Azure credentials update #15111

Merged
merged 4 commits into from
Jan 20, 2025

pavel-purma
Contributor

Update Azure Identity Credentials

  • prefer AzurePipelineCredential if all environment variables are set
  • cache initialization moved to DefaultIdentityTokenCredential so you can use only DefaultIdentityTokenCredential class with options and optionally disable short cache by DisableShortCache option
  • Publish packages, blobs and symbols task set to use AzurePipelineCredential by adding SYSTEM_ACCESSTOKEN env value
  • PublishArtifactsInManifestBase - use DefaultIdentityTokenCredential in symbols publishing

@pavel-purma pavel-purma force-pushed the dev/pavelpurma/AzureIdentityForPublishUpdate branch 2 times, most recently from 3805f20 to a62085f Compare September 27, 2024 13:21
@pavel-purma pavel-purma force-pushed the dev/pavelpurma/AzureIdentityForPublishUpdate branch from a62085f to 0c1c6c4 Compare October 30, 2024 12:56
@mmitche
Member

mmitche commented Dec 18, 2024

@pavel-purma Still need this?

inputs:
azureSubscription: maestro-build-promotion
addSpnToEnvironment: true
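Review bot: `addSpnToEnvironment: true` on the `maestro-build-promotion` connection exposes that connection's service principal details to the script this step runs, and the lines shown carry no comment saying what reads them. Add a short comment naming the consumer, and check that nothing in the step echoes its environment into the build log.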
Member


How does the pipeline credential get access to publish blobs?

Contributor Author


It will use AzurePipelinesCredential when the SYSTEM_ACCESSTOKEN environment variable is provided. If not, ManagedIdentity/AzureCliCredential would be configured to ChainedTokenCredential.
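The selection order described in this reply, as an added C# example that is not the code merged in this PR. It assumes an Azure.Identity version that ships `AzurePipelinesCredential`; the class name `PipelineAwareCredential`, the `getEnv` and `managedIdentityClientId` parameters, and the three `AZURESUBSCRIPTION_*` variable names are assumptions (only `SYSTEM_ACCESSTOKEN` appears in the thread).

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using Azure.Core;
using Azure.Identity;

// Added illustration, not the code merged in this PR.
public static class PipelineAwareCredential
{
    // SYSTEM_ACCESSTOKEN is the variable named in the thread; the three
    // AZURESUBSCRIPTION_* names are assumptions made for this example.
    private const string Tenant = "AZURESUBSCRIPTION_TENANT_ID";
    private const string Client = "AZURESUBSCRIPTION_CLIENT_ID";
    private const string Connection = "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID";
    private const string AccessToken = "SYSTEM_ACCESSTOKEN";
    private static readonly string[] Required = { Tenant, Client, Connection, AccessToken };

    public static TokenCredential Create(
        Func<string, string?> getEnv, string? managedIdentityClientId = null)
    {
        var values = Required.ToDictionary(name => name, name => getEnv(name));
        var missing = Required.Where(n => string.IsNullOrWhiteSpace(values[n])).ToList();

        if (missing.Count == 0)
        {
            // Every pipeline variable is present: use the pipeline credential alone.
            return new AzurePipelinesCredential(
                values[Tenant]!, values[Client]!, values[Connection]!, values[AccessToken]!);
        }

        if (missing.Count < Required.Length)
        {
            // A partly configured step silently takes the fallback path, so report
            // which names are absent. Names only: the access token value is a secret.
            Console.Error.WriteLine(
                "Pipeline credential skipped, missing: " + string.Join(", ", missing));
        }

        // Fallback order from the thread: managed identity, then Azure CLI.
        var chain = new List<TokenCredential>
        {
            new ManagedIdentityCredential(clientId: managedIdentityClientId),
            new AzureCliCredential(),
        };
        return new ChainedTokenCredential(chain.ToArray());
    }
}
```

Passing the environment lookup as a delegate (for example `Environment.GetEnvironmentVariable`) lets a unit test exercise the full, partial and empty configurations without touching the process environment.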

@pavel-purma pavel-purma force-pushed the dev/pavelpurma/AzureIdentityForPublishUpdate branch from 75530cf to 5078af8 Compare January 20, 2025 09:31
@pavel-purma
Contributor Author

@mmitche, this PR switches from DefaultAzureCredential to AzurePipelineCredential (DefaultIdentityTokenCredential standard pipeline authentication), which can issue tokens even after the 10-minute expiration issue of the federated token. The authentication mechanism is also faster than in cases when DefaultAzureCredential falls back to AzureCliCredential. In blob publishing this is already in use. Here, this code enables it also for symbols publishing.

Comment on lines +106 to +107
var ret = new ChainedTokenCredential(tokenCredentials.ToArray());
return ret;
Member


Suggested change
var ret = new ChainedTokenCredential(tokenCredentials.ToArray());
return ret;
return new ChainedTokenCredential(tokenCredentials.ToArray());

@pavel-purma pavel-purma merged commit 0a21d8d into main Jan 20, 2025
11 checks passed
@pavel-purma pavel-purma deleted the dev/pavelpurma/AzureIdentityForPublishUpdate branch January 20, 2025 13:37
3 participants