Federated credentials (microsoft#1094)

If the AppSourceContext doesn't contain a clientSecret, then we assume that federated credentials have been assigned and are available, so we will try to get an ID_TOKEN and use clientAssertion instead Same with other Auth Context's - if they contain a clientId and no clientSecret, we will use clientAssertion instead. Azure_Credentials also supports app registrations or managed identities with federated credentials if it contains a clientId without a clientSecret Here are the supported formats for the various auth contexts: ## STORAGECONTEXT (for deliver to storage) **Managed Identity/Federated credential** `{"storageAccountName":"storageaccountname","clientId":"08b6d80c-68cf-48f9-a5ff-b054326e2ec3","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}` **App Registration/Federated credential** `{"storageAccountName":"storageaccountname","clientId":"a26651f5-0e90-473c-b4f9-e96119aac8b8","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}` **App Registration/Client Secret** `{"storageAccountName":"storageaccountname","clientId":"a26651f5-0e90-473c-b4f9-e96119aac8b8","clientSecret":"OPXxxxxxxxxxxxxxxxxxxxxxxabge","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}` **storageAccountName/sastoken** `{"storageAccountName":"storageaccountname","sastoken":"sv=2022-11-02&ss=b&srt=sco&sp=rwdlaciytf&se=2024-08-06T20:22:08Z&st=2024-04-06T12:22:08Z&spr=https&sig=IZyIf5xxxxxxxxxxxxxxb5I%3D","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}` **storageAccountName/storageAccountKey** `{"storageAccountName":"storageaccountname","storageAccountKey":"JHFZErCyxxxxxxxxxxxxxxxxXQ==","containerName":"{project}","blobName":"{version}/{project}-{type}.zip"}` ## AZURE_CREDENTIALS (connection to Azure for secrets and signing) **Access Configuration = Azure role-based access control** ``` Access Control: Action Role Read secrets Key Vault Secrets User Sign Apps Key Vault Crypto User + Key Vault Certificate User ``` **Access Configuration = Vault Access Policy** ``` Action Permissions: Read secrets Secret permissions: Get, List Sign apps Cryptographic Operations: Sign + Certificate permissions: Get ``` **Managed Identity/Federated credential** `{"keyVaultName":"BuildVariables","clientId":"55ce849b-c99d-484c-8999-df9f8df958bd","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47"}` **App Registration/Federated credential** `{"keyVaultName":"BuildVariables","clientId":"a26651f5-0e90-473c-b4f9-e96119aac8b8","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47"}` **App Registration/Client Secret** `{"keyVaultName":"BuildVariables","clientId":"a26651f5-0e90-473c-b4f9-e96119aac8b8","clientSecret":"OPXxxxxxxxxxxxxxxxxxxxxxxabge","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47"}` ## APPSOURCECONTEXT (for deliver to AppSource) **Managed identity not possible - as this is not an Azure resource** **App Registration/Federated credential** `{"clientId":"a26651f5-0e90-473c-b4f9-e96119aac8b8","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","Scopes":"https://api.partner.microsoft.com/.default"}` **App Registration/Client Secret** `{"clientId":"a26651f5-0e90-473c-b4f9-e96119aac8b8","clientSecret":"OPXxxxxxxxxxxxxxxxxxxxxxxabge","tenantId":"72f988bf-86f1-41af-91ab-2d7cd011db47","Scopes":"https://api.partner.microsoft.com/.default"}` ## AUTHCONTEXT (for deploy to Business Central) **Managed identity not possible - as this is not an Azure resource** **Impersonation/RefreshToken** `{"TenantID":"69cb4a05-4ea8-482d-9f33-10fb5cf7db05","Scopes":"https://api.businesscentral.dynamics.com/","RefreshToken":"0.AUUAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_s6Eo4YOI","ClientID":"1950a258-227b-4e31-a9cf-717495945fc2"}` **App Registration/Federated credential** `{"TenantID":"69cb4a05-4ea8-482d-9f33-10fb5cf7db05","Scopes":"https://api.businesscentral.dynamics.com/","ClientID":"a26651f5-0e90-473c-b4f9-e96119aac8b8"}` **App Registration/Client Secret** `{"TenantID":"69cb4a05-4ea8-482d-9f33-10fb5cf7db05","Scopes":"https://api.businesscentral.dynamics.com/","ClientID":"a26651f5-0e90-473c-b4f9-e96119aac8b8","ClientSecret":"OPXxxxxxxxxxxxxxxxxxxxxxxabge"}` TODOs - [x] Add documentation in codesigning.md (rbac) - [x] Add documentation for appSourceContext federated credentials - [x] Add documentation for other auth contexts - [x] Add aka.ms/algosecrets#secretname - [x] Add End 2 End test testing all these auth methods This PR also switches to always use the Az PowerShell module (instead of the deprecated AzureRM PowerShell module installed on GitHub Hosted Windows runners) Fixes microsoft#947 --------- Co-authored-by: freddydk <[email protected]> Co-authored-by: Maria Zhelezova <[email protected]> Co-authored-by: Alexander Holstrup <[email protected]>
mazhelez · Jun 25, 2024 · 9aa6e6f · 9aa6e6f
1 parent 7a66ed6
commit 9aa6e6f
Show file tree

