
ci: Move away from client-secret in favor of service connections #4341

Open
ellismg opened this issue Sep 18, 2024 · 1 comment

ellismg commented Sep 18, 2024

Historically we used a client id and client secret pair to authenticate (for both azd itself and other tools it calls, like terraform) in CI. This worked, but the downside of it is that there was a long-lived secret (the client secret) that we had to protect and update.

To mitigate this, our central engineering team is trying to adopt service connections for all our CI jobs. This means that we need to move away from our client-secret based authentication and towards something that uses service connections. For azd itself, it means teaching it how to use something like AzurePipelinesCredential and then updating our jobs to use it.

I'm not sure what the exact answer is for terraform yet. For places we use az we already have an answer via the AzureCLI@2 task which works with service connections.

Since our builds are presently on the floor due to an expired client secret (which we don't want to renew) we'll do this in two parts:

  1. Move away from client-secret by delegating auth where we can to the az CLI (via the auth.useAzCliAuth config flag we have) and disabling whatever tests we can't make work quickly with this. This gets our builds green again.

  2. Do the work to teach azd how to natively authenticate using a service connection (and figure out how to configure any other tools like terraform to work in this world) and re-enable any tests disabled as part of (1).
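As an added illustration of part (1), not taken from the issue or the azure-dev repo: a pair of Azure Pipelines steps showing the client-secret login beside the service-connection form that delegates token acquisition to az through the AzureCLI@2 task. The service connection name and the variable names are assumptions.

```yaml
# Added example; not from the azure-dev repo. The service connection name
# ("azd-ci-connection") and the secret variable names are assumptions.

# BEFORE: a long-lived client secret held as a pipeline secret variable.
# Whoever can read the variable holds a credential that keeps working after
# the job ends and has to be rotated by hand (the expired-secret outage in
# the issue is the rotation cost showing up).
- script: |
    azd auth login \
      --client-id "$(AZD_CLIENT_ID)" \
      --client-secret "$(AZD_CLIENT_SECRET)" \
      --tenant-id "$(AZD_TENANT_ID)"
    azd up --no-prompt
  displayName: "azd login with client secret (old)"

# AFTER (part 1 of the issue): the AzureCLI@2 task logs `az` in through the
# service connection, and azd is told to reuse the az CLI credential. No
# secret is stored in the pipeline; the task obtains short-lived tokens that
# are scoped to this job.
- task: AzureCLI@2
  displayName: "azd via az CLI credential (service connection)"
  inputs:
    azureSubscription: "azd-ci-connection"   # service connection; assumed name
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # With auth.useAzCliAuth set, azd delegates token acquisition to `az`,
      # so the task having logged `az` in is all the auth azd needs.
      azd config set auth.useAzCliAuth true
      azd up --no-prompt
```

Tests that call Azure directly with the client secret (rather than through azd or az) get no credential from this setup, which is why the issue disables them until part (2) lands.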

@ellismg ellismg added this to the Sep 2024 milestone Sep 18, 2024
@ellismg ellismg self-assigned this Sep 18, 2024
ellismg added a commit to ellismg/azure-dev that referenced this issue Sep 18, 2024
Move away from a long lived client secret for auth during CI testing
in favor of federated credentials via a service connection.

(To unblock the builds I am seeing how far we can get with our old
trick of delegating stuff to `az` before we teach `azd` how to use
`AzurePipelinesCredential`.)

Contributes To Azure#4341
ellismg added a commit to ellismg/azure-dev that referenced this issue Sep 18, 2024
This change teaches `azd` how to login using a service connection for
an OIDC like experience when running in Azure Pipelines using service
connections and then updates our pipelines to use this authentication
strategy.

Contributes To Azure#4341
ellismg commented Sep 18, 2024

For terraform, I thought that I could be clever and build an ARM_OIDC_REQUEST_URL as outlined in https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_oidc#configuring-terraform-to-use-oidc and have that just work for OIDC auth based on what AzurePipelinesCredential does, but it did not seem to. I got this error:

cli.go:235: 14.306s [stderr] │ Error: building account: could not acquire access token to parse claims: githubAssertion: received HTTP status 405 with response: {"count":1,"value":{"Message":"The requested resource does not support http method 'GET'."}}

Could be I screwed something up with the URL building however, so I need to dig in more.

ellismg added a commit that referenced this issue Sep 18, 2024
Move away from a long lived client secret for auth during CI testing
in favor of federated credentials via a service connection.

(To unblock the builds I am seeing how far we can get with our old
trick of delegating stuff to `az` before we teach `azd` how to use
`AzurePipelinesCredential`.)

Contributes To #4341