fix for workload pricipal bucket access

gotsysdba · gotsysdba · commit f20febc51596 · 2025-10-02T12:56:48.000+01:00
diff --git a/src/client/content/tools/tabs/split_embed.py b/src/client/content/tools/tabs/split_embed.py
@@ -134,11 +134,7 @@ def display_split_embed() -> None:
     file_sources = ["OCI", "Local", "Web"]
     oci_lookup = st_common.state_configs_lookup("oci_configs", "auth_profile")
     oci_setup = oci_lookup.get(state.client_settings["oci"].get("auth_profile"))
-    if (
-        not oci_setup
-        or oci_setup.get("namespace") is None
-        or (oci_setup.get("tenancy") is None and oci_setup.get("authentication") != "oke_workload_identity")
-    ):
+    if not oci_setup or oci_setup.get("namespace") is None or oci_setup.get("tenancy") is None:
         st.warning("OCI is not fully configured, some functionality is disabled", icon="⚠️")
         file_sources.remove("OCI")
 
diff --git a/src/server/api/utils/oci.py b/src/server/api/utils/oci.py
@@ -5,6 +5,8 @@
 # spell-checker:ignore genai ocids ocid
 
 import os
+import base64
+import json
 from typing import Union
 import urllib3.exceptions
 
@@ -75,6 +77,13 @@ def init_client(
             logger.info("OCI Authentication with Workload Identity")
             oke_workload_signer = oci.auth.signers.get_oke_workload_identity_resource_principal_signer()
             client = client_type(config={"region": config_json["region"]}, signer=oke_workload_signer)
+            if not config.tenancy:
+                token = oke_workload_signer.get_security_token()
+                payload_part = token.split(".")[1]
+                padding = "=" * (-len(payload_part) % 4)
+                decoded_bytes = base64.urlsafe_b64decode(payload_part + padding)
+                payload = json.loads(decoded_bytes)
+                config.tenancy = payload.get("tenant")
         elif config_json["authentication"] == "security_token" and config_json["security_token_file"]:
             logger.info("OCI Authentication with Security Token")
             token = None
diff --git a/src/server/api/v1/oci.py b/src/server/api/v1/oci.py
@@ -66,7 +66,7 @@ async def oci_get(
 async def oci_list_regions(
     auth_profile: schema.OCIProfileType,
 ) -> list:
-    """Return a list of compartments"""
+    """Return a list of regions"""
     logger.debug("Received oci_list_regions - auth_profile: %s", auth_profile)
     try:
         oci_config = await oci_get(auth_profile=auth_profile)
@@ -84,7 +84,7 @@ async def oci_list_regions(
 async def oci_list_genai(
     auth_profile: schema.OCIProfileType,
 ) -> list:
-    """Return a list of compartments"""
+    """Return a list of genai service models"""
     logger.debug("Received oci_list_genai - auth_profile: %s", auth_profile)
     try:
         oci_config = await oci_get(auth_profile=auth_profile)
