IAM | Save ARN for accounts in secret

[naveenpaul1]

Explain the changes

1. Save ARN for accounts in secret and return it in create and status CLI command

Issues: Fixed #xxx / Gap #xxx

Testing Instructions:

1. Create account from noobaa CLI

Note: OBC accounts can not create IAM users and OBC account is not part of this change

• Doc added/updated
• Tests added

Summary by CodeRabbit

• New Features

  • Account creation responses now include both account ID and Amazon Resource Name (ARN).
  • ARN is recorded alongside account credentials and persisted for object-bucket state.

• Status/Display

  • ARN is included in account secret data and shown in account status outputs when secrets are displayed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds ARN propagation: new Id and ARN fields on account reply; ARN included in secret output filtering (printed unconditionally); ARN persisted into NooBaa account secrets during reconciliation; ARN recorded in ObjectBucket AdditionalState after account creation. (≤50 words)

Changes

Cohort / File(s)	Change Summary
Account Response Type pkg/nb/types.go	Added two new exported fields to CreateAccountReply: Id (string) with JSON tag \"id\" and ARN (string) with JSON tag \"arn\". Existing fields (Token, AccessKeys) unchanged.
Secret Output Filtering pkg/noobaaaccount/noobaaaccount.go	Extended RunStatus secret key handling to include ARN alongside AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY; ARN is now included in output (printed unconditionally), while AWS keys continue to be masked or shown based on ShowSecrets.
Account Secret Storage (Reconciler) pkg/noobaaaccount/reconciler.go	Persisted account ARN into reconciliation secret StringData[\"ARN\"] in both remote-operator and non-remote paths (set from accountInfo.ARN) alongside token and access keys.
OBC State Update pkg/obc/provisioner.go	After account creation, wrote accountInfo.ARN into r.OB.Spec.AdditionalState[\"arn\"] and reassigned AdditionalState.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Validate JSON field naming consistency (Id vs ID) across clients and API contracts.
• Confirm all CreateAccountReply (de)serialization sites handle the new fields.
• Review secret handling to ensure ARN exposure matches security expectations (verify whether it should be printed when ShowSecrets is false).
• Check pkg/obc/provisioner.go for nil AdditionalState handling and downstream consumers of AdditionalState["arn"].

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: saving ARN for accounts in a secret and returning it in CLI commands.
Description check	✅ Passed	The description covers the main changes, testing instructions, and notes about OBC accounts, though the Issues section is left empty.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

pkg/noobaaaccount/reconciler.go (2)

383-383: Remove redundant type conversion and add defensive check for ARN.

The type conversion string(accountInfo.ARN) is unnecessary since ARN is already a string in the CreateAccountReply struct. Additionally, there's no validation that the ARN field is populated before storing it.

Apply this diff:

-			r.Secret.StringData["ARN"] = string(accountInfo.ARN)
+			if accountInfo.ARN != "" {
+				r.Secret.StringData["ARN"] = accountInfo.ARN
+			}

---

385-402: Handle backward compatibility for ARN like AccessKeys.

The code has fallback logic for AccessKeys when talking to older NooBaa versions (lines 388-398), but no similar handling for ARN. If the NooBaa API doesn't return ARN (older versions or API changes), an empty string will be silently stored in the secret.

Consider applying consistent handling:

 		var accessKeys nb.S3AccessKeys
 		// if we didn't get the access keys in the create_account reply we might be talking to an older noobaa version (prior to 5.1)
 		// in that case try to get it using read account
 		if len(accountInfo.AccessKeys) == 0 {
 			log.Info("CreateAccountAPI did not return access keys. calling ReadAccountAPI to get keys..")
 			readAccountReply, err := r.NBClient.ReadAccountAPI(nb.ReadAccountParams{Email: r.NooBaaAccount.Name})
 			if err != nil {
 				return err
 			}
 			accessKeys = readAccountReply.AccessKeys[0]
+			if readAccountReply.ARN != "" {
+				accountInfo.ARN = readAccountReply.ARN
+			}
 		} else {
 			accessKeys = accountInfo.AccessKeys[0]
 		}
 		r.Secret.StringData = map[string]string{}
 		r.Secret.StringData["AWS_ACCESS_KEY_ID"] = string(accessKeys.AccessKey)
 		r.Secret.StringData["AWS_SECRET_ACCESS_KEY"] = string(accessKeys.SecretKey)
-		r.Secret.StringData["ARN"] = string(accountInfo.ARN)
+		if accountInfo.ARN != "" {
+			r.Secret.StringData["ARN"] = accountInfo.ARN
+		}

Note: Verify that AccountInfo struct (from ReadAccountAPI) also has the ARN field, or adjust accordingly.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 078a893 and 98a35e6.

