IBM
diff --git a/‎Authentication.md
Lines changed: 127 additions & 5 deletions b/‎Authentication.md
Lines changed: 127 additions & 5 deletions
diff --git a/‎src/main/java/com/ibm/cloud/sdk/core/security/Authenticator.java
Lines changed: 4 additions & 0 deletions b/‎src/main/java/com/ibm/cloud/sdk/core/security/Authenticator.java
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/main/java/com/ibm/cloud/sdk/core/security/AuthenticatorBase.java
Lines changed: 1 addition & 0 deletions b/‎src/main/java/com/ibm/cloud/sdk/core/security/AuthenticatorBase.java
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/main/java/com/ibm/cloud/sdk/core/security/ConfigBasedAuthenticatorFactory.java
Lines changed: 10 additions & 3 deletions b/‎src/main/java/com/ibm/cloud/sdk/core/security/ConfigBasedAuthenticatorFactory.java
Lines changed: 10 additions & 3 deletions
@@ -1,9 +1,10 @@
 # Authentication
 The java-sdk-core project supports the following types of authentication:
 - Basic Authentication
-- Bearer Token 
-- Identity and Access Management (IAM)
-- Cloud Pak for Data
+- Bearer Token Authentication
+- Identity and Access Management (IAM) Authentication
+- Container Authentication
+- Cloud Pak for Data Authentication
 - No Authentication
 
 The SDK user configures the appropriate type of authentication for use with service instances.  
@@ -23,15 +24,20 @@ configuration information.  The configuration examples below will use
 environment variables, although the same properties could be specified in a
 credentials file instead.
 
+
 ## Basic Authentication
 The `BasicAuthenticator` is used to add Basic Authentication information to
 each outbound request in the `Authorization` header in the form:
 ```
    Authorization: Basic <encoded username and password>
 ```
+
 ### Properties
+
 - username: (required) the basic auth username
+
 - password: (required) the basic auth password
+
 ### Programming example
 ```java
 import com.ibm.cloud.sdk.core.security.BasicAuthenticator;
@@ -48,6 +54,7 @@ ExampleService service = new ExampleService(authenticator);
 
 // 'service' can now be used to invoke operations.
 ```
+
 ### Configuration example
 External configuration:
 ```
@@ -69,14 +76,18 @@ ExampleService service = new ExampleService(authenticator);
 // 'service' can now be used to invoke operations.
 ```
 
+
 ## Bearer Token Authentication
 The `BearerTokenAuthenticator` will add a user-supplied bearer token to
 each outbound request in the `Authorization` header in the form:
 ```
     Authorization: Bearer <bearer-token>
 ```
+
 ### Properties
+
 - bearerToken: (required) the bearer token value
+
 ### Programming example
 ```java
 import com.ibm.cloud.sdk.core.security.BearerTokenAuthenticator;
@@ -96,6 +107,7 @@ ExampleService service = new ExampleService(authenticator);
 newToken = // ... obtain new bearer token value
 authenticator.setBearerToken(newToken);
 ```
+
 ### Configuration example
 External configuration:
 ```
@@ -120,13 +132,15 @@ ExampleService service = new ExampleService(authenticator);
 newToken = // ... obtain new bearer token value
 ((BearerTokenAuthenticator) authenticator).setBearerToken(newToken);
 ```
+
 Note that the use of external configuration is not as useful with the `BearerTokenAuthenticator` as it
 is for other authenticator types because bearer tokens typically need to be obtained and refreshed
 programmatically since they normally have a relatively short lifespan before they expire.  This
 authenticator type is intended for situations in which the application will be managing the bearer 
 token itself in terms of initial acquisition and refreshing as needed.
 
-## Identity and Access Management Authentication (IAM)
+
+## Identity and Access Management (IAM) Authentication
 The `IamAuthenticator` will accept a user-supplied api key and will perform
 the necessary interactions with the IAM token service to obtain a suitable
 bearer token for the specified api key.  The authenticator will also obtain 
@@ -136,18 +150,25 @@ form:
 ```
    Authorization: Bearer <bearer-token>
 ```
+
 ### Properties
+
 - apikey: (required) the IAM api key
+
 - url: (optional) The URL representing the IAM token service endpoint.  If not specified, a suitable
 default value is used.
+
 - clientId/clientSecret: (optional) The `clientId` and `clientSecret` fields are used to form a 
 "basic auth" Authorization header for interactions with the IAM token server. If neither field 
 is specified, then no Authorization header will be sent with token server requests.  These fields 
 are optional, but must be specified together.
+
 - disableSSLVerification: (optional) A flag that indicates whether verificaton of the server's SSL 
 certificate should be disabled or not. The default value is `false`.
+
 - headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests
 made to the IAM token service.
+
 ### Programming example
 ```java
 import com.ibm.cloud.sdk.core.security.IamAuthenticator;
@@ -163,6 +184,7 @@ ExampleService service = new ExampleService(authenticator);
 
 // 'service' can now be used to invoke operations.
 ```
+
 ### Configuration example
 External configuration:
 ```
@@ -183,7 +205,99 @@ ExampleService service = new ExampleService(authenticator);
 // 'service' can now be used to invoke operations.
 ```
 
