
[HTCondor-users] Passing IDToken to user job for identification to storage resource



Dear all,

our jobs need to store their output on a storage resource (no shared file system) which requires IDToken authentication.

The IDToken is retrieved from the provider by the user on the command line before the job submission.

I read about different options to manage credentials, but I am not exactly sure about which one is more appropriate for our use case.

The flow is as follows:

1. Before submission, the token is generated on the command line: oidc-token -f punch-aai >> idtoken.text

2. We would like to store this token in a secured place defined in the HTCondor configuration to make it accessible to the job submitted by the user.
   So far, for test purposes, the token is part of the "transfer_input_files" in the submit description file.

3. The transfer of the job output to the storage resource is so far hardcoded in a python script (included as well in the jdl "transfer_input_files") doing essentially:

 "curl -L -X PUT -H \"Authorization: Bearer " + str(TOKEN) + "\"" + " --upload-file " + INPUTFILE + " " + STORAGE_RESOURCE

4. Not yet implemented is the refreshment or renewal of the IDToken which is limited to a one hour lifetime.

We would like to ask you which approach/option would be more suited to our use case?

Thanks a lot in advance for your answer and advice!

Cheers,
Benoit
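
Added example, not part of the original post: a Python sketch of the upload in step 3 that sends the token in a request header instead of on a curl command line, and checks the remaining lifetime from step 4 before uploading. It assumes the token is a JWT with an "exp" claim; the function names, the 300-second margin and the constructed sample token are illustrative.

```python
import base64
import json
import os
import time
import urllib.request


def token_expiry(token):
    """Return the 'exp' claim (Unix seconds) of a JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(padded))["exp"])


def check_lifetime(token, min_lifetime=300, now=None):
    """Return seconds left; raise if fewer than min_lifetime (assumed margin) remain."""
    left = token_expiry(token) - int(time.time() if now is None else now)
    if left < min_lifetime:
        raise RuntimeError("token expires in %d s; renew it before uploading" % left)
    return left


def build_put(token, url, body, length):
    """PUT request carrying the token in a header, not in a process argument list."""
    req = urllib.request.Request(url, data=body, method="PUT")
    req.add_header("Authorization", "Bearer " + token.strip())
    req.add_header("Content-Length", str(length))
    return req


def upload(token_path, input_file, url):
    """Read the token from a file, check its lifetime, stream the file to storage."""
    with open(token_path) as fh:
        token = fh.read()
    check_lifetime(token)
    with open(input_file, "rb") as body:
        req = build_put(token, url, body, os.path.getsize(input_file))
        # Unlike curl -L, urllib raises HTTPError on a redirected PUT instead of re-sending it.
        with urllib.request.urlopen(req) as resp:
            return resp.status


def constructed_token(exp):
    """Constructed sample JWT (fake header and signature) for offline testing."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"none"}'), enc(json.dumps({"exp": exp}).encode()), "sig"])
```

The lifetime check only reads the claim to decide whether a renewal is needed; validating the token remains the storage resource's job.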