-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLI: simplify Azure authentication #724
Comments
I think we should also make the "old" And when we add |
I think we should also add |
We discussed this a bit offline and for now decided to go with using While an issue exists with |
Does this mean we can still authenticate using a shared secret (holding the azure.client.secret) by placing them into the runner environment variables instead of using the now obsolete arguments? We recently noticed the obsolete warning and, upon looking into ManagedIdentityCredentials, it appears this requires us to define which repositories have access to it in Azure itself. Reference. We currently have a GitHub organization with workflows, an Azure devops environment and a legacy Gerrit/Jenkins setup. We heavily rely on platform-independent tooling and encrypted shared secrets across all three CI/CD platforms, as configuring security for each new repository individually is not feasible (there's a few thousand). We have reusable pipelines on all three platforms that include the sign tool prerelease among other tooling. Therefore, I am hoping we can continue using the different platform secret vaults with Azure application client secrets, and so on. I'll continue doing more research to see how to adapt, but wanted to already check-in here. |
We are using the
|
This thread generated some ideas on how we can improve the CLI user experience for Azure authentication, which is currently used by Azure Key Vault signing. In the near future, it will also be used by Trusted Signing signing.
Background
Sign CLI's Azure Key Vault signing exposes 4 authentication-specific options. The original intent was to support 2 authentication strategies:
Problem statement
Managed identity support is provided through Azure SDK for .NET's
DefaultAzureCredential
class. This class actually supports 10 authentication strategies, which are tried in a fixed order until one succeeds. In most cases, this may work like magic. However, there are several problems with this solution.--azure-key-vault-managed-identity
doesn't actually guarantee we'll use the managed identity authentication strategy. Authentication can fail becauseDefaultAzureCredential
succeeded in obtaining a token with an earlier (unwanted) authentication strategy. This really happens.--azure-key-vault-managed-identity
option, set a bunch ofExcludeXXXCredential
options for all the options before Azure CLI authentication strategy, but that's a hacky, terrible user experience.Proposed solution
First, deprecate the 4 authentication-specific options. Continue to honor the options but output a warning that users should migrate to the new solution, which is one of the following options:
DefaultAzureCredential
behavior.-act
,--azure-credential-type
) and specify the specific authentication strategy you want.At some time in the future, remove the 4 authentication-specific options. By default, Azure Key Vault signing will require no Azure authentication options. It will support all authentication strategies provided by
DefaultAzureCredential
in the order that class provides.For users who want to use a specific authentication strategy, a new option (
-act
,--azure-credential-type
) will enable that. Note that this list of accepted values represents only a subset of strategies provided byDefaultAzureCredential
on the principal that we'd add others when needed.environment
managed-identity
CC @clairernovotny, @joelverhagen, @dlemstra
The text was updated successfully, but these errors were encountered: