Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Managed Identity and Service Principal Support #492

Merged
merged 33 commits into from
Jun 10, 2024
Merged

Managed Identity and Service Principal Support #492

merged 33 commits into from
Jun 10, 2024

Conversation

embetten
Copy link
Contributor

@embetten embetten commented May 2, 2024
edited
Loading

Overview

  • Added MSAL Managed Identity and Service Principal Token Providers to Microsoft.Artifacts.Authentication Library.
  • Created new endpoint ARTIFACTS_CREDENTIALPROVIDER_FEED_ENDPOINTS environment variable with new json schema for MI/SP required fields.
  • Updated VstsBuildTaskServiceEndpointCredentialProvider to call Microsoft.Artifacts.Authentication for MI/SP token providers.
  • Reverted Revert System.Text.Json change #485 Changes to use system.text.json for de/serialization everywhere except for the VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variable.

Design Decisions

  • Intentionally not supporting SP secrets authentication to promote security best practices.
  • The new environment variable name and json schema were created instead of reusing or extending the existing VSS_NUGET_EXTERNAL_FEED_ENDPOINTS to reduce password usage and clarify the environment variable will be available to our other credproviders such as the artifacs-keyring not just NuGet.

Environment Variable

ARTIFACTS_CREDENTIALPROVIDER_FEED_ENDPOINTS

 {"endpointCredentials": [{"endpoint":"http://example.index.json", "clientId":"required", "clientCertificateSubjectName":"optional", "clientCertificateFilePath":"optional"}]}
  • endpoint: required. Feed url to authenticate against.
  • clientId: required for both MI/SP. For user assigned managed identities enter the Entra client id. For system assigned variables set the value to system.
  • clientCertificateSubjectName: Subject Name of the certificate located in the My/ CurrentUser or LocalMachine certificate store. Optional field. Only used by SP authentication.
  • clientCertificateFilePath: File path location of the certificate on the machine. Optional field. Only used by SP authentication.

Will throw error if both clientCertificateSubjectName or clientCertificateFilePath are specified.

embetten added 22 commits April 17, 2024 14:26
@embetten
init
59fcaa8
@embetten
Update unit tests
2c56f4e
@embetten
Comment out for testing
9625343
@embetten
Update BuildEndpoint Credential Provider to call MSAL Managed Identit…
3dd06fe 
…y Token Provider
@embetten
merge
babe3dd
@embetten
Undo non supoorted refactoring
f5c2453
@embetten
Add unique error message for testing purposes
df05104
@embetten
return MI bearer token
2599dd9
@embetten
revert
24e2ea8
@embetten
remove exchange comment
993314c
@embetten
Reorder token provider, add tests, formalize string
9499200
@embetten
init
13881fb
@embetten
merge
e3bae2e
@embetten
Update Credential Discovery and Creation
9809076
@embetten
Added tests and resource strings
3cd82f3
@embetten
removing non compatible syntax
34a7af5
@embetten
fixed another spot
aeb048d
@embetten
removing duplicate invalid logging
cba0c3a
@embetten
fix single quote warning
8b3edc7
@embetten
Add tenant Id for service principal provider
c15bd3a
@embetten
Remove csproj reference and fix typo
166f551
@embetten
Update BuildTaskCredProviderIsUsedError
0ea2659
@embetten embetten marked this pull request as ready for review May 16, 2024 16:19
@JohnSchmeichel
Copy link
Member

using System;

add license header

Refers to: CredentialProvider.Microsoft/CredentialProviders/VstsBuildTaskServiceEndpoint/VstsBuildTaskMsalTokenProvidersFactory.cs:1 in 0dceaff. [](commit_id = 0dceaff, deletion_comment = False)

@JohnSchmeichel
Copy link
Member

using System;

same for all new (non test?) files

In reply to: 2116411091

Refers to: CredentialProvider.Microsoft/CredentialProviders/VstsBuildTaskServiceEndpoint/VstsBuildTaskMsalTokenProvidersFactory.cs:1 in 0dceaff. [](commit_id = 0dceaff, deletion_comment = False)

@JohnSchmeichel
Copy link
Member

using System;

test files too

In reply to: 2116411506

Refers to: CredentialProvider.Microsoft/CredentialProviders/VstsBuildTaskServiceEndpoint/VstsBuildTaskMsalTokenProvidersFactory.cs:1 in 0dceaff. [](commit_id = 0dceaff, deletion_comment = False)

JohnSchmeichel
JohnSchmeichel approved these changes May 17, 2024
View reviewed changes
Copy link
Member

@JohnSchmeichel JohnSchmeichel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@JohnSchmeichel
Copy link
Member

please address the build warnings as well, there are a few about package conflicts. surprised these are not failing the build :(

@embetten embetten merged commit ae7cd59 into master Jun 10, 2024
2 checks passed
@embetten embetten deleted the users/embetten/mi-sp-support branch June 10, 2024 18:45
@embetten embetten mentioned this pull request Jun 17, 2024
Merged
This was referenced Jun 26, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JohnSchmeichel JohnSchmeichel JohnSchmeichel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@embetten @JohnSchmeichel