[FEATURE] Authentication for CI/CD

[lechnerc77]

The currently supported authentication mechanisms are username/password and with release 0.4.0-beta1 a token based authentication that can only be used SAP-internally.

The provider and the underlying BTP CLI Server still lack the support of an authentication flow that enables CI/CD scenarios.

This ticket s a follow-up to #8, to keep this necessary enhancement of the provider authentications flow in the backlog

[lechnerc77]

Update:

• The proposal based on the blog post https://blogs.sap.com/2022/12/09/automation-with-the-btp-command-line-interface-logging-in-with-passcodes/ does offer an option but has no advantages with respect to username/password flow.
• Preferred option would be to support the pkce flow as state-of-the-art authentication flow
• Internal clarification started

[lechnerc77]

Status Quo: SAP IdP has functional limitations/gaps when it comes to the default setup on SAP BTP. This blocks the comprehensive enablement of Authentication flows.

The topic is in process by the corresponding team, but no ETA is available

[lechnerc77]

Re-Check after Q2/2024

[se-wo]

@lechnerc77 any update on this?

[lechnerc77]

@se-wo there is currently no activity in supporting furthr authentication flows besides the ones currently supported and documented at https://registry.terraform.io/providers/SAP/btp/latest/docs
Up to now no customer requests have rechaed us that would need further flows.

[se-wo]

@lechnerc77 How are other customers solving this? Creating S-Users or P-Users for deployment pipelines feels painful to me. No proper governance and you need unique emails for all of them. Most of the time this will result in very few if not only a single user for deployments. No password policy. Not to talk about personal user that are used for CD and break as soon as somebody leaves.
Besides we try to use our own IAM everywhere.
On the other hand IAS is also not nice. At least I can create the users more easily. But those are only normal users. No (semi-)automatic password rotation. Login with a certificate requires manual login and you need to enable it for a at least one type of users first.
Cloud Management Service seems to be much better in that regard with service bindings supporting even mTLS. But you miss out on all the Terraform stuff.

[lechnerc77]

@se-wo You named the two patterns that we saw at customers:

• Dedicated user in standard IdP
• Dedicated user in custom idP

You are right with the challenges that come along with these approaches.

Comparing the Cloud Management Service (service on subaccount level) with the Terraform provider (and the underlying BTP CLI server) is imho comparing apples with oranges, but I get your point.