Hide file tree

Showing 54 changed files with 669 additions and 251 deletions.
diff --git a/.github/workflows/E2E.yaml b/.github/workflows/E2E.yaml
@@ -182,7 +182,7 @@ jobs:
           Write-Host "scenarios=$scenariosJson"
 
   Scenario:
-    runs-on: [ ubuntu-latest ]
+    runs-on: [ windows-latest ]
     needs: [ Check, SetupRepositories, Analyze ]
     if: github.event.inputs.runScenarios == 'true'
     strategy: ${{ fromJson(needs.Analyze.outputs.scenarios) }}

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -6,7 +6,7 @@ repos:
     rev: 0.7.17
     hooks:
       - id: mdformat
-        args: [--end-of-line=crlf]
+        args: [--end-of-line=keep]
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.5.0

diff --git a/Actions/AL-Go-Helper.ps1 b/Actions/AL-Go-Helper.ps1
@@ -1269,21 +1269,25 @@ function GetProjectFolders {
     $projectFolders
 }
 
-function installModules {
+function InstallModule {
     Param(
-        [String[]] $modules
+        [String] $name,
+        [System.Version] $minimumVersion = $null
     )
 
-    $modules | ForEach-Object {
-        if (-not (get-installedmodule -Name $_ -ErrorAction SilentlyContinue)) {
-            Write-Host "Installing module $_"
-            Install-Module $_ -Force | Out-Null
-        }
+    if ($null -eq $minimumVersion) {
+        $minimumVersion = [System.Version](GetPackageVersion -packageName $name)
+    }
+    $module = Get-Module -name $name -ListAvailable | Select-Object -First 1
+    if ($module -and $module.Version -ge $minimumVersion) {
+        Write-Host "Module $name is available in version $($module.Version)"
     }
-    $modules | ForEach-Object {
-        Write-Host "Importing module $_"
-        Import-Module $_ -DisableNameChecking -WarningAction SilentlyContinue | Out-Null
+    else {
+        Write-Host "Installing module $name (minimum version $minimumVersion)"
+        Install-Module -Name $name -MinimumVersion "$minimumVersion" -Force | Out-Null
     }
+    Write-Host "Importing module $name (minimum version $minimumVersion)"
+    Import-Module -Name $name -MinimumVersion $minimumVersion -DisableNameChecking -WarningAction SilentlyContinue | Out-Null
 }
 
 function CloneIntoNewFolder {
@@ -1329,7 +1333,7 @@ function CommitFromNewFolder {
     Param(
         [string] $serverUrl,
         [string] $commitMessage,
-        [string] $body = '',
+        [string] $body = $commitMessage,
         [string] $branch
     )
 
