From b6c36b38e26a143320aff352c6f0d0fb80929c82 Mon Sep 17 00:00:00 2001 From: dishankj-max Date: Thu, 8 Jan 2026 16:13:57 +0530 Subject: [PATCH 1/3] Fix(BREV-2357): CloudCredId in nebius cloud --- v1/providers/nebius/instance.go | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/v1/providers/nebius/instance.go b/v1/providers/nebius/instance.go index 6593313..3465ee6 100644 --- a/v1/providers/nebius/instance.go +++ b/v1/providers/nebius/instance.go @@ -133,6 +133,7 @@ func (c *NebiusClient) CreateInstance(ctx context.Context, attrs v1.CreateInstan createReq.Metadata.Labels["created-by"] = "brev-cloud-sdk" createReq.Metadata.Labels["brev-user"] = attrs.RefID createReq.Metadata.Labels["environment-id"] = attrs.RefID + createReq.Metadata.Labels["cloud-cred-ref-id"] = c.refID // Store creator's cloud credential ID for authorization // Track associated resources for cleanup createReq.Metadata.Labels["network-id"] = networkID createReq.Metadata.Labels["subnet-id"] = subnetID @@ -276,13 +277,25 @@ func (c *NebiusClient) convertNebiusInstanceToV1(ctx context.Context, instance * // Extract labels from metadata var tags map[string]string var refID string + var cloudCredRefID string var instanceTypeID string if instance.Metadata != nil && len(instance.Metadata.Labels) > 0 { tags = instance.Metadata.Labels refID = instance.Metadata.Labels["brev-user"] // Extract from labels if available + cloudCredRefID = instance.Metadata.Labels["cloud-cred-ref-id"] // Extract creator's cloud credential ID instanceTypeID = instance.Metadata.Labels["instance-type-id"] // Full instance type ID (dot format) } + // Backward compatibility: if cloudCredRefID is not in labels (instances created before this fix), + // fall back to using the current client's refID. This maintains existing behavior for old instances + // but is less secure - those instances won't have proper authorization checks. + if cloudCredRefID == "" { + cloudCredRefID = c.refID + c.logger.Warn(ctx, "instance missing cloud-cred-ref-id label, using current client refID.", + v1.LogField("instanceID", instance.Metadata.Id), + v1.LogField("instanceName", instance.Metadata.Name)) + } + // If instance type ID is not in labels (older instances), reconstruct it from platform + preset // This is a fallback for backwards compatibility if instanceTypeID == "" && instance.Spec.Resources != nil { @@ -336,7 +349,7 @@ func (c *NebiusClient) convertNebiusInstanceToV1(ctx context.Context, instance * inst := &v1.Instance{ RefID: refID, - CloudCredRefID: c.refID, + CloudCredRefID: cloudCredRefID, // Use creator's cloud credential ID from labels, not current client's ID Name: instance.Metadata.Name, CloudID: instanceID, Location: location, From 64bac8f9a2d638696da68ec548c7c0c59f1eccca Mon Sep 17 00:00:00 2001 From: dishankj-max Date: Thu, 8 Jan 2026 19:17:39 +0530 Subject: [PATCH 2/3] Fix checkstyle --- v1/providers/nebius/instance.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v1/providers/nebius/instance.go b/v1/providers/nebius/instance.go index 3465ee6..a04cdea 100644 --- a/v1/providers/nebius/instance.go +++ b/v1/providers/nebius/instance.go @@ -281,7 +281,7 @@ func (c *NebiusClient) convertNebiusInstanceToV1(ctx context.Context, instance * var instanceTypeID string if instance.Metadata != nil && len(instance.Metadata.Labels) > 0 { tags = instance.Metadata.Labels - refID = instance.Metadata.Labels["brev-user"] // Extract from labels if available + refID = instance.Metadata.Labels["brev-user"] // Extract from labels if available cloudCredRefID = instance.Metadata.Labels["cloud-cred-ref-id"] // Extract creator's cloud credential ID instanceTypeID = instance.Metadata.Labels["instance-type-id"] // Full instance type ID (dot format) } From 1a1875591dcf2a517f6b4c0b910e7057c3058ba4 Mon Sep 17 00:00:00 2001 From: dishankj-max Date: Thu, 8 Jan 2026 19:23:31 +0530 Subject: [PATCH 3/3] Fix gofumpt formatting for nebius instance.go --- v1/providers/nebius/instance.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/v1/providers/nebius/instance.go b/v1/providers/nebius/instance.go index a04cdea..2275c5a 100644 --- a/v1/providers/nebius/instance.go +++ b/v1/providers/nebius/instance.go @@ -281,9 +281,9 @@ func (c *NebiusClient) convertNebiusInstanceToV1(ctx context.Context, instance * var instanceTypeID string if instance.Metadata != nil && len(instance.Metadata.Labels) > 0 { tags = instance.Metadata.Labels - refID = instance.Metadata.Labels["brev-user"] // Extract from labels if available + refID = instance.Metadata.Labels["brev-user"] // Extract from labels if available cloudCredRefID = instance.Metadata.Labels["cloud-cred-ref-id"] // Extract creator's cloud credential ID - instanceTypeID = instance.Metadata.Labels["instance-type-id"] // Full instance type ID (dot format) + instanceTypeID = instance.Metadata.Labels["instance-type-id"] // Full instance type ID (dot format) } // Backward compatibility: if cloudCredRefID is not in labels (instances created before this fix),