Is it possible to use artifacts-keyring with a Service Principal? #60
Comments
I'm trying this too. I also use VSS extensions endpoints. So far that thread doesn't work on my end even with the SP setup; Azure Artifacts does not even accept the command. So at this point we are still using a PAT.
We don't have specific support for SP/MI in artifacts-keyring (or artifacts-credprovider which it uses behind the scenes) at this time, but if you can get an AAD access token (e.g. from
so theoretically something like this?
I'm not really familiar with GH Actions, but that looks like it should work. You might consider setting up the environment variables to use with artifacts-credprovider rather than using
This worked great, I really appreciate the advice! However, I wonder is there any plan to set up some way to use OIDC or SPs directly with artifacts-credprovider, so we don't have to generate an intermediate bearer token? This seems like it would be a great feature, but I don't know how feasible it would be.
This would be great, and seeing as GitHub is part of Microsoft it would be extremely helpful and secure; so we just have to let them know how desired this is… IMO it would be a great feature for those who do not want to migrate legacy artifact feeds…
Hello @jmyersmsft, do you have any plans of supporting the SPA? We want to run deployments from our on-premise machines and this is causing a lot more issues than we could imagine.
As @jmyersmsft mentioned, the keyring runs the artifacts-credprovider behind the scenes. There is an issue on that repo tracking this enhancement here.
All right. I suffered enough through this that I thought to post my solution here in case anybody in the future struggles like I did. For context, I'm using Azure ML Pipelines and authenticating to Azure DevOps using a managed identity. The assumption is that you can authenticate with the managed identity using the
This is how you can install Python packages from Azure Artifacts until artifacts-keyring supports non-interactive authentication with managed identities. Your managed identity will need Reader permissions on Azure DevOps. Thanks @John-Donalson! Your solution helped me get mine.
Thanks for sharing that, @novablinkicelance! I would make two minor suggestions:
0.4.0 now natively supports MI / SP; setup instructions can be found on microsoft/artifacts-credprovider#492. Please let me know if you have any feedback or find any issues!
I'm trying to publish wheels to a DevOps Artifact feed from a GitHub action with twine. I have a Service Principal with access, based on the steps in https://github.com/MicrosoftDocs/azure-devops-docs/issues/8141#issuecomment-1548825563, but in the past we've always used PATs with artifacts-keyring (typically through VSS_NUGET_EXTERNAL_FEED_ENDPOINTS). You can't create a PAT for a Service Principal, so I'm trying to determine if there is any alternative available. Thanks!