@@ -1664,7 +1668,7 @@ function CreateDevEnv {
 
             if (($settings.keyVaultName) -and -not ($bcAuthContext)) {
                 Write-Host "Reading Key Vault $($settings.keyVaultName)"
-                installModules -modules @('Az.KeyVault')
+                InstallAzModuleIfNeeded -name 'Az.KeyVault'
 
                 if ($kind -eq "local") {
                     $LicenseFileSecret = Get-AzKeyVaultSecret -VaultName $settings.keyVaultName -Name $settings.licenseFileUrlSecretName
@@ -2357,14 +2361,80 @@ function GetProjectsFromRepository {
     return @(GetMatchingProjects -projects $projects -selectProjects $selectProjects)
 }
 
-function Get-PackageVersion($PackageName) {
+function GetPackageVersion($packageName) {
     $alGoPackages = Get-Content -Path "$PSScriptRoot\Packages.json" | ConvertFrom-Json
 
     # Check if the package is in the list of packages
-    if ($alGoPackages.PSobject.Properties.name -match $PackageName) {
-        return $alGoPackages.$PackageName
+    if ($alGoPackages.PSobject.Properties.name -eq $PackageName) {
+        return $alGoPackages."$PackageName"
     }
     else {
         throw "Package $PackageName is not in the list of packages"
     }
 }
+
+function InstallAzModuleIfNeeded {
+    Param(
+        [string] $name,
+        [System.version] $minimumVersion = $null
+    )
+
+    if ($null -eq $minimumVersion) {
+        $minimumVersion = [System.Version](GetPackageVersion -packageName $name)
+    }
+    $azModule = Get-Module -Name $name
+    if ($azModule -and $azModule.Version -ge $minimumVersion) {
+        # Already installed
+        return
+    }
+    # GitHub hosted Linux runners have AZ PowerShell module saved in /usr/share/powershell/Modules/Az.*
+    if ($isWindows) {
+        # GitHub hosted Windows Runners have AzureRm PowerShell modules installed (deprecated)
+        # GitHub hosted Windows Runners have AZ PowerShell module saved in C:\Modules\az_*
+        # Remove AzureRm modules from PSModulePath and add AZ modules
+        if (Test-Path 'C:\Modules\az_*') {
+            $azModulesPath = Get-ChildItem 'C:\Modules\az_*' | Where-Object { $_.PSIsContainer }
+            if ($azModulesPath) {
+              Write-Host "Adding AZ module path: $($azModulesPath.FullName)"
+              $ENV:PSModulePath = "$($azModulesPath.FullName);$(("$ENV:PSModulePath".Split(';') | Where-Object { $_ -notlike 'C:\\Modules\Azure*' }) -join ';')"
+            }
+        }
+    }
+    InstallModule -name $name -minimumVersion $minimumVersion
+}
+
+function ConnectAz {
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'GitHub Secrets come in as plain text')]
+    param(
+        [PsCustomObject] $azureCredentials
+    )
+    try {
+        Clear-AzContext -Scope Process
+        Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
+        if ($azureCredentials.PSObject.Properties.Name -eq 'ClientSecret' -and $azureCredentials.ClientSecret) {
+            Write-Host "Connecting to Azure using clientId and clientSecret."
+            $credential = New-Object pscredential -ArgumentList $azureCredentials.ClientId, (ConvertTo-SecureString -string $azureCredentials.ClientSecret -AsPlainText -Force)
+            Connect-AzAccount -ServicePrincipal -Tenant $azureCredentials.TenantId -Credential $credential -WarningAction SilentlyContinue | Out-Null
+        }
+        else {
+            try {
+                Write-Host "Query federated token"
+                $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
+            }
+            catch {
+                throw "Unable to get federated token, maybe id_token: write permissions are missing. Error was $($_.Exception.Message)"
+            }
+            Write-Host "Connecting to Azure using clientId and federated token."
+            Connect-AzAccount -ApplicationId $azureCredentials.ClientId -Tenant $azureCredentials.TenantId -FederatedToken $result.value -WarningAction SilentlyContinue | Out-Null
+        }
+        if ($azureCredentials.PSObject.Properties.Name -eq 'SubscriptionId' -and $azureCredentials.SubscriptionId) {
+            Write-Host "Selecting subscription $($azureCredentials.SubscriptionId)"
+            Set-AzContext -SubscriptionId $azureCredentials.SubscriptionId -Tenant $azureCredentials.TenantId -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Out-Null
+        }
+        $script:keyvaultConnectionExists = $true
+        Write-Host "Successfully connected to Azure"
+    }
+    catch {
+        throw "Error trying to authenticate to Azure. Error was $($_.Exception.Message)"
+    }
+}
diff --git a/Actions/Deliver/Deliver.ps1 b/Actions/Deliver/Deliver.ps1
@@ -20,31 +20,49 @@
     [bool] $goLive
 )
 