-##  Cloud Pak for Data
+
+## Container Authentication
+The `ContainerAuthenticator` is intended to be used by application code
+running inside a compute resource managed by the IBM Kubernetes Service (IKS)
+in which a secure compute resource token (CR token) has been stored in a file
+within the compute resource's local file system.
+The CR token is similar to an IAM apikey except that it is managed automatically by
+the compute resource provider (IKS).
+This allows the application developer to:
+- avoid storing credentials in application code, configuraton files or a password vault
+- avoid managing or rotating credentials
+
+The `ContainerAuthenticator` will retrieve the CR token from
+the compute resource in which the application is running, and will then perform
+the necessary interactions with the IAM token service to obtain an IAM access token
+using the IAM "get token" operation with grant-type `cr-token`.
+The authenticator will repeat these steps to obtain a new IAM access token when the
+current access token expires.
+The IAM access token is added to each outbound request in the `Authorization` header in the form:
+```
+   Authorization: Bearer <IAM-access-token>
+```
+
+### Properties
+
+- crTokenFilename: (optional) the name of the file containing the injected CR token value.
+If not specified, then `/var/run/secrets/tokens/vault-token` is used as the default value.
+The application must have `read` permissions on the file containing the CR token value.
+
+- iamProfileName: (optional) the name of the linked trusted IAM profile to be used when obtaining the
+IAM access token (a CR token might map to multiple IAM profiles).
+One of `iamProfileName` or `iamProfileID` must be specified.
+
+- iamProfileID: (optional) the id of the linked trusted IAM profile to be used when obtaining the
+IAM access token (a CR token might map to multiple IAM profiles).
+One of `iamProfileName` or `iamProfileID` must be specified.
+
+- url: (optional) The base endpoint URL of the IAM token service.
+The default value of this property is the "prod" IAM token service endpoint
+(`https://iam.cloud.ibm.com`).
+
+- clientId/clientSecret: (optional) The `clientId` and `clientSecret` fields are used to form a 
+"basic auth" Authorization header for interactions with the IAM token service. If neither field 
+is specified, then no Authorization header will be sent with token server requests.  These fields 
+are optional, but must be specified together.
+
+- scope: (optional) the scope to be associated with the IAM access token.
+If not specified, then no scope will be associated with the access token.
+
+- disableSSLVerification: (optional) A flag that indicates whether verificaton of the server's SSL 
+certificate should be disabled or not. The default value is `false`.
+
+- headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests
+made to the IAM token service.
+
+### Programming example
+```java
+import com.ibm.cloud.sdk.core.security.ContainerAuthenticator;
+import <sdk_base_package>.ExampleService.v1.ExampleService;
+...
+// Create the authenticator.
+ContainerAuthenticator authenticator = new ContainerAuthenticator.Builder()
+    .iamProfileName("iam-user123")
+    .build();
+
+// Create the service instance.
+ExampleService service = new ExampleService(authenticator);
+
+// 'service' can now be used to invoke operations.
+```
+
+### Configuration example
+External configuration:
+```
+export EXAMPLE_SERVICE_AUTH_TYPE=container
+export EXAMPLE_SERVICE_IAM_PROFILE_NAME=iam-user123
+```
+Application code:
+```java
+import com.ibm.cloud.sdk.core.security.ConfigBaseAuthenticatorFactory;
+import <sdk_base_package>.ExampleService.v1.ExampleService;
+...
+// Create the authenticator.
+Authenticator authenticator = ConfigBasedAuthenticatorFactory.getAuthenticator("example_service");
+
+// Create the service instance.
+ExampleService service = new ExampleService(authenticator);
+
+// 'service' can now be used to invoke operations.
+```
+
+
+##  Cloud Pak for Data Authentication
 The `CloudPakForDataAuthenticator` will accept user-supplied values for the username and either a password or apikey, and will 