📒 Files selected for processing (3)

• pkg/nb/types.go (1 hunks)
• pkg/noobaaaccount/noobaaaccount.go (1 hunks)
• pkg/noobaaaccount/reconciler.go (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: Neon-White
Repo: noobaa/noobaa-operator PR: 1587
File: pkg/system/reconciler.go:287-291
Timestamp: 2025-07-14T10:59:21.959Z
Learning: NooBaa operator design constraint: Multiple NooBaa instances are not supported in the same namespace, only across different namespaces. This means hard-coded resource names like ConfigMaps are acceptable within a namespace scope.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-kms-kmip-test
• GitHub Check: run-cli-tests
• GitHub Check: run-azure-vault-test
• GitHub Check: run-kms-dev-test
• GitHub Check: run-admission-test
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-core-config-map-tests
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-hac-test
• GitHub Check: golangci-lint
• GitHub Check: run-operator-tests

🔇 Additional comments (3)

pkg/nb/types.go (1)

414-415: LGTM! Clean API response structure extension.

The new Id and ARN fields follow Go naming conventions and are properly tagged for JSON serialization.

pkg/noobaaaccount/noobaaaccount.go (1)

486-486: LGTM! Properly includes ARN in status output.

The condition correctly extends the filtered keys to include ARN alongside AWS credentials for display.

pkg/noobaaaccount/reconciler.go (1)

385-402: Verify ARN availability in ReadAccountAPI response.

The concern raised about whether the AccountInfo struct (used by ReadAccountAPI) includes an ARN field requires verification against the actual API contract. The code at lines 385-402 accesses accountInfo.ARN unconditionally after both CreateAccountAPI and ReadAccountAPI paths, so clarification is needed on whether:

1. The NooBaa API returns ARN in both create and read account responses
2. The AccountInfo struct definition includes the ARN field
3. Error handling is appropriate if ARN is unavailable from ReadAccountAPI

Please confirm the struct definition and API behavior to ensure consistent handling of the ARN field across both code paths.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/nb/types.go (1)

414-415: LGTM! New fields support ARN propagation.

The addition of Id and ARN fields correctly extends CreateAccountReply to include account identifiers returned by the API.

Minor: Consider renaming Id to ID to follow Go naming conventions for initialisms, unless the lowercase form is required to match the exact API response format.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 98a35e6 and 88ce48f.

📒 Files selected for processing (4)

• pkg/nb/types.go (1 hunks)
• pkg/noobaaaccount/noobaaaccount.go (1 hunks)
• pkg/noobaaaccount/reconciler.go (2 hunks)
• pkg/obc/provisioner.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/noobaaaccount/noobaaaccount.go
• pkg/noobaaaccount/reconciler.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-core-config-map-tests
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-admission-test
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-operator-tests
• GitHub Check: golangci-lint
• GitHub Check: run-kms-dev-test
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-cli-tests
• GitHub Check: run-azure-vault-test
• GitHub Check: run-hac-test
• GitHub Check: run-kms-tls-sa-test

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/nb/types.go (1)

412-418: CreateAccountReply additions look correct; consider idiomatic ID naming

The added Id and ARN fields with json:"id" / json:"arn" tags look consistent with the intended API and are backward compatible with older responses. From a Go style perspective, acronyms are usually all caps (e.g., ID rather than Id), and this file already follows that pattern elsewhere (AzureTenantID, AzureClientID, etc.). If you’re okay touching this now, renaming to ID would make the API more idiomatic, while keeping the JSON tag as json:"id" to avoid breaking the wire format:

-type CreateAccountReply struct {
-	Id         string         `json:"id"`
-	ARN        string         `json:"arn"`
-	Token      string         `json:"token"`
-	AccessKeys []S3AccessKeys `json:"access_keys"`
-}
+type CreateAccountReply struct {
+	ID         string         `json:"id"`
+	ARN        string         `json:"arn"`
+	Token      string         `json:"token"`
+	AccessKeys []S3AccessKeys `json:"access_keys"`
+}

If there are many existing references expecting Id, treating this as a follow‑up cleanup is also acceptable.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2672bb4 and a9b3486.

📒 Files selected for processing (4)

• pkg/nb/types.go (1 hunks)
• pkg/noobaaaccount/noobaaaccount.go (1 hunks)
• pkg/noobaaaccount/reconciler.go (2 hunks)
• pkg/obc/provisioner.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/noobaaaccount/noobaaaccount.go
• pkg/noobaaaccount/reconciler.go
• pkg/obc/provisioner.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-admission-test
• GitHub Check: golangci-lint
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-operator-tests
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-hac-test
• GitHub Check: run-cli-tests
• GitHub Check: run-core-config-map-tests
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-azure-vault-test
• GitHub Check: run-kms-dev-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-kms-tls-token-test

[shirady]

Will we see in the CLI the printed ARN of the OBC?
If not, perhaps you can add one.

[naveenpaul1]

We are not listing any OBC accounts and couldnt get details with status command

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f1863a7 and d7ad849.

📒 Files selected for processing (4)

• pkg/nb/types.go (1 hunks)
• pkg/noobaaaccount/noobaaaccount.go (1 hunks)
• pkg/noobaaaccount/reconciler.go (2 hunks)
• pkg/obc/provisioner.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/noobaaaccount/noobaaaccount.go
• pkg/obc/provisioner.go
• pkg/noobaaaccount/reconciler.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-cli-tests
• GitHub Check: golangci-lint
• GitHub Check: run-hac-test
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-operator-tests
• GitHub Check: run-admission-test
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-azure-vault-test
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-core-config-map-tests
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-kms-dev-test