From db8fb5ceda34e2828391180fdf86d68ec5474797 Mon Sep 17 00:00:00 2001
From: Anders Swanson
Date: Tue, 31 Oct 2023 15:04:40 -0700
Subject: [PATCH] oracleobjectstorage: supports workload identity authentication for OKE

Signed-off-by: Anders Swanson
---
 backend/oracleobjectstorage/client.go | 2 ++
 backend/oracleobjectstorage/options.go | 6 ++++++
 docs/content/oracleobjectstorage.md | 21 +++++++++++++++++----
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/backend/oracleobjectstorage/client.go b/backend/oracleobjectstorage/client.go
index cd28ef66a..ae2e8635c 100644
--- a/backend/oracleobjectstorage/client.go
+++ b/backend/oracleobjectstorage/client.go
@@ -52,6 +52,8 @@ func getConfigurationProvider(opt *Options) (common.ConfigurationProvider, error
 	case noAuth:
 		fs.Infof("client", "using no auth provider")
 		return getNoAuthConfiguration()
+	case workloadIdentity:
+		return auth.OkeWorkloadIdentityConfigurationProvider()
 	default:
 	}
 	return common.DefaultConfigProvider(), nil
diff --git a/backend/oracleobjectstorage/options.go b/backend/oracleobjectstorage/options.go
index 3eeb6899e..3fb1e4b6c 100644
--- a/backend/oracleobjectstorage/options.go
+++ b/backend/oracleobjectstorage/options.go
@@ -26,6 +26,7 @@ const (
 	userPrincipal = "user_principal_auth"
 	instancePrincipal = "instance_principal_auth"
 	resourcePrincipal = "resource_principal_auth"
+	workloadIdentity = "workload_identity_auth"
 	environmentAuth = "env_auth"
 	noAuth = "no_auth"
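Review bot: The new `case workloadIdentity:` in getConfigurationProvider returns the SDK provider without the `fs.Infof("client", ...)` line the neighbouring `noAuth` case emits, so a deployment that lands on this path leaves no log line saying which auth mechanism was selected, and any error from `auth.OkeWorkloadIdentityConfigurationProvider()` is returned without context. The docs hunk in this same patch states that `OCI_RESOURCE_PRINCIPAL_VERSION` and `OCI_RESOURCE_PRINCIPAL_REGION` must be set in the process environment, so an unwrapped SDK error is likely the first thing an operator sees when one of them is missing; wrapping it with the provider name makes that actionable. getConfigurationProvider starts and ends outside the hunk, so whether the file imports `fmt` and how the other cases report errors is not visible here — drop the wrapping if the file keeps errors unwrapped elsewhere, but keep the log line for consistency.
```go
	case workloadIdentity:
		fs.Infof("client", "using workload identity auth provider")
		provider, err := auth.OkeWorkloadIdentityConfigurationProvider()
		if err != nil {
			return nil, fmt.Errorf("workload identity auth: %w", err)
		}
		return provider, nil
	// … unchanged: default case and fallthrough to common.DefaultConfigProvider() …
```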
@@ -37,6 +38,8 @@ https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm`
 each instance has its own identity, and authenticates using the certificates that are read from instance metadata.
 https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm`
+	workloadIdentityHelpText = `use workload identity to grant OCI Container Engine for Kubernetes workloads policy-driven access to OCI resources using OCI Identity and Access Management (IAM).
+https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm`
 	resourcePrincipalHelpText = `use resource principals to make API calls`
 	environmentAuthHelpText = `automatically pickup the credentials from runtime(env), first one to provide auth wins`
@@ -87,6 +90,9 @@ func newOptions() []fs.Option {
 		}, {
 			Value: instancePrincipal,
 			Help: instancePrincipalHelpText,
+		}, {
+			Value: workloadIdentity,
+			Help: workloadIdentityHelpText,
 		}, {
 			Value: resourcePrincipal,
 			Help: resourcePrincipalHelpText,
diff --git a/docs/content/oracleobjectstorage.md b/docs/content/oracleobjectstorage.md
index 8ac76dc27..5e91b8099 100644
--- a/docs/content/oracleobjectstorage.md
+++ b/docs/content/oracleobjectstorage.md
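Review bot: `workloadIdentityHelpText` does not mention the two environment variables the docs hunk in this same patch says the provider needs (`OCI_RESOURCE_PRINCIPAL_VERSION=2.2` and `OCI_RESOURCE_PRINCIPAL_REGION`), yet this string is what `rclone config` shows interactively, where the markdown page is not in view. Appending a sentence such as `Requires OCI_RESOURCE_PRINCIPAL_VERSION and OCI_RESOURCE_PRINCIPAL_REGION to be set in the environment.` before the URL line would keep the two sources consistent. The config transcript added to the docs also shows different wording for this option ("grant Kubernetes pods policy-driven access to Oracle Cloud Infrastructure (OCI) resources") than the constant here ("grant OCI Container Engine for Kubernetes workloads policy-driven access to OCI resources"), which suggests the transcript was not regenerated from the code; one of the two should be updated to match. The `const (` block and newOptions both start and end outside these hunks.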
@@ -59,13 +59,17 @@ Press Enter for the default (env_auth).
   2 | you’ll need to put in a config file your tenancy OCID, user OCID, region, the path, fingerprint to an API key.
     | https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm
     \ (user_principal_auth)
-    / use instance principals to authorize an instance to make API calls.
-  3 | each instance has its own identity, and authenticates using the certificates that are read from instance metadata.
+    / use instance principals to authorize an instance to make API calls.
+  3 | each instance has its own identity, and authenticates using the certificates that are read from instance metadata.
     | https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm
     \ (instance_principal_auth)
-  4 / use resource principals to make API calls
+    / use workload identity to grant Kubernetes pods policy-driven access to Oracle Cloud
+  4 | Infrastructure (OCI) resources using OCI Identity and Access Management (IAM).
+    | https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm
+    \ (workload_identity_auth)
+  5 / use resource principals to make API calls
     \ (resource_principal_auth)
-  5 / no credentials needed, this is typically for reading public buckets
+  6 / no credentials needed, this is typically for reading public buckets
     \ (no_auth)
 provider> 2
@@ -151,6 +155,7 @@ Rclone supports the following OCI authentication provider.
     User Principal
     Instance Principal
     Resource Principal
+    Workload Identity
     No authentication
 ### User Principal
@@ -224,6 +229,14 @@ Sample rclone configuration file for Authentication Provider Resource Principal:
     region = us-ashburn-1
     provider = resource_principal_auth
+### Workload Identity
+Workload Identity auth may be used when running Rclone from Kubernetes pod on a Container Engine for Kubernetes (OKE) cluster.
+For more details on configuring Workload Identity, see [Granting Workloads Access to OCI Resources](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm).
+To use workload identity, ensure Rclone is started with these environment variables set in its process.
+
+    export OCI_RESOURCE_PRINCIPAL_VERSION=2.2
+    export OCI_RESOURCE_PRINCIPAL_REGION=us-ashburn-1
+
 ### No authentication
 Public buckets do not require any authentication mechanism to read objects.