 perform the necessary interactions with the Cloud Pak for Data token service to obtain a suitable
 bearer token.  The authenticator will also obtain a new bearer token when the current token expires.
@@ -192,15 +306,23 @@ form:
 ```
    Authorization: Bearer <bearer-token>
 ```
+
 ### Properties
+
 - username: (required) the username used to obtain a bearer token.
+
 - password: (required if apikey is not specified) the password used to obtain a bearer token.
+
 - apikey: (required if password is not specified) the apikey used to obtain a bearer token.
+
 - url: (required) The base URL associated with the Cloud Pak for Data token service.
+
 - disableSSLVerification: (optional) A flag that indicates whether verificaton of the server's SSL 
 certificate should be disabled or not. The default value is `false`.
+
 - headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests
 made to the IAM token service.
+
 ### Programming example
 ```java
 import com.ibm.cloud.sdk.core.security.CloudPakForDataAuthenticator;
 
@@ -29,6 +29,7 @@ public interface Authenticator {
   String AUTHTYPE_CP4D = "cp4d";
   String AUTHTYPE_CP4D_SERVICE = "cp4dService";
   String AUTHTYPE_BEARER_TOKEN = "bearerToken";
+  String AUTHTYPE_CONTAINER = "container";
 
   /**
    * Constants which define the names of external config propreties (credential file, environment variable, etc.).
@@ -48,6 +49,9 @@ public interface Authenticator {
   String PROPNAME_PERMISSIONS = "PERMISSIONS";
   String PROPNAME_EXPIRATION_TIME = "EXPIRATION_TIME";
   String PROPNAME_SERVICE_BROKER_SECRET = "SERVICE_BROKER_SECRET";
+  String PROPNAME_CR_TOKEN_FILENAME = "CR_TOKEN_FILENAME";
+  String PROPNAME_IAM_PROFILE_ID = "IAM_PROFILE_ID";
+  String PROPNAME_IAM_PROFILE_NAME = "IAM_PROFILE_NAME";
 
   /**
    * Validates the current set of configuration information in the Authenticator.
 
@@ -30,6 +30,7 @@ public class AuthenticatorBase {
       "The %s property is invalid. Please remove any surrounding {, }, or \" characters.";
   public static final String ERRORMSG_REQ_FAILED = "Error while fetching access token from token service: ";
   public static final String ERRORMSG_EXCLUSIVE_PROP_ERROR = "Exactly one of %s or %s must be specified.";
+  public static final String ERRORMSG_ATLEAST_ONE_PROP_ERROR = "At least one of %s or %s must be specified.";
   public static final String ERRORMSG_PROP_INVALID_INTEGER_VALUE =
           "The %s property must be a valid integer but was %s.";
   /**
 
@@ -61,10 +61,15 @@ public static Authenticator getAuthenticator(String serviceName) {
   private static Authenticator createAuthenticator(Map<String, String> props) {
     Authenticator authenticator = null;
 
-    // If auth type was not specified, we'll use "iam" as the default.
+    // If auth type was not specified, we'll use "iam" as the default if the "apikey" property
+    // is present, otherwise we'll use "container" as the default.
     String authType = props.get(Authenticator.PROPNAME_AUTH_TYPE);
     if (StringUtils.isEmpty(authType)) {
-      authType = Authenticator.AUTHTYPE_IAM;
+      if (props.get(Authenticator.PROPNAME_APIKEY) != null || props.get("IAM_APIKEY") != null) {
+        authType = Authenticator.AUTHTYPE_IAM;
+      } else {
+        authType = Authenticator.AUTHTYPE_CONTAINER;
+      }
     }
 
     // Create the appropriate authenticator based on the auth type.
@@ -76,8 +81,10 @@ private static Authenticator createAuthenticator(Map<String, String> props) {
       authenticator = CloudPakForDataAuthenticator.fromConfiguration(props);
     } else if (authType.equalsIgnoreCase(Authenticator.AUTHTYPE_CP4D_SERVICE)) {
       authenticator = CloudPakForDataServiceAuthenticator.fromConfiguration(props);
-    }  else if (authType.equalsIgnoreCase(Authenticator.AUTHTYPE_IAM)) {
+    } else if (authType.equalsIgnoreCase(Authenticator.AUTHTYPE_IAM)) {
       authenticator = IamAuthenticator.fromConfiguration(props);
+    } else if (authType.equalsIgnoreCase(Authenticator.AUTHTYPE_CONTAINER)) {
+      authenticator = ContainerAuthenticator.fromConfiguration(props);
     } else if (authType.equalsIgnoreCase(Authenticator.AUTHTYPE_NOAUTH)) {
       authenticator = new NoAuthAuthenticator(props);
     } else {