mirror of
https://github.com/coder/coder.git
synced 2026-06-03 04:58:23 +00:00
e5707a13d6
> This PR was authored by Mux on behalf of Mike.

## Summary

Adds support for multiple peer root workspace agents sharing the same `auth_instance_id`, so AWS, Azure, and GCP instance-identity auth can issue the correct session token for a selected agent instead of assuming a single root agent per instance.

## Problem

When a Terraform template attaches two or more `coder_agent` resources (with `auth = "aws-instance-identity"`) to a single compute instance, every agent shares the same cloud instance ID. The existing singular lookup picks whichever agent was created most recently, silently ignoring the others.

## Solution

Introduce an optional pre-auth agent selector (`CODER_AGENT_NAME`) and make the server-side lookup ambiguity-aware.

**Database layer:**

- `GetWorkspaceAgentsByInstanceID` (`:many`): returns all matching root agents for an instance ID.
- `GetWorkspaceAgentByInstanceIDAndName` (`:one`): returns the named root agent for disambiguation.

**SDK and CLI:**

- `agent_name` field added to AWS, Azure, and GCP request structs (`omitempty` for backward compatibility).
- `CODER_AGENT_NAME` env var and `--agent-name` flag wired into the agent bootstrap before instance-identity auth runs.

**Server handler (`handleAuthInstanceID`):**

- When `agent_name` is present: direct lookup by (instance ID, name).
- When absent: legacy lookup, then resource-scoped ambiguity check. Returns 409 with available agent names if multiple root agents match.
- Whitespace-only names are trimmed and treated as unspecified.
- Sub-agents remain excluded (`parent_id IS NULL` filter).

**Verification template:**

- `examples/templates/aws-multi-agent/` provisions one EC2 instance with two agents (`main` and `dev`), both using instance-identity auth with `CODER_AGENT_NAME` set in the cloud-init user data.

## Backward compatibility

Existing single-agent deployments work unchanged. The `agent_name` field is optional with `omitempty`, and the unnamed path preserves today's behavior when only one root agent matches.
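The selection rules the description lays out (root agents only, trimmed name, fail closed with the candidate names when several root agents share an instance ID), modelled as an added Go example that is not code from the PR: `Agent` and `selectAgent` are constructed stand-ins for the database queries and for `handleAuthInstanceID`, and the instance IDs and agent names used with it are made up.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Agent is a constructed stand-in for a workspace agent row (the real schema
// has many more columns). ParentID is nil for root agents, set for sub-agents.
type Agent struct {
	Name, AuthInstanceID string
	ParentID             *string
}

// ErrAmbiguous mirrors the PR's 409 response; the wrapped message lists the
// names the caller can pass via CODER_AGENT_NAME / --agent-name.
var ErrAmbiguous = errors.New("multiple root agents match this instance")

// selectAgent applies the lookup rules from the PR description: sub-agents
// are ignored, a trimmed non-empty name selects directly, and an unspecified
// name is accepted only when exactly one root agent matches (fail closed).
func selectAgent(agents []Agent, instanceID, agentName string) (Agent, error) {
	agentName = strings.TrimSpace(agentName) // whitespace-only => unspecified
	var roots []Agent
	for _, a := range agents {
		if a.AuthInstanceID == instanceID && a.ParentID == nil {
			roots = append(roots, a)
		}
	}
	if agentName != "" {
		for _, a := range roots {
			if a.Name == agentName {
				return a, nil
			}
		}
		return Agent{}, fmt.Errorf("no root agent named %q for instance %s", agentName, instanceID)
	}
	switch len(roots) {
	case 0:
		return Agent{}, fmt.Errorf("no root agent for instance %s", instanceID)
	case 1:
		return roots[0], nil
	}
	names := make([]string, 0, len(roots))
	for _, a := range roots {
		names = append(names, a.Name)
	}
	return Agent{}, fmt.Errorf("%w: available agents %v", ErrAmbiguous, names)
}
```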
```text
coder v0.0.0-devel

USAGE:
  coder external-auth access-token [flags] <provider>

  Print auth for an external provider

  Print an access-token for an external auth provider. The access-token will be
  validated and sent to stdout with exit code 0. If a valid access-token cannot
  be obtained, the URL to authenticate will be sent to stdout with exit code 1

  - Ensure that the user is authenticated with GitHub before cloning.:

     $ #!/usr/bin/env sh

     OUTPUT=$(coder external-auth access-token github)
     if [ $? -eq 0 ]; then
       echo "Authenticated with GitHub"
     else
       echo "Please authenticate with GitHub:"
       echo $OUTPUT
     fi

  - Obtain an extra property of an access token for additional metadata.:

     $ coder external-auth access-token slack --extra "authed_user.id"

OPTIONS:
      --auth string, $CODER_AGENT_AUTH (default: token)
          Specify the authentication type to use for the agent.

      --agent-name string, $CODER_AGENT_NAME
          The name of the agent to authenticate as (only applicable for instance
          identity).

      --agent-token string, $CODER_AGENT_TOKEN
          An agent authentication token.

      --agent-token-file string, $CODER_AGENT_TOKEN_FILE
          A file containing an agent authentication token.

      --agent-url url, $CODER_AGENT_URL
          URL for an agent to access your deployment.

      --extra string
          Extract a field from the "extra" properties of the OAuth token.

———
Run `coder --help` for a list of global options.
```