-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLI: simplify Azure authentication #724
Comments
I think we should also make the "old" And when we add |
I think we should also add |
We discussed this a bit offline and for now decided to go with using While an issue exists with |
Does this mean we can still authenticate using a shared secret (holding the azure.client.secret) by placing them into the runner environment variables instead of using the now obsolete arguments? We recently noticed the obsolete warning and, upon looking into ManagedIdentityCredentials, it appears this requires us to define which repositories have access to it in Azure itself. Reference. We currently have a GitHub organization with workflows, an Azure devops environment and a legacy Gerrit/Jenkins setup. We heavily rely on platform-independent tooling and encrypted shared secrets across all three CI/CD platforms, as configuring security for each new repository individually is not feasible (there's a few thousand). We have reusable pipelines on all three platforms that include the sign tool prerelease among other tooling. Therefore, I am hoping we can continue using the different platform secret vaults with Azure application client secrets, and so on. I'll continue doing more research to see how to adapt, but wanted to already check-in here. |
We are using the
|
We have been using 0.9.1-beta.23356.1 which requires us to specify the following arguments
While testing a new certificate (kindly generated by @ChrisSfanos) I updated to 0.9.1-beta.24361.2 See #743 0.9.1-beta.24361.2 accepts the above arguments but gives us a warning message below "The client secret options are obsolete and should no longer be specified." Looking at the CLI options using "sign code azure-key-vault -?" shows there are two new arguments which I think are the replacements
Who can generate a managed identity for us? |
Hi Mike
This is me - missed getting to your other mail
Chris
…________________________________
From: Mike Williams ***@***.***>
Sent: Thursday, August 1, 2024 4:20:46 AM
To: dotnet/sign ***@***.***>
Cc: Mention ***@***.***>
Subject: Re: [dotnet/sign] CLI: simplify Azure authentication (Issue #724)
We have been using 0.9.1-beta.23356.1 which requires us to specify the following arguments
-kvt, --azure-key-vault-tenant-id <azure-key-vault-tenant-id> Tenant ID to authenticate to Azure Key Vault.
-kvi, --azure-key-vault-client-id <azure-key-vault-client-id> Client ID to authenticate to Azure Key Vault.
-kvs, --azure-key-vault-client-secret <azure-key-vault-client-secret> Client secret to authenticate to Azure Key Vault.
While testing a new certificate (kindly generated by @ChrisSfanos<https://github.com/ChrisSfanos>) I updated to 0.9.1-beta.24361.2 See #743<#743>
0.9.1-beta.24361.2 accepts the above arguments but gives us a warning message below
"The client secret options are obsolete and should no longer be specified."
Looking at the CLI options using "sign code azure-key-vault -?" shows there are two new arguments which I think are the replacements
-mici, --managed-identity-client-id <managed-identity-client-id> The client id of a user assigned ManagedIdentity.
-miri, --managed-identity-resource-id <managed-identity-resource-id> The resource id of a user assigned ManagedIdentity.
Who can generate a managed identity for us?
Or do we set the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID & AZURE_CLIENT_SECRET mentioned above
—
Reply to this email directly, view it on GitHub<#724 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAKF5JYRFNYF3AWXEL33I2DZPIKY7BFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVI2DOMRWGM2DSNJTG6SG4YLNMWUWQYLTL5WGCYTFNSWHG5LCNJSWG5C7OR4XAZNMJFZXG5LFINXW23LFNZ2KM5DPOBUWG44TQKSHI6LQMWVHEZLQN5ZWS5DPOJ42K5TBNR2WLKBWG44TAOBQGE3IFJDUPFYGLJLJONZXKZNFOZQWY5LFVIZDGNRVGMYTSMBRGOBKI5DZOBS2K3DBMJSWZJLWMFWHKZNKGQ3TENRTGQ4TKMZXU52HE2LHM5SXFJTDOJSWC5DF>.
You are receiving this email because you were mentioned.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
This thread generated some ideas on how we can improve the CLI user experience for Azure authentication, which is currently used by Azure Key Vault signing. In the near future, it will also be used by Trusted Signing signing.
Background
Sign CLI's Azure Key Vault signing exposes 4 authentication-specific options. The original intent was to support 2 authentication strategies:
Problem statement
Managed identity support is provided through Azure SDK for .NET's
DefaultAzureCredential
class. This class actually supports 10 authentication strategies, which are tried in a fixed order until one succeeds. In most cases, this may work like magic. However, there are several problems with this solution.--azure-key-vault-managed-identity
doesn't actually guarantee we'll use the managed identity authentication strategy. Authentication can fail becauseDefaultAzureCredential
succeeded in obtaining a token with an earlier (unwanted) authentication strategy. This really happens.--azure-key-vault-managed-identity
option, set a bunch ofExcludeXXXCredential
options for all the options before Azure CLI authentication strategy, but that's a hacky, terrible user experience.Proposed solution
First, deprecate the 4 authentication-specific options. Continue to honor the options but output a warning that users should migrate to the new solution, which is one of the following options:
DefaultAzureCredential
behavior.-act
,--azure-credential-type
) and specify the specific authentication strategy you want.At some time in the future, remove the 4 authentication-specific options. By default, Azure Key Vault signing will require no Azure authentication options. It will support all authentication strategies provided by
DefaultAzureCredential
in the order that class provides.For users who want to use a specific authentication strategy, a new option (
-act
,--azure-credential-type
) will enable that. Note that this list of accepted values represents only a subset of strategies provided byDefaultAzureCredential
on the principal that we'd add others when needed.environment
managed-identity
CC @clairernovotny, @joelverhagen, @dlemstra
The text was updated successfully, but these errors were encountered: