Skip to content

fix: skip Authorization header for list-zones#14

Draft
natalie-o-perret wants to merge 2 commits intomainfrom
fix/list-zones-no-iam-check
Draft

fix: skip Authorization header for list-zones#14
natalie-o-perret wants to merge 2 commits intomainfrom
fix/list-zones-no-iam-check

Conversation

@natalie-o-perret
Copy link
Copy Markdown

@natalie-o-perret natalie-o-perret commented Apr 28, 2026
edited
Loading

/zone is public but the server enforces IAM on authenticated requests, so a DBaaS-only key gets 403 for no reason.

x-skip-auth: true is added to the list-zones operation in the spec. The api.mustache template wraps the signing block in a {{^vendorExtensions.x-skip-auth}} guard, so the generated listZonesRequestBuilder sends no Authorization header.

The update workflow injects the extension after fetching the upstream spec, so the guard survives future automated spec updates.

Snippet used to verify:

import com.exoscale.sdk.api.ExoscaleApi;
import com.exoscale.sdk.client.ApiClient;
import com.exoscale.sdk.client.Credentials;
import com.exoscale.sdk.model.ListZones200Response;
import com.exoscale.sdk.model.Zone;

Credentials creds = new Credentials(key, secret);
ApiClient apiClient = new ApiClient(creds);
apiClient.updateBaseUri("https://api-ch-gva-2.exoscale.com/v2");

ExoscaleApi api = new ExoscaleApi(apiClient);
ListZones200Response resp = api.listZones();
System.out.printf("ok: %d zones%n", resp.getZones().size());
for (Zone z : resp.getZones()) {
    System.out.printf("  - %s%n", z.getName());
}

Before (main, DBaaS-only key):

error 403: {"message":"Invalid request signature"}

After (this branch, same key):

ok: 8 zones
  - ch-gva-2
  - ch-dk-2
  - at-vie-1
  - de-fra-1
  - bg-sof-1
  - de-muc-1
  - at-vie-2
  - hr-zag-1

Related: exoscale/egoscale#767, exoscale/python-exoscale#90

Note

AI-assisted.

@natalie-o-perret
fix: skip Authorization header for list-zones
03253f7 
The /zone endpoint enforces IAM policies on authenticated requests,
causing 403 for restricted keys (e.g. DBaaS-only) even though it
returns public data.

Add x-skip-auth to the list-zones operation in the spec. The
api.mustache template wraps the signing block in a
{{^vendorExtensions.x-skip-auth}} guard, so the generated
listZonesRequestBuilder omits the Authorization header.

The update workflow injects the extension after fetching the spec so
the guard survives future automated spec updates.

pom.xml now reads the local api/openapi.yaml instead of fetching the
spec at build time, consistent with the workflow change.

Same fix applied to the Go SDK: exoscale/egoscale#767
Same fix applied to the Python SDK: exoscale/python-exoscale#90
@natalie-o-perret natalie-o-perret mentioned this pull request Apr 28, 2026
Draft
@natalie-o-perret natalie-o-perret mentioned this pull request Apr 28, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@natalie-o-perret