
Is it possible to use artifacts-keyring with a Service Principal? #60

Open
NathanielMcVicar opened this issue May 26, 2023 · 11 comments
Labels
question Further information is requested

Comments

@NathanielMcVicar

I'm trying to publish wheels to a DevOps Artifact feed from a GitHub action with twine. I have a Service Principal with access, based on the steps in https://github.com/MicrosoftDocs/azure-devops-docs/issues/8141#issuecomment-1548825563, but in the past we've always used PATs with artifacts-keyring (typically through VSS_NUGET_EXTERNAL_FEED_ENDPOINTS). You can't create a PAT for a Service Principal, so I'm trying to determine if there is any alternative available. Thanks!

@John-Donalson

I'm trying this too. I also use VSS extensions endpoints. So far that thread doesn't work on my end even with the SP setup; Azure Artifacts does not even accept the command.

so at this point we are still using a PAT

@jmyersmsft
Member

We don't have specific support for SP/MI in artifacts-keyring (or artifacts-credprovider, which it uses behind the scenes) at this time, but if you can get an AAD access token (e.g. from az account get-access-token), that should work as the password with an arbitrary username, in the same way a PAT would.

@John-Donalson

> We don't have specific support for SP/MI in artifacts-keyring (or artifacts-credprovider which it uses behind the scenes) at this time, but if you can get an AAD access token (e.g. from az account get-access-token), that should work as the password with an arbitrary username, in the same way a PAT would

so theoretically something like this?
```yaml
- name: Azure Login
  uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Get AAD Access Token
  id: get_aad_token
  run: |
    # Note: the ::set-output workflow command has since been deprecated by GitHub
    # in favour of writing "token=..." to $GITHUB_OUTPUT; it still works with a warning.
    echo "::set-output name=token::$(az account get-access-token --query accessToken -o tsv)"

- name: Setup .NET
  uses: actions/setup-dotnet@v1
  with:
    dotnet-version: 3.1

- name: Config NuGet to use Azure Artifacts
  env:
    TOKEN: ${{ steps.get_aad_token.outputs.token }}
  run: |
    # --store-password-in-clear-text writes the token into the NuGet config file on the runner
    dotnet nuget add source https://pkgs.dev.azure.com/<YourOrganization>/<YourProject>/_packaging/<YourFeed>/nuget/v3/index.json -n azure -u azuresdk -p $TOKEN --store-password-in-clear-text

- name: Restore dependencies
  run: dotnet restore
```

@jmyersmsft
Member

I'm not really familiar with GH Actions, but that looks like it should work. You might consider setting up the environment variables to use with artifacts-credprovider rather than using dotnet nuget add source. Doing so would avoid persisting the token on disk, and some systems log command lines.

@JohnSchmeichel JohnSchmeichel added the question Further information is requested label Jun 1, 2023
@NathanielMcVicar
Author

This worked great, I really appreciate the advice! However, I wonder whether there is any plan to set up some way to use OIDC or SPs directly with artifacts-credprovider, so we don't have to generate an intermediate bearer token? This seems like it would be a great feature, but I don't know how feasible it would be.

@John-Donalson

This would be great, and seeing as GitHub is part of Microsoft it would be extremely helpful and secure; so we just have to let them know how desired this is… IMO it would be a great feature for those who do not want to migrate legacy artifact feeds…

@Laleee

Laleee commented Jul 28, 2023

Hello @jmyersmsft,

Do you have any plans to support the SPA?

We want to run deployments from our on-premises machines, and this is causing a lot more issues than we could imagine.

@embetten
Contributor

As @jmyersmsft mentioned, the keyring runs the artifacts-credprovider behind the scenes. There is an issue on that repo tracking this enhancement here.

@novablinkicelance

All right. I suffered enough through this that I thought to post my solution here in case anybody in the future struggles like I did. For context, I'm using Azure ML Pipelines and authenticating to Azure DevOps using a managed identity. The assumption is that you can authenticate with the managed identity using the az login --identity --username $DEFAULT_IDENTITY_CLIENT_ID command. Here's how you can get a package using pip (adding previous steps in case you need them):

```bash
echo "Creating and activating Python virtual environment"
# This is not required but a good practice
python -m venv my-env
source my-env/bin/activate
# You can use Azure CLI
echo "Installing Azure CLI"
curl -sL https://aka.ms/InstallAzureCLIDeb | bash
echo "Logging in to Azure CLI"
az login --identity --username $DEFAULT_IDENTITY_CLIENT_ID
echo "Getting token"
TOKEN=$(az account get-access-token --query accessToken -o tsv)
echo "Install packages"
pip install <package> --index-url "https://$TOKEN@<Organization>.pkgs.visualstudio.com/<Project>/_packaging/<Feed>/pypi/simple/"
```

This is how you can install Python packages from Azure Artifacts until artifacts-keyring supports non-interactive authentication with managed identities. Your managed identity will need Reader permissions on Azure DevOps.

Thanks @John-Donalson! Your solution helped me get mine.

@jmyersmsft
Member

Thanks for sharing that, @novablinkicelance! I would make two minor suggestions:

  • Add a username (exact value doesn't matter) to the URL so that the token is the password. Systems are more likely to log usernames from Basic auth than passwords and as written, the token is the username. E.g.: https://token:$TOKEN@<org>.pkgs.... To be clear, Azure Artifacts does not log the username, but software or devices on your machine or network theoretically might.
  • Use the PIP_INDEX_URL environment variable instead of the --index-url command line parameter. Some systems log process command lines.
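The following script puts both of the suggestions above into practice, and also covers the earlier advice in this thread to feed the token to artifacts-credprovider through its environment variable rather than `dotnet nuget add source`. It is an added example, not code from the thread, from artifacts-keyring or from artifacts-credprovider. The organization, project, feed and token values are constructed placeholders; the JSON layout is the `endpointCredentials` format that artifacts-credprovider reads from VSS_NUGET_EXTERNAL_FEED_ENDPOINTS, and the script assumes the token is a base64url JWT (so it needs no URL or JSON escaping).

```shell
#!/bin/sh
# Added example: keep an Azure Artifacts access token out of process command lines
# and out of files on disk. Assumed placeholders: ORG/PROJECT/FEED name a feed,
# TOKEN is an AAD access token obtained beforehand, e.g.
#   TOKEN=$(az account get-access-token --query accessToken -o tsv)

# Build the pip index URL with a throwaway username ("token") so that the secret
# travels as the Basic-auth password, not as the username that proxies and
# logging software are more likely to record.
build_index_url() {
  org=$1; project=$2; feed=$3; token=$4
  printf 'https://token:%s@%s.pkgs.visualstudio.com/%s/_packaging/%s/pypi/simple/\n' \
    "$token" "$org" "$project" "$feed"
}

# Build the JSON that artifacts-credprovider (and thus artifacts-keyring) reads from
# VSS_NUGET_EXTERNAL_FEED_ENDPOINTS. Passing credentials this way avoids
# `dotnet nuget add source ... -p TOKEN --store-password-in-clear-text`, which puts
# the token on the command line and writes it into NuGet.Config on the runner.
# The endpoint must match the feed URL the client actually requests (here the
# NuGet v3 index used earlier in the thread).
build_feed_endpoints_json() {
  org=$1; project=$2; feed=$3; token=$4
  printf '{"endpointCredentials":[{"endpoint":"https://pkgs.dev.azure.com/%s/%s/_packaging/%s/nuget/v3/index.json","username":"token","password":"%s"}]}\n' \
    "$org" "$project" "$feed" "$token"
}

# Redact the token in anything that is going to be printed (CI logs, debug output).
redact() {
  text=$1; token=$2
  printf '%s\n' "$text" | sed "s|$token|***|g"
}

# Usage: export the values instead of passing them as arguments to pip or dotnet.
# Constructed token value; a real one comes from `az account get-access-token`.
TOKEN='eyJhbGciOiJSUzI1NiJ9.constructed.example'
PIP_INDEX_URL=$(build_index_url myorg myproject myfeed "$TOKEN")
VSS_NUGET_EXTERNAL_FEED_ENDPOINTS=$(build_feed_endpoints_json myorg myproject myfeed "$TOKEN")
export PIP_INDEX_URL VSS_NUGET_EXTERNAL_FEED_ENDPOINTS

# From here, `pip install <package>` and `dotnet restore` read credentials from the
# environment, and their command lines contain no secret. Only the redacted form
# should ever be echoed:
redact "$PIP_INDEX_URL" "$TOKEN"
```

When this runs inside a GitHub Actions step, also emit `echo "::add-mask::$TOKEN"` before using the token so that the runner scrubs it from the job log if anything prints it by accident; and if pip goes through artifacts-keyring rather than PIP_INDEX_URL, the endpoint in the JSON should be the feed's pypi simple URL (the one `build_index_url` builds, without the credentials), since the credprovider matches credentials to the URL being requested.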

@embetten
Contributor

0.4.0 now natively supports MI / SP; set-up instructions can be found on microsoft/artifacts-credprovider#492. Please let me know if you have any feedback or find any issues!
