fix: make machine account credentials files portable across environments#145

Merged
scotwells merged 2 commits into main from fix/144-machine-account-minimal-fields
Apr 10, 2026

Conversation

@scotwells
Contributor

Summary

Machine account credentials files no longer need to carry environment-specific configuration. datumctl now discovers the auth endpoint from --hostname — the same way interactive login already works — so the same credentials file can be used against dev, staging, and production by simply pointing datumctl at a different hostname.

What changed for users

Before this fix, a credentials file had to contain api_endpoint, token_uri, scope, and project_id or login would fail with:

error: credentials file is missing required fields: [token_uri client_email ...]

After this fix, a minimal credentials file only needs:

  • type (must be datum_machine_account)
  • client_id
  • private_key_id
  • private_key

client_email is optional and only used for display. Older credentials files that still include the extra fields continue to work unchanged.

One thing to know when migrating

If you were previously logging in against a non-default environment using just --credentials old-file.json (and relying on the file's token_uri to pick the environment), you will now need to pass --hostname explicitly:

datumctl auth login --credentials ./my-key.json --hostname auth.staging.env.datum.net

The login examples in datumctl auth login --help have been updated to show this.

Fixes #144

Test plan

  • Log in with a minimal credentials file (only type, client_id, private_key_id, private_key) against the default hostname
  • Log in with a minimal credentials file plus an explicit --hostname pointing at a non-default environment
  • Log in with a legacy credentials file that still has all the old fields and confirm it still works
  • Confirm an authenticated session can refresh its token after the initial login without re-reading the credentials file
  • Confirm a missing required field (e.g. no `private_key`) still produces a clear error

🤖 Generated with Claude Code
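As an added illustration of the minimal-fields rule described above (not datumctl's own code): a small validator that accepts the portable file, tolerates legacy environment fields, reports missing required fields as a comma-joined list, and derives the OIDC discovery location from --hostname instead of from the file. The struct-free map parsing, the error wording and the standard `/.well-known/openid-configuration` path are assumptions of this example; the two credentials files are constructed samples.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed minimal file: only the four required fields from the PR description.
const minimalCreds = `{"type":"datum_machine_account","client_id":"ma-123","private_key_id":"key-1","private_key":"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}`

// Constructed legacy file: still carries environment-specific fields, which are ignored, not rejected.
const legacyCreds = `{"type":"datum_machine_account","client_id":"ma-123","client_email":"bot@example.test","private_key_id":"key-1","private_key":"PLACEHOLDER","api_endpoint":"https://api.example.test","token_uri":"https://auth.example.test/token","scope":"openid","project_id":"proj-1"}`

// requiredFields is the portable set; client_email and the legacy fields are optional.
var requiredFields = []string{"type", "client_id", "private_key_id", "private_key"}

// ValidateCredentials parses the JSON and lists every missing required field in one
// comma-joined error (rather than Go's default slice formatting), then checks the type.
func ValidateCredentials(raw []byte) (map[string]any, error) {
	var fields map[string]any
	if err := json.Unmarshal(raw, &fields); err != nil {
		return nil, fmt.Errorf("credentials file is not valid JSON: %w", err)
	}
	var missing []string
	for _, f := range requiredFields {
		if s, ok := fields[f].(string); !ok || strings.TrimSpace(s) == "" {
			missing = append(missing, f)
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("credentials file is missing required fields: %s", strings.Join(missing, ", "))
	}
	if fields["type"] != "datum_machine_account" {
		return nil, fmt.Errorf("unsupported credentials type %q", fields["type"])
	}
	return fields, nil
}

// DiscoveryURL picks the environment from --hostname, so the file never needs a token_uri.
// The error hints at --hostname, as the review feedback on this PR asked for.
func DiscoveryURL(hostname string) (string, error) {
	hostname = strings.TrimSpace(hostname)
	if hostname == "" {
		return "", errors.New("cannot discover OIDC endpoint: pass --hostname to select the environment")
	}
	return "https://" + hostname + "/.well-known/openid-configuration", nil
}

func main() {
	for _, raw := range []string{minimalCreds, legacyCreds, `{"type":"datum_machine_account"}`} {
		if _, err := ValidateCredentials([]byte(raw)); err != nil {
			fmt.Println("error:", err)
		} else {
			fmt.Println("ok")
		}
	}
}
```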

scotwells and others added 2 commits April 10, 2026 15:42
Drop api_endpoint, token_uri, scope, and project_id from the required
set in machine account credentials files. Discover the token endpoint
from the OIDC provider's well-known config using --hostname, matching
the interactive login flow. Credentials files are now portable across
environments.

Fixes #144

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Address review feedback:
- Join missing-fields error with commas instead of Go's default slice formatting
- Add a hint to the OIDC discovery error pointing at --hostname
- Clarify the default scope comment about backward compatibility
- Add a login example showing --credentials with --hostname

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@scotwells scotwells requested a review from kevwilliams April 10, 2026 20:52
@scotwells scotwells merged commit d4ab844 into main Apr 10, 2026
2 checks passed
@scotwells scotwells deleted the fix/144-machine-account-minimal-fields branch April 10, 2026 20:57

Development

Successfully merging this pull request may close these issues.

Machine account credentials file requires environment and context fields that should be discovered
