github.com/grailbio/base@v0.0.11/cmd/grail-access/doc.go (about)

     1  // This file was auto-generated via go generate.
     2  // DO NOT UPDATE MANUALLY
     3  
     4  /*
     5  Command grail-access creates Vanadium credentials (also called principals) using
     6  either Google ID tokens (the default) or the AWS IAM role attached to an EC2
     7  instance (requested using the '-ec2' flag).
     8  
     9  For the Google-based auth, the user is prompted to go through an OAuth flow
    10  that requires minimal permissions (only 'Know who you are on Google') and
    11  obtains an ID token scoped to the clientID expected by the server. The ID token
    12  is presented to the server via a Vanadium RPC. For an 'xxx@grailbio.com' email
    13  address the server will hand to the client a '[server]:google:xxx@grailbio.com'
    14  blessing, where '[server]' is the blessing of the server.
    15  
    16  For the EC2-based auth, given an instance with ID 'i-0aec7b085f8432699' in
    17  account number '619867110810' that uses the 'adhoc' role, the server will hand
    18  to the client a '[server]:ec2:619867110810:role:adhoc:i-0aec7b085f8432699'
    19  blessing, where '[server]' is the blessing of the server.
    20  
    21  Usage:
    22     grail-access [flags]
    23  
    24  The grail-access flags are:
    25   -bless-remotes=true
    26     Whether to attempt to bless remotes with local blessings; only applies to
    27     Google blessings
    28   -bless-remotes-targets=ec2-name:ubuntu@adhoc.jjc.*
    29     Comma-separated list of targets to bless; targets may be
    30     "ssh:[user@]host[:port]" SSH destinations or
    31     "ec2-name:[user@]ec2-instance-name-filter" EC2 instance name filters; see
    32     https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html.
    33     Every matched target is blessed with the local blessings (see
    34     -bless-remotes), so keep the filter as narrow as possible. The default shown
    35     here appears to have been captured from the machine that ran go generate.
    33   -blesser=
    34     Flow-specific blesser endpoint to use. Defaults to
    35     /ticket-server.eng.grail.com:8102/blesser/<flow>.
    36   -browser=true
    37     Attempt to open a browser.
    38   -ca-crt=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    39     Path to ca.crt file.
    40   -dir=/mnt/home/jjc/.v23
    41     Where to store the Vanadium credentials (the default shown here appears to be
    42     the home directory of the user who ran go generate, so expect it to differ per
    43     user). NOTE: the directory's contents are erased when the credentials are
    44     regenerated.
    43   -do-not-refresh-duration=168h0m0s
    44     Do not refresh credentials if they are present and do not expire within this
    45     duration.
    46   -dump=false
    47     If credentials are present, dump them on the console instead of refreshing
    48     them.
    49   -ec2=false
    50     Use the role of the EC2 VM.
    51   -ec2-instance-identity-url=http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
    52     URL for fetching the PKCS7-signed instance identity document; intended for
    53     testing only.
