Skip to content

Commit

Permalink
auth: Support azure-pipelines for --federated-credential-provider (
Browse files Browse the repository at this point in the history
…#4343)

This change adds `azure-pipelines` as a supported value for the
`--federated-credential-provider` switch of `azd auth login`. This
provider can be used to do OIDC based login within the context of a
job running in Azure Pipelines.

When using this provider, `azd` uses the `AzurePipelinesCredential`
type to manage the OIDC dance. In addition to the client and tenant id
of the service principal you plan to authenticate with, we also need
the "service connection id" (this is the ID of the object created in
Azure Pipelines that contains the connection information) and the
system access token which is the security token for the running build
(it's what is used to authenticate to the OIDC endpoint that is being
run inside the pipeline which we use to fetch the federated
credential).  The client and tenant ids can be provided on the command
line, via the existing `--client-id` and `--tenant-id` switches, or,
when `azure-pipelines` is the `federated-credential-provider`, they
can be read from the `AZURESUBSCRIPTION_CLIENT_ID` and
`AZURESUBSCRIPTION_TEANT_ID` system environment varaibles.  The
service connection ID and acceess token are read from the
`AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` and `SYSTEM_ACCESSTOKEN`
environment variaibles.

These system environment variables correspond to what the `AzureCLI@2`
sets when passing the `azureSubscription` parameter (after translating
the service connection name to a service connection ID, which is
handy) allowing something like this to work:

```yaml
- task: AzureCLI@2
  inputs:
    azureSubscription: azconnection
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      azd auth login --federated-credential-provider "azure-pipelines"
      azd up
```

Note that while the AzureCLI task is used above, it's only used for
setting these environment variables and doing the service connection
name to id translation.  You could do something like the following
instead:

```yaml
- bash: |
    azd auth login --federated-credential-provider "azure-pipelines"
    azd up
  env:
    AZURE_SUBSCRIPTION_CLIENT_ID: "Your Client ID"
    AZURE_SUBSCRIPTION_TENANT_ID: "Your Tenant ID"
    AZURE_SUBSCRIPTION_SERVICE_CONNECTION_ID: "Your Service Connection ID"
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```

And things will work as well. This can be useful in cases where you
can use the `AzureCLI@2` task directly.

We can consider writing our own task as some point as well.

Contributes To #4341
  • Loading branch information
ellismg authored Nov 6, 2024
1 parent e87f4b5 commit a1ee872
Show file tree
Hide file tree
Showing 6 changed files with 187 additions and 51 deletions.
2 changes: 2 additions & 0 deletions cli/azd/.vscode/cspell-azd-dictionary.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
AADSTS
ABRT
ACCESSTOKEN
aiomysql
aiopg
alphafeatures
Expand Down Expand Up @@ -50,6 +51,7 @@ AZURECLI
azureedge
azureml
azurestaticapps
AZURESUBSCRIPTION
azuretools
azureutil
azureyaml
Expand Down
50 changes: 47 additions & 3 deletions cli/azd/cmd/auth_login.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,25 @@ import (
// The parent of the login command.
const loginCmdParentAnnotation = "loginCmdParent"

// azurePipelinesClientIDEnvVarName is the name of the environment variable that contains the client ID for the principal
// to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and AzurePowerShell@5 tasks
// when using a service connection or can be set manually when not using these tasks.
const azurePipelinesClientIDEnvVarName = "AZURESUBSCRIPTION_CLIENT_ID"

// azurePipelinesTenantIDEnvVarName is the name of the environment variable that contains the tenant ID for the principal
// to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and AzurePowerShell@5 tasks
// when using a service connection or can be set manually when not using these tasks.
const azurePipelinesTenantIDEnvVarName = "AZURESUBSCRIPTION_TENANT_ID"

// AzurePipelinesServiceConnectionNameEnvVarName is the name of the environment variable that contains the name of the
// service connection to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and
// AzurePowerShell@5 tasks when using a service connection or can be set manually when not using these tasks.
const azurePipelinesServiceConnectionIDEnvVarName = "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"

// azurePipelinesProvider is the name of the federated token provider to use when authenticating with Azure Pipelines via
// OIDC.
const azurePipelinesProvider string = "azure-pipelines"

type authLoginFlags struct {
loginFlags
}
Expand Down Expand Up @@ -389,6 +408,18 @@ func runningOnCodespacesBrowser(ctx context.Context, commandRunner exec.CommandR
}

func (la *loginAction) login(ctx context.Context) error {
if la.flags.federatedTokenProvider == azurePipelinesProvider {
if la.flags.clientID == "" {
log.Printf("setting client id from environment variable %s", azurePipelinesClientIDEnvVarName)
la.flags.clientID = os.Getenv(azurePipelinesClientIDEnvVarName)
}

if la.flags.tenantID == "" {
log.Printf("setting tenant id from environment variable %s", azurePipelinesClientIDEnvVarName)
la.flags.tenantID = os.Getenv(azurePipelinesTenantIDEnvVarName)
}
}

if la.flags.managedIdentity {
if _, err := la.authManager.LoginWithManagedIdentity(
ctx, la.flags.clientID,
Expand Down Expand Up @@ -451,9 +482,22 @@ func (la *loginAction) login(ctx context.Context) error {
); err != nil {
return fmt.Errorf("logging in: %w", err)
}
case la.flags.federatedTokenProvider != "":
if _, err := la.authManager.LoginWithServicePrincipalFederatedTokenProvider(
ctx, la.flags.tenantID, la.flags.clientID, la.flags.federatedTokenProvider,
case la.flags.federatedTokenProvider == "github":
if _, err := la.authManager.LoginWithGitHubFederatedTokenProvider(
ctx, la.flags.tenantID, la.flags.clientID,
); err != nil {
return fmt.Errorf("logging in: %w", err)
}
case la.flags.federatedTokenProvider == azurePipelinesProvider:
serviceConnectionID := os.Getenv(azurePipelinesServiceConnectionIDEnvVarName)

if serviceConnectionID == "" {
return fmt.Errorf("must set %s for azure-pipelines federated token provider",
azurePipelinesServiceConnectionIDEnvVarName)
}

if _, err := la.authManager.LoginWithAzurePipelinesFederatedTokenProvider(
ctx, la.flags.tenantID, la.flags.clientID, serviceConnectionID,
); err != nil {
return fmt.Errorf("logging in: %w", err)
}
Expand Down
150 changes: 113 additions & 37 deletions cli/azd/pkg/auth/manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,16 @@ const useAzCliAuthKey = "auth.useAzCliAuth"
// auth related configuration information (e.g. the home account id of the current user). This information is not secret.
const authConfigFileName = "auth.json"

// azurePipelinesSystemAccessTokenEnvVarName is the name of the environment variable that contains the system access token
// used to auth against the ODIC endpoint for Azure Pipelines. It needs to be set by the task that runs the azd command by
// adding `SYSTEM_ACCESSTOKEN: $(System.AccessToken)` to the `env` section of the task configuration.
const azurePipelinesSystemAccessTokenEnvVarName = "SYSTEM_ACCESSTOKEN"

// errNoSystemAccessTokenEnvVar is returned when the System.AccessToken environment variable is not set.
var errNoSystemAccessTokenEnvVar = fmt.Errorf(
"system access token not found, ensure the System.AccessToken value is mapped to an environment variable named %s",
azurePipelinesSystemAccessTokenEnvVarName)

// HttpClient interface as required by MSAL library.
type HttpClient interface {
// Do sends an HTTP request and returns an HTTP response.
Expand Down Expand Up @@ -312,11 +322,6 @@ func (m *Manager) CredentialForCurrentUser(
}
return m.newCredentialFromManagedIdentity(clientID)
} else if currentUser.TenantID != nil && currentUser.ClientID != nil {
ps, err := m.loadSecret(*currentUser.TenantID, *currentUser.ClientID)
if err != nil {
return nil, fmt.Errorf("loading secret: %w: %w", err, ErrNoCurrentUser)
}

// by default we used the stored tenant (i.e. the one provided with the tenant id parameter when a user ran
// `azd auth login`), but we allow an override using the options bag, when
// TenantID is non-empty and PreferFallbackTenant is not true.
Expand All @@ -326,13 +331,18 @@ func (m *Manager) CredentialForCurrentUser(
tenantID = options.TenantID
}

ps, err := m.loadSecret(*currentUser.TenantID, *currentUser.ClientID)
if err != nil {
return nil, fmt.Errorf("loading secret: %w: %w", err, ErrNoCurrentUser)
}

if ps.ClientSecret != nil {
return m.newCredentialFromClientSecret(tenantID, *currentUser.ClientID, *ps.ClientSecret)
} else if ps.ClientCertificate != nil {
return m.newCredentialFromClientCertificate(tenantID, *currentUser.ClientID, *ps.ClientCertificate)
} else if ps.FederatedAuth != nil && ps.FederatedAuth.TokenProvider != nil {
return m.newCredentialFromFederatedTokenProvider(
tenantID, *currentUser.ClientID, *ps.FederatedAuth.TokenProvider)
tenantID, *currentUser.ClientID, *ps.FederatedAuth.TokenProvider, ps.FederatedAuth.ServiceConnectionID)
}
}

Expand Down Expand Up @@ -518,35 +528,62 @@ func (m *Manager) newCredentialFromFederatedTokenProvider(
tenantID string,
clientID string,
provider federatedTokenProvider,
serviceConnectionID *string,
) (azcore.TokenCredential, error) {
if provider != gitHubFederatedAuth {
return nil, fmt.Errorf("unsupported federated token provider: '%s'", string(provider))
}
options := &azidentity.ClientAssertionCredentialOptions{
ClientOptions: azcore.ClientOptions{
Transport: m.httpClient,
// TODO: Inject client options instead? this can be done if we're OK
// using the default user agent string.
Cloud: m.cloud.Configuration,
},
}
cred, err := azidentity.NewClientAssertionCredential(
tenantID,
clientID,
func(ctx context.Context) (string, error) {
federatedToken, err := m.ghClient.TokenForAudience(ctx, "api://AzureADTokenExchange")
if err != nil {
return "", fmt.Errorf("fetching federated token: %w", err)
}
clientOptions := azcore.ClientOptions{
Transport: m.httpClient,
// TODO: Inject client options instead? this can be done if we're OK
// using the default user agent string.
Cloud: m.cloud.Configuration,
}

switch provider {
case gitHubFederatedTokenProvider:
cred, err := azidentity.NewClientAssertionCredential(
tenantID,
clientID,
func(ctx context.Context) (string, error) {
federatedToken, err := m.ghClient.TokenForAudience(ctx, "api://AzureADTokenExchange")
if err != nil {
return "", fmt.Errorf("fetching federated token: %w", err)
}

return federatedToken, nil
},
options)
if err != nil {
return nil, fmt.Errorf("creating credential: %w", err)
}
return federatedToken, nil
},
&azidentity.ClientAssertionCredentialOptions{
ClientOptions: clientOptions,
})
if err != nil {
return nil, fmt.Errorf("creating credential: %w", err)
}

return cred, nil
return cred, nil

case azurePipelinesFederatedTokenProvider:
systemAccessToken := os.Getenv(azurePipelinesSystemAccessTokenEnvVarName)
if systemAccessToken == "" {
return nil, errNoSystemAccessTokenEnvVar
}

// Guard against the case where the service connection ID is not set because someone manually edited the json
// files managed by `azd auth login`.
if serviceConnectionID == nil {
return nil, errors.New("service connection ID not found, please run `azd auth login` to authenticate")
}

cred, err := azidentity.NewAzurePipelinesCredential(
tenantID, clientID, *serviceConnectionID, systemAccessToken, &azidentity.AzurePipelinesCredentialOptions{
ClientOptions: clientOptions,
},
)
if err != nil {
return nil, fmt.Errorf("creating credential: %w: %w", err, ErrNoCurrentUser)
}

return cred, nil
default:
return nil, fmt.Errorf("unsupported federated token provider: '%s'", string(provider))
}
}

func (m *Manager) newCredentialFromCloudShell() (azcore.TokenCredential, error) {
Expand Down Expand Up @@ -755,10 +792,10 @@ func (m *Manager) LoginWithServicePrincipalCertificate(
return cred, nil
}

func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
ctx context.Context, tenantId, clientId, provider string,
func (m *Manager) LoginWithGitHubFederatedTokenProvider(
ctx context.Context, tenantId, clientId string,
) (azcore.TokenCredential, error) {
cred, err := m.newCredentialFromFederatedTokenProvider(tenantId, clientId, federatedTokenProvider(provider))
cred, err := m.newCredentialFromFederatedTokenProvider(tenantId, clientId, gitHubFederatedTokenProvider, nil)
if err != nil {
return nil, err
}
Expand All @@ -768,7 +805,7 @@ func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
clientId,
&persistedSecret{
FederatedAuth: &federatedAuth{
TokenProvider: &gitHubFederatedAuth,
TokenProvider: &gitHubFederatedTokenProvider,
},
},
); err != nil {
Expand All @@ -778,6 +815,41 @@ func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
return cred, nil
}

func (m *Manager) LoginWithAzurePipelinesFederatedTokenProvider(
ctx context.Context, tenantID string, clientID string, serviceConnectionID string,
) (azcore.TokenCredential, error) {
systemAccessToken := os.Getenv(azurePipelinesSystemAccessTokenEnvVarName)

if systemAccessToken == "" {
return nil, errNoSystemAccessTokenEnvVar
}

options := &azidentity.AzurePipelinesCredentialOptions{
ClientOptions: azcore.ClientOptions{
Transport: m.httpClient,
// TODO: Inject client options instead? this can be done if we're OK
// using the default user agent string.
Cloud: m.cloud.Configuration,
},
}

cred, err := azidentity.NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken, options)
if err != nil {
return nil, fmt.Errorf("creating credential: %w", err)
}

if err := m.saveLoginForServicePrincipal(tenantID, clientID, &persistedSecret{
FederatedAuth: &federatedAuth{
TokenProvider: &azurePipelinesFederatedTokenProvider,
ServiceConnectionID: &serviceConnectionID,
},
}); err != nil {
return nil, err
}

return cred, nil
}

// Logout signs out the current user and removes any cached authentication information
func (m *Manager) Logout(ctx context.Context) error {
act, err := m.getSignedInAccount(ctx)
Expand Down Expand Up @@ -1017,7 +1089,8 @@ type persistedSecret struct {

// federated auth token providers
var (
gitHubFederatedAuth federatedTokenProvider = "github"
gitHubFederatedTokenProvider federatedTokenProvider = "github"
azurePipelinesFederatedTokenProvider federatedTokenProvider = "azure-pipelines"
)

// token provider for federated auth
Expand All @@ -1027,6 +1100,9 @@ type federatedTokenProvider string
type federatedAuth struct {
// The auth token provider. Tokens are obtained by calling the provider as needed.
TokenProvider *federatedTokenProvider `json:"tokenProvider,omitempty"`
// The ID of the service connection to use for Azure Pipelines federated auth. This is only set when the TokenProvider
// is "azure-pipelines".
ServiceConnectionID *string `json:"serviceConnectionId,omitempty"`
}

// userProperties is the model type for the value we store in the user's config. It is logically a discriminated union of
Expand Down
4 changes: 1 addition & 3 deletions cli/azd/pkg/auth/manager_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -150,9 +150,7 @@ func TestServicePrincipalLoginFederatedTokenProvider(t *testing.T) {
cloud: cloud.AzurePublic(),
}

cred, err := m.LoginWithServicePrincipalFederatedTokenProvider(
context.Background(), "testClientId", "testTenantId", "github",
)
cred, err := m.LoginWithGitHubFederatedTokenProvider(context.Background(), "testClientId", "testTenantId")

require.NoError(t, err)
require.IsType(t, new(azidentity.ClientAssertionCredential), cred)
Expand Down
16 changes: 8 additions & 8 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@ go 1.23

require (
github.com/AlecAivazis/survey/v2 v2.3.2
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/apimanagement/armapimanagement v1.0.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appconfiguration/armappconfiguration v1.0.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appcontainers/armappcontainers/v3 v3.0.0-beta.1
Expand Down Expand Up @@ -68,13 +68,13 @@ require (
go.opentelemetry.io/otel/trace v1.8.0
go.uber.org/atomic v1.9.0
go.uber.org/multierr v1.8.0
golang.org/x/sys v0.21.0
golang.org/x/sys v0.25.0
gopkg.in/dnaeon/go-vcr.v3 v3.1.2
)

require (
github.com/Azure/azure-pipeline-go v0.2.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect
github.com/cenkalti/backoff/v4 v4.1.3 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
Expand All @@ -99,10 +99,10 @@ require (
go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.8.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.8.0 // indirect
go.opentelemetry.io/proto/otlp v0.18.0 // indirect
golang.org/x/crypto v0.24.0 // indirect
golang.org/x/net v0.26.0 // indirect
golang.org/x/term v0.21.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/crypto v0.27.0 // indirect
golang.org/x/net v0.29.0 // indirect
golang.org/x/term v0.24.0 // indirect
golang.org/x/text v0.18.0 // indirect
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
google.golang.org/grpc v1.56.3 // indirect
google.golang.org/protobuf v1.33.0 // indirect
Expand Down
Loading

0 comments on commit a1ee872

Please sign in to comment.