-$telemetryScope = $null
-
-function EnsureAzStorageModule() {
-    if (get-command New-AzStorageContext -ErrorAction SilentlyContinue) {
-        Write-Host "Using Az.Storage PowerShell module"
+function ConnectAzStorageAccount {
+    Param(
+        [PSCustomObject] $storageAccountCredentials
+    )
+
+    $azStorageContext = $null
+    if ($storageAccountCredentials.PSObject.Properties.Name -eq 'sastoken') {
+        try {
+            Write-Host "Creating AzStorageContext based on StorageAccountName and sastoken"
+            $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -SasToken $storageAccountCredentials.sastoken
+        }
+        catch {
+            throw "Unable to create AzStorageContext based on StorageAccountName and sastoken. Error was: $($_.Exception.Message)"
+        }
     }
-    else {
-        $azureStorageModule = Get-Module -name 'Azure.Storage' -ListAvailable | Select-Object -First 1
-        if ($azureStorageModule) {
-            Write-Host "Azure.Storage Module is available in version $($azureStorageModule.Version)"
-            Write-Host "Using Azure.Storage version $($azureStorageModule.Version)"
-            Import-Module  'Azure.Storage' -DisableNameChecking -WarningAction SilentlyContinue | Out-Null
-            Set-Alias -Name New-AzStorageContext -Value New-AzureStorageContext -Scope Script
-            Set-Alias -Name Get-AzStorageContainer -Value Get-AzureStorageContainer -Scope Script
-            Set-Alias -Name New-AzStorageContainer -Value New-AzureStorageContainer -Scope Script
-            Set-Alias -Name Set-AzStorageBlobContent -Value Set-AzureStorageBlobContent -Scope Script
+    elseif ($storageAccountCredentials.PSObject.Properties.Name -eq 'StorageAccountKey') {
+        try {
+            Write-Host "Creating AzStorageContext based on StorageAccountName and StorageAccountKey"
+            $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -StorageAccountKey $storageAccountCredentials.StorageAccountKey
         }
-        else {
-            Write-Host "Installing and importing Az.Storage."
-            Install-Module 'Az.Storage' -Force
-            Import-Module  'Az.Storage' -DisableNameChecking -WarningAction SilentlyContinue | Out-Null
+        catch {
+            throw "Unable to create AzStorageContext based on StorageAccountName and StorageAccountKey. Error was: $($_.Exception.Message)"
         }
     }
+    elseif (($storageAccountCredentials.PSObject.Properties.Name -eq 'clientID') -and ($storageAccountCredentials.PSObject.Properties.Name -eq 'tenantID')) {
+        try {
+            InstallAzModuleIfNeeded -name 'Az.Accounts'
+            ConnectAz -azureCredentials $storageAccountCredentials
+            Write-Host "Creating AzStorageContext based on StorageAccountName and managed identity/app registration"
+            $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -UseConnectedAccount
+        }
+        catch {
+            throw "Unable to create AzStorageContext based on StorageAccountName and managed identity. Error was: $($_.Exception.Message)"
+        }
+    }
+    else {
+        throw "Insufficient information in StorageContext secret. See https://aka.ms/algosettings#storagecontext for details"
+    }
+    return $azStorageContext
 }
 
