OkeWorkloadIdentityConfigurationProvider looking for OCI_RESOURCE_PRINCIPAL_VERSION environment #489

Open
connelly38 opened this issue Mar 29, 2024 · 3 comments


connelly38 commented Mar 29, 2024

When trying to use OKE Workload configuration provider inside an OKE cluster, I get this error:

can not create resource principal, environment variable: OCI_RESOURCE_PRINCIPAL_VERSION, not present

This is due to the code in common/auth/resource_principal_key_provider.go, line 100-ish:

if version, ok = os.LookupEnv(ResourcePrincipalVersionEnvVar); !ok {
	err := fmt.Errorf("can not create resource principal, environment variable: %s, not present", ResourcePrincipalVersionEnvVar)
	return nil, resourcePrincipalError{err: err}
}

Neither the Java nor the Python SDKs look for this environment setting. Why does the go driver? I don't see any way this will work, short of me setting that environment variable manually to something like "2.2"?

I've followed all the docs to get the OKE cluster set up and the docs for go located at https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm#contengmanagingworkloads_topic-grantingworkloadaccesstoresources-golang ... but I still get this error.

I'm using oci-go-sdk as:
require github.com/oracle/oci-go-sdk/v65 v65.61.2

@JoshuaWR

Hi @connelly38, it seems like you do need to set that environment variable (OCI_RESOURCE_PRINCIPAL_VERSION), and you should be able to set it to what you mentioned, i.e. 2.2. From the Python SDK, we can see on this line that it also requires this environment variable to be present for Resource Principals, and will throw an error if it is not. For your use case, are you able to set this environment variable?


connelly38 commented Apr 1, 2024

Here's the simple example go code I'm using to test:

package main

import (
	"fmt"
	"time"

	ociauth "github.com/oracle/oci-go-sdk/v65/common/auth"
)

func main() {
	_, err := ociauth.OkeWorkloadIdentityConfigurationProvider()
	if err != nil {
		fmt.Printf("cannot create OKE provider: %v\n", err)
		return
	}
	time.Sleep(300 * time.Second)
}

When running in an OKE cluster, I get the error shown in the main bug report.

Update: with the help of Joshua Ramirez, I'm able to get further by setting the two following environments in my Dockerfile:

ENV OCI_RESOURCE_PRINCIPAL_VERSION 2.2
ENV OCI_RESOURCE_PRINCIPAL_REGION us-ashburn-1

... but why would those even be needed? This is for OKE workload auth, not resource principal. And this isn't a solution - especially since I'd need to set the region in the dockerfile.

If those two environment variables are required, why aren't they set in the OKE Workload container environment?
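
An added example, not part of the thread or of oci-go-sdk: a startup preflight that checks the two variables named above before the provider is created, and also flags a variable that is present but blank, which a bare `os.LookupEnv` "ok" test like the one quoted in the report would accept. The helper name `checkOKEEnv` and the message wording are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Variable names exactly as quoted in this thread.
var requiredOKEEnv = []string{
	"OCI_RESOURCE_PRINCIPAL_VERSION",
	"OCI_RESOURCE_PRINCIPAL_REGION",
}

// checkOKEEnv (hypothetical helper) reports every required variable that is
// unset or blank. lookup has the signature of os.LookupEnv so a constructed
// environment can be passed in for testing.
func checkOKEEnv(lookup func(string) (string, bool)) error {
	var problems []string
	for _, name := range requiredOKEEnv {
		val, ok := lookup(name)
		switch {
		case !ok:
			problems = append(problems, name+" is not set")
		case strings.TrimSpace(val) == "":
			// Present but blank: a check on "ok" alone would let this through.
			problems = append(problems, name+" is set but empty")
		}
	}
	if len(problems) > 0 {
		return fmt.Errorf("OKE workload identity preflight failed: %s",
			strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	// Run this before calling OkeWorkloadIdentityConfigurationProvider().
	if err := checkOKEEnv(os.LookupEnv); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("required variables present")
}
```

Reporting all missing variables at once avoids the fix-one, hit-the-next cycle described in the update above.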


stsully commented Oct 16, 2024

Same issue and same questions!
Are these values available in instance metadata?
