provider: added workload identity federation auth support

mcoulombe · mcoulombe · commit 8bd56ba8051b · 2025-10-15T15:23:57.000-04:00
Updates #485 Signed-off-by: mcoulombe <max@tailscale.com>
diff --git a/docs/index.md b/docs/index.md
@@ -34,8 +34,9 @@ provider "tailscale" {
 
 - `api_key` (String, Sensitive) The API key to use for authenticating requests to the API. Can be set via the TAILSCALE_API_KEY environment variable. Conflicts with 'oauth_client_id' and 'oauth_client_secret'.
 - `base_url` (String) The base URL of the Tailscale API. Defaults to https://api.tailscale.com. Can be set via the TAILSCALE_BASE_URL environment variable.
-- `oauth_client_id` (String) The OAuth application's ID when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_ID environment variable. Both 'oauth_client_id' and 'oauth_client_secret' must be set. Conflicts with 'api_key'.
-- `oauth_client_secret` (String, Sensitive) The OAuth application's secret when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_SECRET environment variable. Both 'oauth_client_id' and 'oauth_client_secret' must be set. Conflicts with 'api_key'.
-- `scopes` (List of String) The OAuth 2.0 scopes to request when for the access token generated using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauth_client_id' and 'oauth_client_secret' are set.
+- `identity_token` (String, Sensitive) The jwt identity token to exchange for a Tailscale API token when using a federated identity client. Can be set via the IDENTITY_TOKEN environment variable. Conflicts with 'api_key' and 'oauth_client_secret'.
+- `oauth_client_id` (String) The OAuth application's ID when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_ID environment variable. Either 'oauth_client_secret' or 'identity_token' must be set alongside 'oauth_client_id'. Conflicts with 'api_key'.
+- `oauth_client_secret` (String, Sensitive) The OAuth application's secret when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_SECRET environment variable. Conflicts with 'api_key' and 'identity_token'.
+- `scopes` (List of String) The OAuth 2.0 scopes to request for when generating the access token using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauth_client_id' and 'oauth_client_secret' are set.
 - `tailnet` (String) The organization name of the Tailnet in which to perform actions. Can be set via the TAILSCALE_TAILNET environment variable. Default is the tailnet that owns API credentials passed to the provider.
 - `user_agent` (String) User-Agent header for API requests.
diff --git a/go.mod b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	golang.org/x/tools v0.37.0
 	tailscale.com v1.88.3
-	tailscale.com/client/tailscale/v2 v2.2.0
+	tailscale.com/client/tailscale/v2 v2.2.1-0.20251015185717-65a1d0d0deaa // TODO(maxc) use the proper version once published
 )
 