+$telemetryScope = $null
+
 try {
     . (Join-Path -Path $PSScriptRoot -ChildPath "../AL-Go-Helper.ps1" -Resolve)
     DownloadAndImportBcContainerHelper
@@ -315,35 +333,17 @@ try {
             Push-BcNuGetPackage -nuGetServerUrl $nuGetServerUrl -nuGetToken $nuGetToken -bcNuGetPackage $package
         }
         elseif ($deliveryTarget -eq "Storage") {
-            EnsureAzStorageModule
+            InstallAzModuleIfNeeded -name 'Az.Storage'
             try {
-                $storageAccount = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secrets.storageContext)) | ConvertFrom-Json | ConvertTo-HashTable
-                # Check that containerName and blobName are present
-                $storageAccount.containerName | Out-Null
-                $storageAccount.blobName | Out-Null
+                $storageAccountCredentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secrets.storageContext)) | ConvertFrom-Json
+                $storageAccountCredentials.StorageAccountName | Out-Null
+                $storageContainerName =  $storageAccountCredentials.ContainerName.ToLowerInvariant().replace('{project}',$projectName).replace('{branch}',$refname).ToLowerInvariant()
+                $storageBlobName = $storageAccountCredentials.BlobName.ToLowerInvariant()
             }
             catch {
-                throw "StorageContext secret is malformed. Needs to be formatted as Json, containing StorageAccountName, containerName, blobName and sastoken or storageAccountKey.`nError was: $($_.Exception.Message)"
-            }
-            if ($storageAccount.Keys -contains 'sastoken') {
-                try {
-                    $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -SasToken $storageAccount.sastoken
-                }
-                catch {
-                    throw "Unable to create AzStorageContext based on StorageAccountName and sastoken.`nError was: $($_.Exception.Message)"
-                }
+                throw "StorageContext secret is malformed. Needs to be formatted as Json, containing StorageAccountName, containerName, blobName.`nError was: $($_.Exception.Message)"
             }
-            else {
-                try {
-                    $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageAccount.StorageAccountKey
-                }
-                catch {
-                    throw "Unable to create AzStorageContext based on StorageAccountName and StorageAccountKey.`nError was: $($_.Exception.Message)"
-                }
-            }
-
-            $storageContainerName =  $storageAccount.ContainerName.ToLowerInvariant().replace('{project}',$projectName).replace('{branch}',$refname).ToLowerInvariant()
-            $storageBlobName = $storageAccount.BlobName.ToLowerInvariant()
+            $azStorageContext = ConnectAzStorageAccount -storageAccountCredentials $storageAccountCredentials
             Write-Host "Storage Container Name is $storageContainerName"
             Write-Host "Storage Blob Name is $storageBlobName"
 
@@ -360,7 +360,7 @@ try {
                 New-AzStorageContainer -Context $azStorageContext -Name $storageContainerName | Out-Null
             }
 
-            Write-Host "Delivering to $storageContainerName in $($storageAccount.StorageAccountName)"
+            Write-Host "Delivering to $storageContainerName in $($storageAccountCredentials.StorageAccountName)"
             $atypes.Split(',') | ForEach-Object {
                 $atype = $_
                 Write-Host "Looking for: $project-$refname-$atype-*.*.*.*"
@@ -415,7 +415,8 @@ try {
             # if type is Release, we only get here with the projects that needs to be delivered to AppSource
             # if type is CD, we get here for all projects, but should only deliver to AppSource if AppSourceContinuousDelivery is set to true
             if ($type -eq 'Release' -or $projectSettings.deliverToAppSource.continuousDelivery) {
-                EnsureAzStorageModule
+                # AppSource submission requires the Az.Storage module
+                InstallAzModuleIfNeeded -name 'Az.Storage'
                 $appSourceContext = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secrets.appSourceContext)) | ConvertFrom-Json | ConvertTo-HashTable
                 if (!$appSourceContext) {
                     throw "appSourceContext secret is missing"

diff --git a/Actions/Deploy/Deploy.ps1 b/Actions/Deploy/Deploy.ps1
@@ -20,16 +20,6 @@ $deploymentSettings = $deploymentEnvironments."$environmentName"
 $envName = $environmentName.Split(' ')[0]
 $secrets = $env:Secrets | ConvertFrom-Json
 
