diff --git a/README.md b/README.md
index b50cda692..80adc3504 100644
--- a/README.md
+++ b/README.md
@@ -207,11 +207,13 @@ Follow the steps to configure Azure Service Principal with a secret:
 # The command should output a JSON object similar to this:
+
 {
 "clientId": "",
- "clientSecret": "",
+ "clientSecret": "",
 "subscriptionId": "",
 "tenantId": "",
+ "resourceManagerEndpointUrl": ""
 (...)
 }
@@ -219,6 +221,10 @@ Follow the steps to configure Azure Service Principal with a secret:
 * Now in the workflow file in your branch: `.github/workflows/workflow.yml` replace the secret in Azure login action with your secret (Refer to the example above)
 * Note: The above `az ad sp create-for-rbac` command will give you the `--sdk-auth` deprecation warning. As we are working with CLI for this deprecation process, we strongly recommend users to use this `--sdk-auth` flag as the result dictionary output changes and not accepted by login action if `--sdk-auth` is not used.
+### Manually creating the Credentials object
+
+If you already created and assigned a Service Principal in Azure you can manually create the .json object above by finding the `clientId` and `clientSecret` on the Service Principal, and your `subscriptionId` and `tenantId` of the subscription and tenant respectively. The `resourceManagerEndpointUrl` will be `https://management.azure.com/` if you are using the public Azure cloud.
+
 ### Configure a service principal with a Federated Credential to use OIDC based authentication:
@@ -234,7 +240,7 @@ You can add federated credentials in the Azure portal or with the Microsoft Grap
 7. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value, based on how you have configured the trigger for your GitHub workflow. For a more detailed overview, see [GitHub OIDC guidance]( https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-[…]dc-claims).
 8. Add a **Name** for the federated credential.
 9. Click **Add** to configure the federated credential.
-10. Make sure the above created application has the `contributor` access to the provided subscription.
+10. Make sure the above created application has the `contributor` access to the provided subscription. Visit [role-based-access-control](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current#prerequisites) for more details.
 For a more detailed overview, see more guidance around [Azure Federated Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation-create-trust-github).
diff --git a/lib/main.js b/lib/main.js
index 42ab22d5b..c2ed27af9 100644
--- a/lib/main.js
+++ b/lib/main.js
@@ -40,22 +40,20 @@ function main() {
 return __awaiter(this, void 0, void 0, function* () {
 try {
 //Options for error handling
- let commandStdErr = false;
 const loginOptions = {
 silent: true,
- ignoreReturnCode: true,
- failOnStdErr: true,
 listeners: {
 stderr: (data) => {
 let error = data.toString();
- //removing the keyword 'ERROR' to avoid duplicates while throwing error
- if (error.toLowerCase().startsWith('error')) {
- error = error.slice(5);
- }
- // printing error
- if (error && error.trim().length !== 0) {
- commandStdErr = true;
- core.error(error);
+ let startsWithWarning = error.toLowerCase().startsWith('warning');
+ let startsWithError = error.toLowerCase().startsWith('error');
+ // printing ERROR
+ if (error && error.trim().length !== 0 && !startsWithWarning) {
+ if (startsWithError) {
+ //removing the keyword 'ERROR' to avoid duplicates while throwing error
+ error = error.slice(5);
+ }
+ core.setFailed(error);
 }
 }
 }
@@ -190,6 +188,7 @@ function main() {
 commonArgs = commonArgs.concat("--federated-token", federatedToken);
 }
 else {
+ console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.");
 commonArgs = commonArgs.concat("-p", servicePrincipalKey);
 }
 yield executeAzCliCommand(`login`, true, loginOptions, commonArgs);
diff --git a/src/main.ts b/src/main.ts
index 616b3ddc1..49473977c 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -12,22 +12,20 @@ var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREP
 async function main() {
 try {
 //Options for error handling
- let commandStdErr = false;
 const loginOptions: ExecOptions = {
 silent: true,
- ignoreReturnCode: true,
- failOnStdErr: true,
 listeners: {
 stderr: (data: Buffer) => {
 let error = data.toString();
- //removing the keyword 'ERROR' to avoid duplicates while throwing error
- if (error.toLowerCase().startsWith('error')) {
- error = error.slice(5);
- }
- // printing error
- if (error && error.trim().length !== 0) {
- commandStdErr = true;
- core.error(error);
+ let startsWithWarning = error.toLowerCase().startsWith('warning');
+ let startsWithError = error.toLowerCase().startsWith('error');
+ // printing ERROR
+ if (error && error.trim().length !== 0 && !startsWithWarning) {
+ if(startsWithError) {
+ //removing the keyword 'ERROR' to avoid duplicates while throwing error
+ error = error.slice(5);
+ }
+ core.setFailed(error);
 }
 }
 }
@@ -174,6 +172,7 @@ async function main() {
 commonArgs = commonArgs.concat("--federated-token", federatedToken);
 }
 else {
+ console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.")
 commonArgs = commonArgs.concat("-p", servicePrincipalKey);
 }
 await executeAzCliCommand(`login`, true, loginOptions, commonArgs);
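Review bot: The new WARNING/ERROR classification in the stderr listener inspects the prefix of each stream chunk rather than each line, so a chunk that opens with a `WARNING` line and also carries an `ERROR` line is discarded entirely, while a chunk that is the continuation of an earlier message is either reported as a failure or passed to `core.setFailed` with its `ERROR` prefix intact. Because the commit also drops `ignoreReturnCode: true`, a non-zero exit should still reach the catch, but the user then presumably sees only the generic exec failure instead of the CLI's own message. Buffering stderr and classifying per line preserves the intended behaviour for single-line chunks and handles split output; the buffer takes the place of the removed `commandStdErr` declaration, the never-reassigned `let` locals become `const`, and any trailing partial line still needs a final flush after the exec call, which lies outside this hunk. main's body continues beyond both ends of the hunk, and lib/main.js is the compiled copy of this file carrying the same logic.
```typescript
        let stderrBuffer = '';
        const loginOptions: ExecOptions = {
            silent: true,
            listeners: {
                stderr: (data: Buffer) => {
                    // stderr arrives in stream chunks, not lines; classify per line so a
                    // WARNING and an ERROR delivered in one chunk are handled independently.
                    stderrBuffer += data.toString();
                    const lines = stderrBuffer.split('\n');
                    stderrBuffer = lines.pop() ?? '';
                    for (const line of lines) {
                        const lower = line.toLowerCase();
                        if (line.trim().length === 0 || lower.startsWith('warning')) {
                            continue;
                        }
                        //removing the keyword 'ERROR' to avoid duplicates while throwing error
                        core.setFailed(lower.startsWith('error') ? line.slice(5) : line);
                    }
                }
            }
            // … unchanged: remaining loginOptions fields and body of main …
```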
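Review bot: The hint added in the `else` branch is emitted with `console.log`, whereas the rest of this file reports through the toolkit logger (`core.setFailed` in the listener above), so it bypasses the action's own log handling; routing it through `core.info("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.");` keeps it consistent with the surrounding code. The added line is also missing the terminating semicolon that the compiled lib/main.js copy has. The enclosing function starts and ends outside the hunk.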