Advanced Programmatic Provisioning
This appendix provides further context around the programmatic bootstrapping of the initial administrator account on a fresh Posit Connect instance.
More specifically, this appendix supports users who are utilizing custom client tooling instead of using the Json Web Token (JWT) request implementation provided by rsconnect-python
. The rsconnect-python
implementation is the recommended approach for most use cases and is described in the core programmatic provisioning section of the admin guide.
Rationale
Under typical operation, many of the provisioning endpoints in Posit Connect require user authentication. Posit Connect assumes that most of the provisioning work will be performed by an admin-scoped user account with a provisioned API key.
This creates a circular dependency on a fresh Posit Connect installation with no users. There are no user accounts, and therefore, there are no user-associated API keys that can provide access to relevant provisioning endpoints.
To break this circular dependency, Posit Connect provides a bootstrapping endpoint that accepts a JSON Web Token (JWT) for authorization. This endpoint produces the first admin-scoped API key for use in subsequent provisioning steps.
Integration with rsconnect-python
Because we have no admin-scoped API keys on a fresh Connect instance, Posit Connect authorizes the request from rsconnect-python
with a JWT. The JWT produced by rsconnect-python
is signed with a base64-encoded secret key and is scoped to request access to Posit Connect’s bootstrapping endpoint.
Posit Connect is configured with knowledge of the same base64-encoded secret key that was used by rsconnect-python
to sign the JWT. This allows Connect to verify that the token was signed using the expected secret key and not modified during transit.
If the JWT passes signature verification, contains the correct information, and has not expired, Connect will grant access to the bootstrapping endpoint, which creates an initial administrator account and provisions an affiliated API key. This API key is returned in the server response and is available client-side for use in subsequent provisioning requests.
Security Practices
The secret key used by the JWT signature/verification algorithm must be base64-encoded. rsconnect-python
requires that the base64-decoded key must be at least 32 bytes in length. Best practices also recommend that the secret key be generated using a cryptographically secure source of randomness, and that key length should be a function of the the signing algorithm.
For more details on best practices / standards regarding the keys used in HS256 signatures / verification, see:
RFC 7518 Section 3.2 for the HS256 minimum key length (256 bits/32 bytes).
RFC 4868 Section 2.1.2-2.6 for a description of the HMAC-SHA-256+ algorithms. RFC 4868 Section 2.1.3 specifically notes the importance of strong pseudo-randomness.
Custom Clients
The following section provides the implementation details needed for any custom client-side tooling meant to replace rsconnect-python
.
An example cURL
request which would replace rsconnect-python
might look like:
curl -H "Authorization: Connect-Bootstrap <YOUR.JWT.HERE>" \
-X POST http://connect:3939/__api__/v1/bootstrap
JWT Schema
Posit Connect Expects the JWT to be signed using the HS256 algorithm. Therefore, the expected JWT header is:
{
"alg": "HS256",
"typ": "JWT",
}
The expected JWT payload is:
{
"iss": "rsconnect-python",
"aud": "rsconnect",
"scope": "bootstrap",
"iat": <now>,
"exp": <some-future-time>
}
Additional information on the JWT standard is provided at jwt.io.
Request Schema
The bootstrap endpoint is located at POST /__api__/v1/bootstrap
. The endpoint expects the JWT to be provided in the Authorization
header under the Connect-Bootstrap
schema.