 require github.com/pkg/errors v0.9.1
@@ -83,7 +83,7 @@ require (
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
 	golang.org/x/mod v0.28.0 // indirect
 	golang.org/x/net v0.44.0 // indirect
-	golang.org/x/oauth2 v0.31.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
 	golang.org/x/sync v0.17.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053 // indirect
diff --git a/go.sum b/go.sum
@@ -252,6 +252,8 @@ golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
 golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
 golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -319,3 +321,5 @@ tailscale.com v1.88.3 h1:OiE6iVqzykhbITxmIKjH8d00cw0LsJFO3TuFd4jQVXU=
 tailscale.com v1.88.3/go.mod h1:LHaTiwRgzebPDLgZ6RQQVzX+1SR5fbNl51fzm7UtMaw=
 tailscale.com/client/tailscale/v2 v2.2.0 h1:z0MRwojnNcuRcYFumtpymrPH97slBI/zxq0nY/RYcJQ=
 tailscale.com/client/tailscale/v2 v2.2.0/go.mod h1:RkAl+CyJiu437uUelFWW/2wL+EgZ6Vd15S1f+IitGr4=
+tailscale.com/client/tailscale/v2 v2.2.1-0.20251015185717-65a1d0d0deaa h1:/0Z4BfsHMXaauoZuYoNzsjZGRhl0MUpL31j45CWpFWw=
+tailscale.com/client/tailscale/v2 v2.2.1-0.20251015185717-65a1d0d0deaa/go.mod h1:FuUEY9GaimRaE7cPSzkRfUQmvbdVs9C+vLHmun8+1qQ=
diff --git a/tailscale/provider.go b/tailscale/provider.go
@@ -42,24 +42,31 @@ func Provider(options ...ProviderOption) *schema.Provider {
 				Description: "The API key to use for authenticating requests to the API. Can be set via the TAILSCALE_API_KEY environment variable. Conflicts with 'oauth_client_id' and 'oauth_client_secret'.",
 				Sensitive:   true,
 			},
+			"identity_token": {
+				Type:        schema.TypeString,
+				DefaultFunc: schema.EnvDefaultFunc("IDENTITY_TOKEN", ""),
+				Optional:    true,
+				Description: "The jwt identity token to exchange for a Tailscale API token when using a federated identity client. Can be set via the IDENTITY_TOKEN environment variable. Conflicts with 'api_key' and 'oauth_client_secret'.",
+				Sensitive:   true,
+			},
 			"oauth_client_id": {
 				Type:        schema.TypeString,
 				DefaultFunc: schema.MultiEnvDefaultFunc(oauthClientIDEnvVars, ""),
 				Optional:    true,
-				Description: "The OAuth application's ID when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_ID environment variable. Both 'oauth_client_id' and 'oauth_client_secret' must be set. Conflicts with 'api_key'.",
+				Description: "The OAuth application's ID when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_ID environment variable. Either 'oauth_client_secret' or 'identity_token' must be set alongside 'oauth_client_id'. Conflicts with 'api_key'.",
 			},
 			"oauth_client_secret": {
 				Type:        schema.TypeString,
 				DefaultFunc: schema.MultiEnvDefaultFunc(oauthClientSecretEnvVars, ""),
 				Optional:    true,
-				Description: "The OAuth application's secret when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_SECRET environment variable. Both 'oauth_client_id' and 'oauth_client_secret' must be set. Conflicts with 'api_key'.",
+				Description: "The OAuth application's secret when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_SECRET environment variable. Conflicts with 'api_key' and 'identity_token'.",
 				Sensitive:   true,
 			},
 			"scopes": {
 				Type:        schema.TypeList,
 				Optional:    true,
 				Elem:        &schema.Schema{Type: schema.TypeString},
-				Description: "The OAuth 2.0 scopes to request when for the access token generated using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauth_client_id' and 'oauth_client_secret' are set.",
+				Description: "The OAuth 2.0 scopes to request for when generating the access token using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauth_client_id' and 'oauth_client_secret' are set.",
 			},
 			"tailnet": {
 				Type:        schema.TypeString,
@@ -135,15 +142,10 @@ func providerConfigure(_ context.Context, provider *schema.Provider, d *schema.R
 	apiKey := d.Get("api_key").(string)
 	oauthClientID := d.Get("oauth_client_id").(string)
 	oauthClientSecret := d.Get("oauth_client_secret").(string)
+	idToken := d.Get("identity_token").(string)
 
-	if apiKey == "" && oauthClientID == "" && oauthClientSecret == "" {
-		return nil, diag.Errorf("tailscale provider credentials are empty - set `api_key` or 'oauth_client_id' and 'oauth_client_secret'")
-	} else if apiKey != "" && (oauthClientID != "" || oauthClientSecret != "") {
-		return nil, diag.Errorf("tailscale provider credentials are conflicting - `api_key` conflicts with 'oauth_client_id' and 'oauth_client_secret'")
-	} else if apiKey == "" && oauthClientID == "" && oauthClientSecret != "" {
-		return nil, diag.Errorf("tailscale provider argument 'oauth_client_id' is empty")
-	} else if apiKey == "" && oauthClientID != "" && oauthClientSecret == "" {
-		return nil, diag.Errorf("tailscale provider argument 'oauth_client_secret' is empty")
+	if diags := validateProviderCreds(apiKey, oauthClientID, oauthClientSecret, idToken); diags != nil && diags.HasError() {
+		return nil, diags
 	}
 
 	userAgent := d.Get("user_agent").(string)
@@ -176,6 +178,17 @@ func providerConfigure(_ context.Context, provider *schema.Provider, d *schema.R
 		return client, nil
 	}
 
+	if oauthClientID != "" && idToken != "" {
+		apiKey, err = tailscale.IdentityFederationConfig{
+			ClientID: oauthClientID,
+			IDToken:  idToken,
+			BaseURL:  baseURL,
+		}.GenerateAccessToken()
+		if err != nil {
+			return nil, diag.Errorf("failed to exchange identity token for API token: %s", err)
+		}
+	}
+
 	client := &tailscale.Client{
 		BaseURL:   parsedBaseURL,
 		UserAgent: userAgent,
@@ -186,6 +199,20 @@ func providerConfigure(_ context.Context, provider *schema.Provider, d *schema.R
 	return client, nil
 }
 