-# Check obsolete secrets
-"$($envName)-EnvironmentName","$($envName)_EnvironmentName","EnvironmentName" | ForEach-Object {
-    if ($secrets."$_") {
-        throw "The secret $_ is obsolete and should be replaced by using the EnvironmentName property in the DeployTo$envName setting in .github/AL-Go-Settings.json instead"
-    }
-}
-if ($secrets.Projects) {
-    throw "The secret Projects is obsolete and should be replaced by using the Projects property in the DeployTo$envName setting in .github/AL-Go-Settings.json instead"
-}
-
 $authContext = $null
 foreach($secretName in "$($envName)-AuthContext","$($envName)_AuthContext","AuthContext") {
     if ($secrets."$secretName") {
@@ -110,7 +100,7 @@ else {
 
     try {
         $sandboxEnvironment = ($response.environmentType -eq 1)
-        if ($sandboxEnvironment -and !($bcAuthContext.ClientSecret)) {
+        if ($sandboxEnvironment -and !($bcAuthContext.ClientSecret -or $bcAuthContext.ClientAssertion)) {
             # Sandbox and not S2S -> use dev endpoint (Publish-BcContainerApp)
             $parameters = @{
                 "bcAuthContext" = $bcAuthContext

diff --git a/Actions/DetermineDeliveryTargets/DetermineDeliveryTargets.ps1 b/Actions/DetermineDeliveryTargets/DetermineDeliveryTargets.ps1
@@ -8,7 +8,7 @@
 function IncludeBranch([string] $deliveryTarget) {
     $settingsName = "DeliverTo$deliveryTarget"
     if ($settings.Contains($settingsName) -and $settings."$settingsName".Contains('Branches')) {
-        Write-Host "- Branches defined: $($settings."$settingsName".Branches -join ', ') - "
+        Write-Host "- Branches defined: $($settings."$settingsName".Branches -join ', ')"
         return ($null -ne ($settings."$settingsName".Branches | Where-Object { $ENV:GITHUB_REF_NAME -like $_ }))
     }
     else {
@@ -18,7 +18,7 @@ function IncludeBranch([string] $deliveryTarget) {
 }
 
 function IncludeDeliveryTarget([string] $deliveryTarget) {
-    Write-Host "DeliveryTarget $_ - "
+    Write-Host "DeliveryTarget $_"
     # DeliveryTarget Context Secret needs to be specified for a delivery target to be included
     $contextName = "$($_)Context"
     $secrets = $env:Secrets | ConvertFrom-Json
@@ -38,7 +38,7 @@ if ($settings.type -eq "AppSource App") {
     ($projectsJson | ConvertFrom-Json) | ForEach-Object {
         $projectSettings = ReadSettings -project $_
         if ($projectSettings.deliverToAppSource.ContinuousDelivery -or ($projectSettings.Contains('AppSourceContinuousDelivery') -and $projectSettings.AppSourceContinuousDelivery)) {
-            Write-Host "Project $_ is setup for Continuous Delivery"
+            Write-Host "Project $_ is setup for Continuous Delivery to AppSource"
             $deliveryTargets += @("AppSource")
         }
     }

diff --git a/Actions/Packages.json b/Actions/Packages.json
@@ -1,3 +1,6 @@
 {
-    "sign": "0.9.1-beta.24123.2"
+    "sign": "0.9.1-beta.24123.2",
+    "Az.Accounts": "2.15.1",
+    "Az.Storage": "6.1.1",
+    "Az.KeyVault": "5.2.0"
 }
diff --git a/Actions/ReadSecrets/ReadSecrets.ps1 b/Actions/ReadSecrets/ReadSecrets.ps1
@@ -100,6 +100,17 @@ try {
                             MaskValue -key "$($secretName).$($keyName)" -value "$($json."$keyName")"
                         }
                     }
+                    if ($json.ContainsKey('clientID') -and !($json.ContainsKey('clientSecret') -or $json.ContainsKey('refreshToken'))) {
+                        try {
+                            Write-Host "Query federated token"
+                            $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
+                            $json += @{ "clientAssertion" = $result.value }
+                            $secretValue = $json | ConvertTo-Json -Compress
+                        }
+                        catch {
+                            throw "$SecretName doesn't contain any ClientSecret and AL-Go is unable to acquire an ID_TOKEN. Error was $($_.Exception.Message)"
+                        }
+                    }
                 }
                 $base64value = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($secretValue))
                 $outSecrets += @{ "$secretsProperty" = $base64value }