
Add new AzureCLI authentication options for GenerateResourcesAndImage and Packer templates #10602

Open
wants to merge 27 commits into
base: main

Conversation

feliasson

Description

This PR introduces new authentication options for the GenerateResourcesAndImage.ps1 helper script and the Packer templates for Ubuntu and Windows. By leveraging the optional use_azure_cli_auth value of the Packer azure-arm builder (ref), this PR provides new ways to authenticate while building the runner images.

  • A new switch called UseAzureCliAuth is introduced in the helper script.
    • It relies solely on the credentials you set in the Azure CLI using az login.
    • It skips the SPN registration even if no client id is provided in the AzureClientId parameter.
    • It ignores all other authentication configuration if enabled (see the parameter explanation).
    • It defaults to false in both the helper script and the Packer templates and does not break the existing approach of using SPN authentication.

What advantages does using the new switch give?

  • It is no longer necessary to hold privileged Microsoft Entra roles such as Application Developer or Application Administrator to run the script / build without the AzureClientId and AzureClientSecret inputs:
    Directory permission is needed for the current user to register the application. For how to configure, please refer 
    'https://docs.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: 
    Insufficient privileges to complete the operation.
    
  • It is no longer necessary to preregister a Service Principal with a secret and pass it via the AzureClientId and AzureClientSecret inputs.
  • It removes the need to rotate SPN secrets.
  • It can easily be used with the AzureCLI@2 task for Azure Pipelines.
  • It can easily be used with the GitHub Action for Azure CLI.

Azure Pipeline example using the new UseAzureCliAuth switch

The service connection uses an Azure managed identity with federated credentials.

steps:

  # Using Azure CLI credentials for Packer
  - task: AzureCLI@2
    displayName: Generate ${{ parameters.imageType }} Image
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        git clone https://github.com/feliasson/runner-images.git # Temp add for my fork
        cd ./runner-images
        git checkout UseAzureCliAuth-1 # Temp add for my branch
        cd ./helpers
        Import-Module ./GenerateResourcesAndImage.ps1
        
        GenerateResourcesAndImage `
        -SubscriptionId ${{ parameters.subscriptionId }} `
        -ResourceGroupName temp-azcli-runner-image-rg `
        -ImageType ${{ parameters.imageType }} `
        -AzureLocation ${{ parameters.location }} `
        -ImageGenerationRepositoryRoot $(Build.SourcesDirectory)/runner-images `
        -ReuseResourceGroup `
        -UseAzureCliAuth `
        -Verbose


Azure Pipeline example using the old SPN method

The service connection uses an Azure managed identity with federated credentials.

steps:

  # Using SPN credentials for Packer
  - task: AzureCLI@2
    displayName: Generate ${{ parameters.imageType }} Image
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        git clone https://github.com/feliasson/runner-images.git # Temp add for my fork
        cd ./runner-images
        git checkout UseAzureCliAuth-1 # Temp add for my branch
        cd ./helpers
        Import-Module ./GenerateResourcesAndImage.ps1
        
        GenerateResourcesAndImage `
        -SubscriptionId ${{ parameters.subscriptionId }} `
        -ResourceGroupName temp-spn-runner-image-rg `
        -ImageType ${{ parameters.imageType }} `
        -AzureLocation ${{ parameters.location }} `
        -ImageGenerationRepositoryRoot $(Build.SourcesDirectory)/runner-images `
        -AzureClientId $(appId) `
        -AzureClientSecret $(appSecret) `
        -ReuseResourceGroup `
        -Verbose


Running locally using only my az login credentials

Related issue:

#10236 - I added the suggestion to let an active az login be used if one is found.

Check list

  • Related issue / work item is attached
  • Tests are written (if applicable)
  • Documentation is updated (if applicable) - I didn't see any other optional parameters documented
  • Changes are tested and related VM images are successfully generated
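To make the gating described above concrete, here is an added PowerShell illustration (not the runner-images project's own code) of how a helper can pick Azure CLI auth over SPN auth, check for an active az login via the exit code rather than an exception, and hand the result to Packer as variables. It assumes the Azure CLI is on PATH and that the template exposes the returned keys as input variables; the function names, the subscription id and the template path are placeholders.

```powershell
# Added illustration, not the runner-images project's own code. Assumes 'az' is on PATH
# and that the Packer template exposes the returned keys as input variables; the
# function names below are hypothetical.

function Test-AzCliLogin {
    param([Parameter(Mandatory)][string] $SubscriptionId)
    # 'az account show' exits non-zero with no session; checking $LASTEXITCODE is what
    # makes the failure reach the caller (a native command does not throw on its own).
    $json = & az account show --subscription $SubscriptionId --output json 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $json) {
        throw "No active Azure CLI session for subscription $SubscriptionId. Run 'az login' first."
    }
    return ($json | ConvertFrom-Json)
}

function Get-PackerAuthVariables {
    param(
        [Parameter(Mandatory)][string] $SubscriptionId,
        [string] $AzureClientId,
        [string] $AzureClientSecret,
        [switch] $UseAzureCliAuth
    )
    if ($UseAzureCliAuth) {
        $account = Test-AzCliLogin -SubscriptionId $SubscriptionId
        Write-Verbose "Using CLI identity '$($account.user.name)' in tenant $($account.tenantId)"
        # SPN inputs are ignored on this path, so no secret reaches the Packer command line
        # and no application registration (which needs Entra directory rights) is attempted.
        return [ordered]@{
            use_azure_cli_auth = 'true'
            subscription_id    = $SubscriptionId
            tenant_id          = $account.tenantId
        }
    }
    if (-not $AzureClientId -or -not $AzureClientSecret) {
        # The real helper registers a new SPN at this point; omitted in this illustration.
        throw 'Provide -AzureClientId and -AzureClientSecret, or use -UseAzureCliAuth.'
    }
    return [ordered]@{
        use_azure_cli_auth = 'false'
        subscription_id    = $SubscriptionId
        client_id          = $AzureClientId
        client_secret      = $AzureClientSecret
    }
}

# Each entry becomes a '-var key=value' pair for the azure-arm builder (placeholders below).
$vars = Get-PackerAuthVariables -SubscriptionId '<SUBSCRIPTION_ID>' -UseAzureCliAuth -Verbose
$packerArgs = foreach ($kv in $vars.GetEnumerator()) { '-var'; "$($kv.Key)=$($kv.Value)" }
& packer build @packerArgs '<PATH_TO_TEMPLATE>.pkr.hcl'
```

Because the CLI path never returns client_secret, a pipeline log or process listing of the packer invocation contains no long-lived credential, which is the property the description's "no need to rotate SPN secrets" point rests on.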

@feliasson feliasson marked this pull request as draft September 12, 2024 13:32
@feliasson (Author)

Made a slight adjustment to the suggestion in #10236 to properly handle the error if not logged in; it would not enter the catch block otherwise.

@feliasson feliasson marked this pull request as ready for review September 12, 2024 13:54
@kedar-1 kedar-1 left a comment

Tested UseAzureCliAuth option based on the code above and works as expected.

@feliasson (Author)

@mikhailkoliada @shamil-mubarakshin
You guys made the latest commits to the GenerateResourcesAndImage.ps1 helper script. What do I need to do to get some traction on this PR? I have waited 3 weeks already.

@flannoo commented Oct 7, 2024

We are currently waiting for this as well, since we prefer to use OIDC authentication (federated) instead of client secrets in our devops pipelines. Would be great if this can be released short term.

Thanks!


7 participants