ci: Move away from client-secret in favor of service connections #4341
Move away from a long-lived client secret for auth during CI testing in favor of federated credentials via a service connection. (To unblock the builds I am seeing how far we can get with our old trick of delegating stuff to `az` before we teach `azd` how to use `AzurePipelinesCredential`.) Contributes To Azure#4341
This change teaches `azd` how to log in using a service connection for an OIDC-like experience when running in Azure Pipelines using service connections and then updates our pipelines to use this authentication strategy. Contributes To Azure#4341
For terraform, I thought that I could be clever and build a
Could be I screwed something up with the URL building however, so I need to dig in more.
Historically we used a client id and client secret pair to authenticate (for both `azd` itself and other tools it calls, like `terraform`) in CI. This worked, but the downside of it is that there was a long-lived secret (the client secret) that we had to protect and update.

To mitigate this, our central engineering team is trying to adopt service connections for all our CI jobs. This means that we need to move away from our client-secret based authentication and towards something that uses service connections. For `azd` itself, it means teaching it how to use something like `AzurePipelinesCredential` and then updating our jobs to use it.

I'm not sure what the exact answer is for terraform yet. For places we use `az` we already have an answer via the `AzureCLI@2` task which works with service connections.

Since our builds are presently on the floor due to an expired client secret (which we don't want to renew) we'll do this in two parts:

1. Move away from client-secret by delegating auth where we can to the `az` CLI via the (`auth.useAzCliAuth` config flag we have) and disabling whatever tests we can't make work quickly with this. This gets our builds green again.
2. Do the work to teach `azd` how to natively authenticate using a service connection (and figure out how to configure any other tools like `terraform` to work in this world) and re-enable any tests disabled as part of (1).
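
Part 1 of the plan above, sketched as Azure Pipelines steps. This is an added example, not taken from the azd repository; the service connection name, the variable names and the `azd provision` command are placeholders.

```yaml
steps:
  # BEFORE (the pattern being retired): a long-lived client secret stored as a
  # secret pipeline variable. It has to be protected and rotated, and every
  # job fails once it expires.
  - bash: |
      set -euo pipefail
      azd auth login \
        --client-id "$AZD_CLIENT_ID" \
        --client-secret "$AZD_CLIENT_SECRET" \
        --tenant-id "$AZD_TENANT_ID"
      azd provision --no-prompt
    displayName: "azd with client secret (before)"
    env:
      # Secret variables are not exposed to scripts unless mapped explicitly.
      AZD_CLIENT_ID: $(ExampleClientId)          # placeholder variable
      AZD_CLIENT_SECRET: $(ExampleClientSecret)  # placeholder variable
      AZD_TENANT_ID: $(ExampleTenantId)          # placeholder variable

  # AFTER: no stored secret. AzureCLI@2 signs `az` in through the service
  # connection, and azd is told to reuse that az CLI session.
  - task: AzureCLI@2
    displayName: "azd via service connection (after)"
    inputs:
      azureSubscription: "example-service-connection"  # placeholder name
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        # Delegate azd's authentication to the az CLI login set up by the task.
        azd config set auth.useAzCliAuth true
        # The az session only lasts for this task, so azd runs inside it.
        azd provision --no-prompt
```

Tools that do not go through `az` or `azd`, such as `terraform`, are not covered by this step; the issue leaves that question open.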