Overview
The Credentials service allows you to regenerate and manage access credentials for both S3-compatible and SFTP storage:
- S3 Credentials: Access key and secret key pairs for S3 API authentication
- SFTP Credentials: Passwords and SSH keys for SFTP authentication
Regenerating credentials will invalidate existing credentials. Update all applications using the old credentials before regenerating.
Regenerating S3 Credentials
Generate new S3 access and secret keys:
import (
"context"
"github.com/G-Core/gcore-go"
"github.com/G-Core/gcore-go/packages/param"
"github.com/G-Core/gcore-go/storage"
)
client := gcore.NewClient()
params := storage.CredentialRecreateParams{
GenerateS3Keys: param.NewOpt(true),
}
updatedStorage, err := client.Storage.Credentials.Recreate(
context.Background(),
storageID,
params,
)
if err != nil {
// Handle error
}
fmt.Printf("New Access Key: %s\n", updatedStorage.Credentials.S3.AccessKey)
fmt.Printf("New Secret Key: %s\n", updatedStorage.Credentials.S3.SecretKey)
Parameters
ID of the S3-compatible storage instance
Set to true to generate new S3 access and secret keys
Response
Returns a Storage object with the new credentials populated:
credentials.s3.access_key
New S3-compatible access key identifier
credentials.s3.secret_key
New S3-compatible secret key (store securely)
Managing SFTP Passwords
Generating a New SFTP Password
Automatically generate a secure random password:
params := storage.CredentialRecreateParams{
GenerateSftpPassword: param.NewOpt(true),
}
updatedStorage, err := client.Storage.Credentials.Recreate(
context.Background(),
sftpStorageID,
params,
)
if err != nil {
// Handle error
}
fmt.Printf("New SFTP Password: %s\n", updatedStorage.Credentials.SftpPassword)
Setting a Custom SFTP Password
Provide your own password:
params := storage.CredentialRecreateParams{
SftpPassword: param.NewOpt("MySecurePassword123!"),
}
updatedStorage, err := client.Storage.Credentials.Recreate(
context.Background(),
sftpStorageID,
params,
)
if err != nil {
// Handle error
}
fmt.Printf("Set SFTP Password: %s\n", updatedStorage.Credentials.SftpPassword)
Removing SFTP Password
Disable password authentication (SSH key authentication only):
params := storage.CredentialRecreateParams{
DeleteSftpPassword: param.NewOpt(true),
}
updatedStorage, err := client.Storage.Credentials.Recreate(
context.Background(),
sftpStorageID,
params,
)
if err != nil {
// Handle error
}
fmt.Println("SFTP password authentication disabled")
After removing the SFTP password, only SSH key-based authentication will be available.
Managing SSH Keys
Resetting SSH Keys
Remove all SSH key associations from SFTP storage:
params := storage.CredentialRecreateParams{
ResetSftpKeys: param.NewOpt(true),
}
updatedStorage, err := client.Storage.Credentials.Recreate(
context.Background(),
sftpStorageID,
params,
)
if err != nil {
// Handle error
}
fmt.Println("All SSH keys removed from storage")
Viewing Associated SSH Keys
Check which SSH keys are currently linked to SFTP storage:
storageDetails, err := client.Storage.Get(
context.Background(),
sftpStorageID,
)
if err != nil {
// Handle error
}
if len(storageDetails.Credentials.Keys) > 0 {
fmt.Printf("Associated SSH Keys (%d):\n", len(storageDetails.Credentials.Keys))
for _, key := range storageDetails.Credentials.Keys {
fmt.Printf(" - ID: %d, Name: %s, Created: %s\n",
key.ID, key.Name, key.CreatedAt)
}
} else {
fmt.Println("No SSH keys associated")
}
Credential Parameters
The CredentialRecreateParams supports the following options:
Generate new S3 access and secret keys (for S3-compatible storage)
Generate a new random SFTP password (for SFTP storage)
Set a custom SFTP password (for SFTP storage)
Remove SFTP password authentication (for SFTP storage)
Remove all SSH key associations (for SFTP storage)
Complete Example
Here’s a comprehensive example demonstrating credential management:
package main
import (
"context"
"fmt"
"log"
"github.com/G-Core/gcore-go"
"github.com/G-Core/gcore-go/packages/param"
"github.com/G-Core/gcore-go/storage"
)
func main() {
client := gcore.NewClient()
ctx := context.Background()
// Regenerate S3 credentials
s3StorageID := int64(12345)
updatedS3, err := client.Storage.Credentials.Recreate(
ctx,
s3StorageID,
storage.CredentialRecreateParams{
GenerateS3Keys: param.NewOpt(true),
},
)
if err != nil {
log.Fatalf("Failed to regenerate S3 credentials: %v", err)
}
fmt.Println("New S3 Credentials:")
fmt.Printf(" Access Key: %s\n", updatedS3.Credentials.S3.AccessKey)
fmt.Printf(" Secret Key: %s\n", updatedS3.Credentials.S3.SecretKey)
// Manage SFTP credentials
sftpStorageID := int64(67890)
// Generate new password
updatedSFTP, err := client.Storage.Credentials.Recreate(
ctx,
sftpStorageID,
storage.CredentialRecreateParams{
GenerateSftpPassword: param.NewOpt(true),
},
)
if err != nil {
log.Fatalf("Failed to regenerate SFTP password: %v", err)
}
fmt.Println("\nNew SFTP Credentials:")
fmt.Printf(" Password: %s\n", updatedSFTP.Credentials.SftpPassword)
// Set custom password
updatedSFTP, err = client.Storage.Credentials.Recreate(
ctx,
sftpStorageID,
storage.CredentialRecreateParams{
SftpPassword: param.NewOpt("MyCustomPassword456!"),
},
)
if err != nil {
log.Fatalf("Failed to set custom password: %v", err)
}
fmt.Println("\nSet Custom SFTP Password:")
fmt.Printf(" Password: %s\n", updatedSFTP.Credentials.SftpPassword)
// Disable password authentication
_, err = client.Storage.Credentials.Recreate(
ctx,
sftpStorageID,
storage.CredentialRecreateParams{
DeleteSftpPassword: param.NewOpt(true),
},
)
if err != nil {
log.Fatalf("Failed to remove SFTP password: %v", err)
}
fmt.Println("\nSFTP password authentication disabled")
// Re-enable with new password
updatedSFTP, err = client.Storage.Credentials.Recreate(
ctx,
sftpStorageID,
storage.CredentialRecreateParams{
GenerateSftpPassword: param.NewOpt(true),
},
)
if err != nil {
log.Fatalf("Failed to re-enable password: %v", err)
}
fmt.Println("\nPassword Authentication Re-enabled:")
fmt.Printf(" New Password: %s\n", updatedSFTP.Credentials.SftpPassword)
}
Security Best Practices
- Store Securely: Never commit credentials to version control or logs
- Rotate Regularly: Regenerate credentials periodically for security
- Use Environment Variables: Store credentials in environment variables
- Limit Exposure: Only share credentials with authorized applications
- Monitor Usage: Track credential usage and regenerate if compromised
- Prefer SSH Keys: For SFTP, SSH keys are more secure than passwords
Credential Storage Example
import (
"os"
"fmt"
)
// Store credentials in environment variables
func storeCredentials(accessKey, secretKey string) {
os.Setenv("GCORE_S3_ACCESS_KEY", accessKey)
os.Setenv("GCORE_S3_SECRET_KEY", secretKey)
}
// Retrieve credentials from environment
func getCredentials() (string, string) {
accessKey := os.Getenv("GCORE_S3_ACCESS_KEY")
secretKey := os.Getenv("GCORE_S3_SECRET_KEY")
return accessKey, secretKey
}
Error Handling
Always handle errors when regenerating credentials:
updatedStorage, err := client.Storage.Credentials.Recreate(
context.Background(),
storageID,
params,
)
if err != nil {
// Check for specific error types
if strings.Contains(err.Error(), "not found") {
log.Printf("Storage %d not found", storageID)
} else if strings.Contains(err.Error(), "permission") {
log.Printf("Insufficient permissions")
} else {
log.Printf("Failed to regenerate credentials: %v", err)
}
return
}
// Use new credentials
fmt.Printf("Credentials regenerated successfully\n")
Notes
- Credentials are only returned in the API response when created or regenerated
- The
Get method will not return sensitive credential values
- Old credentials become invalid immediately after regeneration
- Update all clients before regenerating production credentials
See Also
