How to authenticate with aio for Oauth server-to-server credential (without browser authentication) like old/depreicated Service account(JWT) ?

[sanith01988]

Is your feature request related to a problem? Please describe.
Earlier with JWT by running the following command we're able to communicate with cloud-manager without browser authentication.

aio config:set jwt-auth jwt.json --file --json
aio config:set jwt-auth.jwt_private_key private.key --file
aio config:set cloudmanager_programid
aio config:set ims.contexts.aio-cli-plugin-cloudmanager.private_key private.key --file
aio cloudmanager:program:list-pipelines

Now as per adobe, JWT feature is deprecated and we need to use Oauth server-to-server credential instead.

Describe the solution you'd like
I'm suing this aio in one environment where browser based authentication is not possible. In this case how can I run the aio without browser authentication like deprecated JWT mention above ?

[chrfis]

This feature request has already been raised by @kwin
#671

[sanith01988]

v6.4.0 already released https://www.npmjs.com/package/@adobe/aio-lib-ims/v/6.4.0

[mabroor]

The docs have a lot of inconsistencies between all the different repos. Does anyone have a working example of this?

[lszajek]

I found temporary solution which works for me:

1. Install latest aio-cli-plugin-auth (3.2.1)
2. Add to global ~/.config/aio file (take credentials from developer console):

{
  aio-cli-telemetry: {
    optOut: true,
    clientId: COPY_YOUR_CLIENT_ID_HERE
  },
  cloudmanager_programid: "COPY_YOUR_PROGRAMID_HERE",
  ims: {
    contexts: {
      aio-cli-plugin-cloudmanager: {
        ims_org_id: "COPY_YOUR_IMS_ORG_ID_HERE",
        client_id: "COPY_YOUR_CLIENT_ID_HERE",
        client_secrets: [
          "COPY_YOUR_SECRET_HERE"
        ],
        technical_account_id: "COPY_YOUR_ACCOUNT_ID_HERE",
        technical_account_email: "COPY_YOUR_ACCOUNT_EMAIL_HERE",
        scopes: [
          "COPY_YOUR_SCOPES_HERE"
        ],
      }
    },
    config: {
      current: "aio-cli-plugin-cloudmanager"
    }
  }
}

3. Run aio auth login (access_token will be added to ~/.config/aio file)
4. Verify cloud manager plugin's command: aio cloudmanager:list-programs

[sanith01988]

@lszajek,
I tried this. But when I'm trying to call aio auth login its again redirecting to browser for authentication.

[lszajek]

Did you check the version of aio-cli-plugin-cloudmanager plugin? It seems that v4.1.0 has fixed that. And make sure that you have OAuth Server-to-Server credentials set at developer console.

[lszajek]

Also check the version of aio-cli, it is working for me with v9.3.0

[thedevopsguyblog]

This worked for me (i used a config.json file instead of a .yaml file), thanks @lszajek.
Can this be documented here: https://developer.adobe.com/developer-console/docs/guides/authentication/

I created my config file by searching my projects credentials in cloud manager - is there an eaiser way to get this information?

[thedevopsguyblog]

This worked for me (i used a config.json file instead of a .yaml file), thanks @lszajek. Can this be documented here: https://developer.adobe.com/developer-console/docs/guides/authentication/

I created my config file by searching my projects credentials in cloud manager - is there an eaiser way to get this information?

looks like executing this aio auth login is not needed, as i'm able to execute aio cloudmanager:pipeline:create-execution xxxx --emergency succesfully without running "auth login"

[edukondaluavula]

I am having same issue in aio-cli v9.3.0

command: aio auth login -v -c=pipeline

json file:

{
"ims": {
"config": {
"current": "pipeline"
},
"contexts": {
"pipeline": {
"client_id": "XXXXXXXXXXX",
"client_secrets": ["XXXXXXXXXXXXXX"],
"ims_org_id": "XXXXXXXXXX@AdobeOrg",
"technical_account_id": "XXXXXXXXXX@techacct.adobe.com",
"technical_account_email": "XXXXXXXXXXXX@techacct.adobe.com",
"scopes": ["AdobeID openid read_organizations additional_info.projectedProductContext additional_info.roles adobeio_api read_client_secret manage_client_secrets"],
"state": ""
}
}
}
}

Please suggest me to address this issue ?

I too, have an issue using OAuth2 with the cloudmanager plugin.

These are my versions:

$ aio plugins
@adobe/aio-cli-plugin-aem-rde 1.1.0
@adobe/aio-cli-plugin-cloudmanager 4.1.0
$ aio --version
@adobe/aio-cli/9.4.1 wsl-x64 node-v16.20.2

And I have this set up ~/.config/aio (thank you @lszajek. )

 ims: {
    contexts: {
      aio-cli-plugin-cloudmanager: {
        ims_org_id: "XXX",
        grant_type: "client_credentials",
        client_id: "XXX",
        client_secrets: [
          "XXX"
        ],
        technical_account_id: "XXX",
        technical_account_email: "XXX",
        scopes: [
          "openid",
          "AdobeID",
          "read_organizations",
          "additional_info.projectedProductContext",
          "read_pc.dma_aem_ams"
        ],
      }
    },
    config: {
      current: "aio-cli-plugin-cloudmanager"
    }
  }

Login works perfectly. When I do aio auth:login I get a key returned and added to my configuration. However, cloudmanager still seems to be looking for parameters related to JWT.

$ aio cloudmanager:list-programs
 ›   Error: [CloudManagerCLI:IMS_CONTEXT_MISSING_FIELDS] One or more of the required fields in
 ›   ims.contexts.aio-cli-plugin-cloudmanager were not set. Missing keys were client_secret, meta_scopes,
 ›   private_key.
 ›   Code: IMS_CONTEXT_MISSING_FIELDS

[lszajek]

@mstuart2-dxc I also had such a problem after upgrading aio-cli-plugin-cloudmanager to 4.1.0 and temporary resolved it by disabling prerun hook in package.json. Just rename "prerun": "./src/hooks/prerun/prerun-all.js" to "__prerun": "./src/hooks/prerun/prerun-all.js" in aio-cli-plugin-cloudmanager package.json file. I have this file here: ~/.local/share/@adobe/aio-cli/node_modules/@adobe/aio-cli-plugin-cloudmanager/package.json

@Iszajek Brilliant! Works like a charm. Thank you very much.