+func validateProviderCreds(apiKey string, oauthClientID string, oauthClientSecret string, idToken string) diag.Diagnostics {
+	if apiKey == "" && oauthClientID == "" && oauthClientSecret == "" && idToken == "" {
+		return diag.Errorf("tailscale provider credentials are empty - set `api_key` or 'oauth_client_id' and either 'oauth_client_secret' or 'identity_token'")
+	} else if apiKey != "" && (oauthClientID != "" || oauthClientSecret != "" || idToken != "") {
+		return diag.Errorf("tailscale provider credentials are conflicting - `api_key` conflicts with 'oauth_client_id', 'oauth_client_secret' and 'identity_token'")
+	} else if apiKey == "" && oauthClientID == "" {
+		return diag.Errorf("tailscale provider argument 'oauth_client_id' is empty")
+	} else if oauthClientID != "" && (oauthClientSecret == "" && idToken == "") {
+		return diag.Errorf("one of tailscale provider arguments 'oauth_client_secret' or 'identity_token' are mandatory with 'oauth_client_id'")
+	}
+
+	return nil
+}
+
 func diagnosticsError(err error, message string, args ...interface{}) diag.Diagnostics {
 	var detail string
 	if err != nil {
diff --git a/tailscale/provider_test.go b/tailscale/provider_test.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -203,3 +204,103 @@ func assertEqual(want, got any, errorMessage string) error {
 	}
 	return nil
 }
+
+func TestValidateProviderCreds(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name          string
+		apiKey        string
+		oauthClientID string
+		oauthSecret   string
+		idToken       string
+		wantErr       string
+	}{
+		{
+			name:    "valid api_key only",
+			apiKey:  "test-api-key",
+			wantErr: "",
+		},
+		{
+			name:          "valid oauth with client secret",
+			oauthClientID: "client-id",
+			oauthSecret:   "client-secret",
+			wantErr:       "",
+		},
+		{
+			name:          "valid oauth with identity token",
+			oauthClientID: "client-id",
+			idToken:       "id-token",
+			wantErr:       "",
+		},
+		{
+			name:    "all credentials empty",
+			wantErr: "credentials are empty",
+		},
+		{
+			name:          "api_key conflicts with oauth_client_id",
+			apiKey:        "test-api-key",
+			oauthClientID: "client-id",
+			wantErr:       "credentials are conflicting",
+		},
+		{
+			name:        "api_key conflicts with oauth_client_secret",
+			apiKey:      "test-api-key",
+			oauthSecret: "client-secret",
+			wantErr:     "credentials are conflicting",
+		},
+		{
+			name:    "api_key conflicts with identity_token",
+			apiKey:  "test-api-key",
+			idToken: "id-token",
+			wantErr: "credentials are conflicting",
+		},
+		{
+			name:        "oauth_client_id missing with only oauth_client_secret",
+			oauthSecret: "client-secret",
+			wantErr:     "oauth_client_id' is empty",
+		},
+		{
+			name:    "oauth_client_id missing with only identity_token",
+			idToken: "id-token",
+			wantErr: "oauth_client_id' is empty",
+		},
+		{
+			name:          "oauth_client_id without secret or token",
+			oauthClientID: "client-id",
+			wantErr:       "oauth_client_secret' or 'identity_token' are mandatory",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			diags := validateProviderCreds(tt.apiKey, tt.oauthClientID, tt.oauthSecret, tt.idToken)
+
+			if tt.wantErr == "" && diags.HasError() {
+				t.Errorf("unexpected error: %v", diags)
+
+			}
+
+			if tt.wantErr != "" && !diags.HasError() {
+				t.Errorf("expected error containing %q but got none", tt.wantErr)
+				return
+			}
+
+			if tt.wantErr != "" {
+				match := false
+				for _, d := range diags {
+					if d.Severity == diag.Error {
+						errMsg := d.Summary + d.Detail
+						if strings.Contains(errMsg, tt.wantErr) {
+							match = true
+							break
+						}
+					}
+				}
+				if !match {
+					t.Errorf("expected error containing %q but got: %v", tt.wantErr, diags)
+				}
+			}
+		})
+	}
+}