    53   -expiry-caveat=
    54     Duration of expiry caveat added to blessings (for testing); empty means no
    55     caveat added
    56   -google-oauth2-url=https://accounts.google.com/o/oauth2
    57     URL for oauth2 API calls, for testing
    58   -internal-bless-remotes-mode=
    59     (INTERNAL) Controls the mode in which we run for the remote blessing
    60     protocol; one of {public-key,receive,send}
    61   -k8s=false
    62     Use the Kubernetes flow.
    63   -namespace=/var/run/secrets/kubernetes.io/serviceaccount/namespace
    64     Path to namespace file.
    65   -region=us-west-2
    66     AWS EKS region to use for k8s cluster token review.
    67   -token=/var/run/secrets/kubernetes.io/serviceaccount/token
    68     Path to token file.
    69  
    70  The global flags are:
    71   -alsologtostderr=true
    72     log to standard error as well as files
    73   -log_backtrace_at=:0
    74     when logging hits line file:N, emit a stack trace
    75   -log_dir=
    76     if non-empty, write log files to this directory
    77   -logtostderr=false
    78     log to standard error instead of files
    79   -max_stack_buf_size=4292608
    80     max size in bytes of the buffer to use for logging stack traces
    81   -metadata=<just specify -metadata to activate>
    82     Displays metadata for the program and exits.
    83   -stderrthreshold=2
    84     logs at or above this threshold go to stderr
    85   -time=false
    86     Dump timing information to stderr before exiting the program.
    87   -v=0
    88     log level for V logs
    89   -v23.credentials=
    90     directory to use for storing security credentials
    91   -v23.namespace.root=[/(v23.grail.com:internal:mounttabled)@ns-0.v23.grail.com:8101,/(v23.grail.com:internal:mounttabled)@ns-1.v23.grail.com:8101,/(v23.grail.com:internal:mounttabled)@ns-2.v23.grail.com:8101]
    92     local namespace root; can be repeated to provide multiple roots
    93   -v23.permissions.file=
    94     specify a perms file as <name>:<permsfile>
    95   -v23.permissions.literal=
    96     explicitly specify the runtime perms as a JSON-encoded access.Permissions.
    97     Overrides all --v23.permissions.file flags
    98   -v23.proxy=
    99     object name of proxy service to use to export services across network
   100     boundaries
   101   -v23.proxy.limit=0
   102     max number of proxies to connect to when the policy is to connect to all
   103     proxies; 0 implies all proxies
   104   -v23.proxy.policy=
   105     policy for choosing from a set of available proxy instances
   106   -v23.tcp.address=
   107     address to listen on
   108   -v23.tcp.protocol=
   109     protocol to listen with
   110   -v23.virtualized.advertise-private-addresses=
   111     if set the process will also advertise its private addresses
   112   -v23.virtualized.disallow-native-fallback=false
   113     if set, a failure to detect the requested virtualization provider will result
   114     in an error, otherwise, native mode is used
   115   -v23.virtualized.dns.public-name=
   116     if set the process will use the supplied dns name (and port) without
   117     resolution for its entry in the mounttable
   118   -v23.virtualized.docker=
   119     set if the process is running in a docker container and needs to configure
   120     itself differently therein
   121   -v23.virtualized.provider=
   122     the name of the virtualization/cloud provider hosting this process if the
   123     process needs to configure itself differently therein
   124   -v23.virtualized.tcp.public-address=
   125     if set the process will use this address (resolving via dns if appropriate)
   126     for its entry in the mounttable
   127   -v23.virtualized.tcp.public-protocol=
   128     if set the process will use this protocol for its entry in the mounttable
   129   -v23.vtrace.cache-size=1024
   130     The number of vtrace traces to store in memory
   131   -v23.vtrace.collect-regexp=
   132     Spans and annotations that match this regular expression will trigger trace
   133     collection
   134   -v23.vtrace.dump-on-shutdown=true
   135     If true, dump all stored traces on runtime shutdown
   136   -v23.vtrace.enable-aws-xray=false
   137     Enable the use of AWS x-ray integration with vtrace
   138   -v23.vtrace.root-span-name=
   139     Set the name of the root vtrace span created by the runtime at startup
   140   -v23.vtrace.sample-rate=0
   141     Rate (from 0.0 to 1.0) to sample vtrace traces
   142   -v23.vtrace.v=0
   143     The verbosity level of the log messages to be captured in traces
   144   -vmodule=
   145     comma-separated list of globpattern=N settings for filename-filtered logging
   146     (without the .go suffix).  E.g. foo/bar/baz.go is matched by patterns baz or
   147     *az or b* but not by bar/baz or baz.go or az or b.*
   148   -vpath=
   149     comma-separated list of regexppattern=N settings for file pathname-filtered
   150     logging (without the .go suffix).  E.g. foo/bar/baz.go is matched by patterns
   151     foo/bar/baz or fo.*az or oo/ba or b.z but not by foo/bar/baz.go or fo*az
   152  */
   153  package main