
[Optimization engine] Improve Storage Account access and interactive scripts security #991

Merged
merged 5 commits into from
Sep 26, 2024

Conversation

helderpinto
Member

🛠️ Description

Align AOE with security best practices, by:

  1. Avoiding the use of Storage Account keys by Automation runbooks to access blob data. The Automation managed identity is now granted the Storage Blob Data Contributor role and all runbooks authenticate using Microsoft Entra ID credentials.
  2. Using the AsSecureString parameter in the Get-AzAccessToken calls in the interactive scripts (over which we have less control of PS module versions).

Fixes #975

📋 Checklist

🔬 How did you test this change?

  • 🤏 Lint tests
  • 🤞 PS -WhatIf / az validate
  • 👍 Manually deployed + verified
  • 💪 Unit tests
  • 🙌 Integration tests

🙋‍♀️ Do any of the following that apply?

  • 🚨 This is a breaking change.
  • 🤏 The change is less than 20 lines of code.

📑 Did you update docs/changelog.md?

  • ✅ Updated changelog (required for dev PRs)
  • ➡️ Will add log in a future PR (feature branch PRs only)
  • ❎ Log not needed (small/internal change)

📖 Did you update documentation?

  • ✅ Public docs in docs (required for dev)
  • ✅ Internal dev docs in src (required for dev)
  • ➡️ Will add docs in a future PR (feature branch PRs only)
  • ❎ Docs not needed (small/internal change)
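The two patterns the description refers to, written out as an added PowerShell example; this is not code from this PR or from the Azure Optimization Engine repository. The resource group, storage account, container and Automation account names are assumed placeholders, and the REST API version header is an assumed value.

```powershell
# Added example, not part of PR #991 or the AOE codebase.
# Assumed placeholder names: rg-aoe, staoe, recommendations, aoe-automation.
param(
    [string] $ResourceGroupName  = 'rg-aoe',           # assumed
    [string] $StorageAccountName = 'staoe',            # assumed
    [string] $ContainerName      = 'recommendations'   # assumed
)

# --- Before: key-based access. Whoever holds the key has full data-plane access to the
# --- entire account, the key ends up in runbook variables or verbose output, and rotation
# --- is a manual chore. Kept here only to show what the managed identity replaces.
# $key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value
# $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $key

# --- After (runbook): sign in with the Automation account's system-assigned managed identity
# --- and let the storage context reuse that Entra ID token. No key is fetched, stored or logged.
Connect-AzAccount -Identity | Out-Null
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount

# Data-plane calls through -UseConnectedAccount are authorised by Azure RBAC, so the identity
# needs a data role on the account. One-time setup by an owner, not part of the runbook
# (the service principal lookup by display name is an assumption about how the identity is named):
#   $sp    = Get-AzADServicePrincipal -DisplayName 'aoe-automation'
#   $scope = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Id
#   New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $scope

# Ordinary blob operations now work with the identity-backed context.
Get-AzStorageBlob -Container $ContainerName -Context $ctx | Select-Object Name, LastModified

# --- Interactive scripts: when a raw bearer token is unavoidable (for example a direct REST call),
# --- request it as a SecureString so it is not kept as plain text in the session, in $PSDefaultParameterValues
# --- dumps or in transcript/verbose output. Requires an Az.Accounts version that supports -AsSecureString.
$tokenInfo = Get-AzAccessToken -ResourceUrl 'https://storage.azure.com' -AsSecureString

# Decrypt only at the point of use, inside the header, and do not keep a plain-text copy in a variable.
# ConvertFrom-SecureString -AsPlainText needs PowerShell 7.0 or later.
$headers = @{
    Authorization  = 'Bearer ' + ($tokenInfo.Token | ConvertFrom-SecureString -AsPlainText)
    'x-ms-version' = '2023-11-03'   # assumed Storage REST API version
}
$uri = "https://$StorageAccountName.blob.core.windows.net/$ContainerName?restype=container&comp=list"
Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
```

Two things to check after making this switch: first, the role assignment must be on the data plane (Storage Blob Data Contributor, or Reader for read-only runbooks); the control-plane Contributor role does not grant blob access through `-UseConnectedAccount`, so a runbook that used to work with keys will fail with 403 until the data role propagates. Second, with keys gone from the runbooks, the storage account can have `allowSharedKeyAccess` disabled, which turns key-based access into a detectable, denied path rather than an always-open one.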

@flanakin flanakin added this to the 2024-09 – September milestone Sep 25, 2024
@flanakin flanakin added Status: ▶️ Ready Issue is ready for a dev to start work and removed Needs: Review 👀 PR that is ready to be reviewed labels Sep 26, 2024
@helderpinto helderpinto merged commit 5274e9a into microsoft:dev Sep 26, 2024
1 check passed
@helderpinto helderpinto deleted the helderpinto/dev/storagerbac branch September 26, 2024 08:07
Labels
Status: ▶️ Ready Issue is ready for a dev to start work Tool: Optimization Engine Azure Optimization Engine
Development

Successfully merging this pull request may close these issues.

[Optimization engine] Use Microsoft Entra ID authentication when accessing the Storage Account
3 participants