Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added support for federated credentials using a managed identity (to generate the client assertion) #28437

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added support for federated credentials using a managed identity (to generate the client assertion) #28437

wants to merge 2 commits into from

Conversation

sanderaernouts
Copy link
Contributor

@sanderaernouts sanderaernouts commented Jan 10, 2025
edited
Loading

Hey, I just made a Pull Request!

Added support for federated credentials using a managed identity (to generate the client assertion). This allows you to authenticate for an app registration without using a client secret. This is mostly useful when you have to authenticate against an Azure DevOps organization in a different Entra ID tenant.

I would consider this an advanced scenario, but this PR effectively eliminates the need to manage and expose secrets for other tenants.

Because while I was digging through the Azure SDK and MSAL code I found that they use a constant value when you configuring the system assigned managed identity. Basically they end up not passing a value for clientId to the ManagedIdentityCredential which causes the SDK to default to the system assigned identity. I choose to add system-assigned as the value in the config for both this new credential type and the existing managed identity credential.

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
  • All your commits have a Signed-off-by line in the message. (more info)

@sanderaernouts sanderaernouts requested review from a team as code owners January 10, 2025 15:58
@github-actions github-actions bot added documentation Improvements or additions to documentation area:catalog Related to the Catalog Project Area area:techdocs Related to the TechDocs Project Area search Things related to Search area:scaffolder Everything and all things related to the scaffolder project area area:search labels Jan 10, 2025
@sanderaernouts sanderaernouts force-pushed the users/saernouts/client-assertion-credential branch from 33b2bcd to 9943e66 Compare January 13, 2025 10:49
@backstage-goalie
Copy link
Contributor

backstage-goalie bot commented Jan 13, 2025
edited
Loading

Important

This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior.

Changed Packages

Package Name Package Path Changeset Bump Current Version
@backstage/integration packages/integration minor v1.16.1-next.0

@sanderaernouts
feat(azure): support managed identity federated credentials
6aa3f37 
Signed-off-by: Sander Aernouts <sander.aernouts@gmail.com>
@sanderaernouts sanderaernouts force-pushed the users/saernouts/client-assertion-credential branch from 9943e66 to 87dc170 Compare January 13, 2025 10:53
@sanderaernouts
feat(azure): support system-assigned managed identity without specify…
f707108 
…ing the client ID

Signed-off-by: Sander Aernouts <sander.aernouts@gmail.com>
@sanderaernouts sanderaernouts force-pushed the users/saernouts/client-assertion-credential branch from 87dc170 to f707108 Compare January 13, 2025 12:59
@github-actions github-actions bot removed area:catalog Related to the Catalog Project Area area:techdocs Related to the TechDocs Project Area search Things related to Search area:scaffolder Everything and all things related to the scaffolder project area area:search labels Jan 13, 2025
@sanderaernouts
Copy link
Contributor Author

@awanlin is this something you maybe want to have a look at since it's related to Azure (DevOps)?

@benjdlambert you reviewed my previous PR (#17780) in this area so I'm tagging you as well

@sanderaernouts
Copy link
Contributor Author

@Rugvip, @vinzscam can one of you help move this forward?

@sanderaernouts sanderaernouts mentioned this pull request Jan 17, 2025
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rugvip Rugvip Awaiting requested review from Rugvip Rugvip is a code owner automatically assigned from backstage/maintainers

@vinzscam vinzscam Awaiting requested review from vinzscam vinzscam is a code owner automatically assigned from backstage/reviewers

@acierto acierto Awaiting requested review from acierto acierto was automatically assigned from backstage/scaffolder-maintainers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sanderaernouts