feat(credentials): surface External ID and trust policy after add [COMP-1405]#634
Merged
After `tw credentials add` succeeds, follow up with a GET /credentials/{id}
to enrich the success message with:
- the generated External ID (AWS role-mode credentials)
- the server-rendered provider-side setup snippet (e.g. AWS IAM trust
policy when the installation is configured with a jump role)
This brings CLI output to parity with the web UI modal, so users no
longer need a follow-up `tw credentials view` (which doesn't exist) or a
trip to the docs to assemble the trust policy by hand.
The follow-up describe is best-effort: if it fails the credential is
still created and the CLI returns the same minimal output as before.
Bump tower-java-sdk to 1.167.0 (and VERSION-API + service-info fixture
to match) to consume the new `setupSnippet` field on
DescribeCredentialsResponse.
tested locally with stage
The indent() helper hardcoded '\n' while the surrounding format string used
%n. On Windows %n resolves to \r\n, producing a byte-level mismatch between
expected (built in JVM with %n=\r\n) and actual (native binary stdout) even
though the rendered output looked identical. Use String.format("%n") inside
indent() to match the rest of the message.
…n not needed

The follow-up describeCredentials() call after a credential add was running for every provider and silently swallowing any failure. Now:
- Only call describe when useExternalId is true (AWS role mode or --generate-external-id) — the only flows where the response actually carries an External ID or trust policy. Avoids an unnecessary GET on every non-AWS / non-role credential add.
- On describe failure, print a yellow Warning to stderr stating that credential details could not be fetched and that the credential was created. Silent swallow gave the user no signal that enrichment failed.
Updates the existing AWS role/generate-external-id tests to mock the describe call so their stderr stays empty.
stefanoboriero
approved these changes
Jun 12, 2026
alberto-miranda
approved these changes
Jun 12, 2026
CredentialsProvider.useExternalId() returned a nullable Boolean — null for most providers, true/false for AWS. Auto-unboxing at the call site triggered NPE on non-AWS adds. Switch to primitive boolean (default false) so callers can use the value directly without null guards. AwsProvider previously returned null to mean "feature off"; that now maps to false, which the createCredentials call passes through to Platform as useExternalId=false (semantically equivalent to omitting the param for the toggle).
- Drop redundant field-level javadoc on CredentialsAdded.externalId and setupSnippet; field names are self-explanatory.
- Cache getProvider() and useExternalId() once at the top of AbstractAddCmd.exec() instead of recomputing on every reference.
- Use Java 21 pattern matching for the AwsSecurityKeys instanceof branch.
Description
Closes COMP-1884
Brings CLI output to parity with the web UI modal for AWS role-mode credentials. After `tw credentials add aws --mode role --generate-external-id …` succeeds, the CLI now follows up with `GET /credentials/{id}` and prints:
- `TOWER_AWS_JUMP_ROLE_ARN` + `TOWER_AWS_JUMP_EXTERNAL_ID` (so users can paste it directly into their IAM role's trust relationship)
The follow-up describe is best-effort: if it fails, the credential is still created and the CLI returns the same minimal output as before. Both fields are nullable — for providers/flows that don't have either, the output is unchanged.
Sample output (AWS role mode with jump role configured)
Versioning
- towerJavaSdkVersion: 1.150.0 → 1.167.0 (consume the new `setupSnippet` field on `DescribeCredentialsResponse`).
- VERSION-API: 1.148.0 → 1.167.0 (matches the minimum API version where the dependent field was introduced).
- `service-info.json` test fixture bumped to match.
- `conf/reflect-config.json` regenerated via `./gradlew runReflectionConfigGenerator -Dtracing-agent=true` on GraalVM CE 21 to register the new SDK model getters/setters (e.g. `AwsCloudConfig.getDeletedResources`) for the native binary. Without this the JVM tests passed but the binary tests failed with `tried to reflectively invoke method … without it being registered for runtime reflection`.
Dependency chain
This PR is the third in a chain landing the `setupSnippet` feature end-to-end:
- `setupSnippet` field to `DescribeCredentialsResponse` and the `AwsTrustPolicyRenderer` that populates it. Merged + deployed.
- update-1.167.0 — regenerates the SDK from the updated OpenAPI spec. Published as tower-java-sdk 1.167.0.
Guidelines for testing
- `./gradlew installDist`) or use the published artifact once available.
- `TOWER_AWS_JUMP_ROLE_ARN` and `TOWER_AWS_JUMP_EXTERNAL_ID` (e.g. local dev with those env vars set).
- `tw credentials add google …`): neither line appears.
Checklist
(No new env vars introduced — `TOWER_AWS_JUMP_ROLE_ARN`/`TOWER_AWS_JUMP_EXTERNAL_ID` are already documented platform-side from COMP-1426.)
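The trust policy the CLI now prints is the part of this change most worth getting right on the customer side: an `sts:AssumeRole` grant to the jump role without an `sts:ExternalId` condition lets any other tenant served by the same jump role assume the customer's role, which is the confused-deputy problem the External ID exists to prevent. The following is an added example, not tower-cli or Platform code. It renders a trust policy from the two values the CLI prints (`TOWER_AWS_JUMP_ROLE_ARN`, `TOWER_AWS_JUMP_EXTERNAL_ID`) and lints an existing, hand-assembled policy for the common weakenings. The role ARN, External ID and the weak policy are constructed for the example; the checker only inspects the `StringEquals` operator and is a lint, not a re-implementation of IAM policy evaluation.

```python
"""Added example (not tower-cli or Platform code): render the IAM trust policy
that pairs TOWER_AWS_JUMP_ROLE_ARN with TOWER_AWS_JUMP_EXTERNAL_ID, and lint an
existing trust policy for the weakenings that defeat the External ID."""
import json
import re

# Constructed sample values; shape only, not real resources.
JUMP_ROLE_ARN = "arn:aws:iam::123456789012:role/tower-jump-role"
EXTERNAL_ID = "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"

_ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")
# STS accepts an ExternalId of 2..1224 characters from this set.
_EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9+=,.@:/-]{2,1224}$")


def is_role_arn(value: str) -> bool:
    return bool(_ROLE_ARN_RE.match(value))


def render_trust_policy(jump_role_arn: str, external_id: str) -> dict:
    """Trust policy for the customer role that the jump role will assume.

    The Condition is what prevents a confused deputy: another tenant of the
    same jump role cannot assume this role without this exact External ID.
    """
    if not is_role_arn(jump_role_arn):
        raise ValueError(f"not an IAM role ARN: {jump_role_arn!r}")
    if not _EXTERNAL_ID_RE.match(external_id):
        raise ValueError("External ID violates the sts:ExternalId length/character rules")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": jump_role_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    # IAM allows a single string or a list in most positions; normalise.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, jump_role_arn: str, external_id: str) -> list:
    """Return problems found in an existing trust policy; [] means every
    AssumeRole grant is scoped to the jump role and requires the External ID.

    Only the StringEquals operator is inspected; this is a lint, not a
    re-implementation of IAM policy evaluation.
    """
    problems = []
    grants = 0
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        grants += 1
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in aws:
            problems.append(f"statement {i}: wildcard principal may assume the role")
        elif jump_role_arn not in aws:
            problems.append(f"statement {i}: principal is not the jump role")
        ids = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ids:
            problems.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif external_id not in ids:
            problems.append(f"statement {i}: sts:ExternalId does not match the generated value")
    if grants == 0:
        problems.append("no Allow statement grants sts:AssumeRole")
    return problems


# Constructed "hand-assembled" policy with the usual mistake: condition omitted.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": JUMP_ROLE_ARN},
            "Action": "sts:AssumeRole",
        }
    ],
}


if __name__ == "__main__":
    print(json.dumps(render_trust_policy(JUMP_ROLE_ARN, EXTERNAL_ID), indent=2))
    for problem in check_trust_policy(WEAK_POLICY, JUMP_ROLE_ARN, EXTERNAL_ID):
        print("WARN:", problem)
```

Run as a script it prints the rendered policy and then one warning for `WEAK_POLICY`. When pasting the CLI's output into an existing role, the useful check is `check_trust_policy(existing, role_arn, external_id) == []`; a non-empty result means the role is either open to a wildcard or other principal, or can be assumed without the External ID the credential was created with.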