validationUrl'])
input("and press Enter to continue...")

# Print the new consumer key
print("Btw, your 'consumerKey' is '%s'" % validation['consumerKey'])

That Was Not the Problem

While what was learned from this exercise may be useful in the future, it didn’t resolve the issues with Terraform, which had nothing to do with tokens.