Add Support for Workload Identity Federation for Azure Service Connections #27093

Closed
ChristineWanjau opened this issue Sep 12, 2023 · 10 comments · Fixed by #29392
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request This issue requires a new behavior in the product in order be resolved.

Comments

@ChristineWanjau

ChristineWanjau commented Sep 12, 2023

Does @azure/identity for js support authentication for service connections using workload identity federated credential?

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-triage Workflow: This issue needs the team to triage. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Sep 12, 2023
@xirzec xirzec removed the needs-team-triage Workflow: This issue needs the team to triage. label Sep 12, 2023
@github-actions github-actions bot added the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Sep 12, 2023
@ChristineWanjau
Author

@joshfree The doc only says it supports authentication for workloads running on Kubernetes. What about authentication for service connections using workload identity federated credential in Azure DevOps?

@KarishmaGhiya KarishmaGhiya added feature-request This issue requires a new behavior in the product in order be resolved. and removed needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Sep 19, 2023
@github-actions github-actions bot added the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Sep 19, 2023
@KarishmaGhiya
Member

@joshfree I spoke to @ChristineWanjau. Looks like App Configuration is using the preview feature Azure DevOps for their authentication for service connection using workload identity. Essentially what happens is when they request an idToken, it gets supplied by Azure DevOps (https://devblogs.microsoft.com/devops/public-preview-of-workload-identity-federation-for-azure-pipelines/#custom-azure-tasks-and-extensions). But this idToken is not written to a file, it's speculated to be supplied through the env. So the ask was: do we support the scenario?
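
However the pipeline delivers the idToken (file or environment), the caller ends up presenting it as a client assertion. The sketch below is an added example, not code from this thread or from @azure/identity: it sanity-checks a token's issuer, subject, audience and expiry against the federated credential's expected values, then builds the standard OAuth 2.0 client-assertion request. Function names, the sample tokens and the expected issuer/subject are constructed assumptions.

```javascript
// Added example; function names and sample values are hypothetical.
const EXCHANGE_AUDIENCE = "api://AzureADTokenExchange";

// Decode the JWT payload only. The signature is verified by the identity
// provider during the exchange; this is a local sanity check, not validation.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Compare the token's claims with what the federated credential expects.
function checkFederatedToken(jwt, expected, nowSeconds) {
  const claims = decodeClaims(jwt);
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const problems = [];
  if (claims.iss !== expected.issuer) problems.push("issuer mismatch");
  if (claims.sub !== expected.subject) problems.push("subject mismatch");
  if (!audiences.includes(expected.audience)) problems.push("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) problems.push("expired");
  return problems;
}

// Build the client-credentials request that presents the token as a client assertion.
function buildTokenExchangeRequest({ tenantId, clientId, scope, assertion }) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    scope,
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: assertion,
  });
  return { url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, body: body.toString() };
}

// Constructed, unsigned sample tokens (no real issuer, subject or signature).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.c2ln`;
}
const expected = { issuer: "https://issuer.example/org-a", subject: "example-connection", audience: EXCHANGE_AUDIENCE };
const now = 1700000000;
const good = makeSampleToken({ iss: expected.issuer, sub: expected.subject, aud: EXCHANGE_AUDIENCE, exp: now + 600 });
const stale = makeSampleToken({ iss: expected.issuer, sub: "other-connection", aud: EXCHANGE_AUDIENCE, exp: now - 1 });

console.log(checkFederatedToken(good, expected, now));
console.log(checkFederatedToken(stale, expected, now));
console.log(buildTokenExchangeRequest({ tenantId: "example-tenant", clientId: "example-client", scope: "https://management.azure.com/.default", assertion: good }).url);
```

A non-empty result from `checkFederatedToken` points at a misconfigured federated credential or a stale token before any request leaves the agent.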

@joshfree joshfree changed the title [@azure/Identity] Authentication for service connections workload identity federated credential in azure/identity Add Support for Workload Identity Federation for Azure Service Connections Sep 19, 2023
@joshfree joshfree added this to the 2024-02 milestone Sep 19, 2023
@joshfree joshfree removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Sep 19, 2023
@KarishmaGhiya KarishmaGhiya removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Nov 3, 2023
@joshfree
Member

joshfree commented Jan 8, 2024

@KarishmaGhiya could you give an update on this item?

@cyclelabs-ryanberger

Please provide an update on when this will be allowed. This is also impacting AzureFileCopy task: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-file-copy-v4?view=azure-pipelines

@KarishmaGhiya
Member

@ryanberger-az This work item is only tracking the support of WI on Azure Identity SDK for Azure Service Connections scenario.
For support for pipeline tasks, I think you should refer to this blog - https://devblogs.microsoft.com/devops/public-preview-of-workload-identity-federation-for-azure-pipelines/#built-in-pipeline-tasks
Unless the Azure File Copy task uses the Azure Identity SDK, I don't think you should be blocked on us.

@KarishmaGhiya KarishmaGhiya modified the milestones: 2024-02, 2024-03 Jan 29, 2024
@joshfree joshfree modified the milestones: 2024-03, 2024-04 Feb 21, 2024
@KarishmaGhiya
Member

GitHub Gist - https://gist.github.com/KarishmaGhiya/81ee6265ab6e9109d3bf510678878b34
We are waiting on the service team to complete the environment variable consolidation for OIDC token request from Azure DevOps. https://dev.azure.com/mseng/AzureDevOps/_workitems/edit/2103036

@maorleger
Member

Linking to #28726 (comment)

@MRayermannMSFT assuming I understood the ask correctly, I believe this is the issue you want to follow along on - is that right?

@MRayermannMSFT

@maorleger I think you are probably right?

@joshfree joshfree modified the milestones: 2024-05, 2024-08 Apr 1, 2024
@KarishmaGhiya KarishmaGhiya modified the milestones: 2024-08, 2024-05 Apr 10, 2024
@KarishmaGhiya
Member

PR to support this - #28628

7 participants