Support Managed Identity #348

Merged
merged 6 commits into from
Oct 20, 2023

@YanaXu YanaXu commented Sep 26, 2023

Description

This PR is going to support both system-assigned and user-assigned managed identity login for self-hosted runners on Azure VM.

What's new

  • The Action provides a parameter auth-type with value list [SERVICE_PRINCIPAL, IDENTITY] to identify the type of authentication.
    1. If auth-type: SERVICE_PRINCIPAL with clientId, tenantId and clientSecret detected in your input, we will attempt to login by using service principal with the secret.

        # login with secret
        - uses: azure/login@v1
          with:
            auth-type: SERVICE_PRINCIPAL
            creds: ${{ secrets.AZURE_CREDENTIALS }}

    2. If auth-type: SERVICE_PRINCIPAL with clientId and tenantId detected in your input, we will attempt to login by using OIDC.

        # login with OIDC
        - uses: azure/login@v1
          with:
            auth-type: SERVICE_PRINCIPAL
            client-id: ${{ secrets.AZURE_CLIENT_ID }}
            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

    3. If auth-type: IDENTITY with clientId detected in your input, we will attempt to login by using user-assigned managed identity.

        # login with user-assigned managed identity
        - uses: azure/login@v1
          with:
            auth-type: IDENTITY
            client-id: ${{ secrets.AZURE_CLIENT_ID }}
            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

    4. If auth-type: IDENTITY without clientId detected in your input, we will attempt to login by using system-assigned managed identity.

        # login with system-assigned managed identity
        - uses: azure/login@v1
          with:
            auth-type: IDENTITY
            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

The default value of auth-type is SERVICE_PRINCIPAL to make it backward-compatible.

  • Always specify the subscription-id for safety. Not doing so will make Azure CLI use the current active subscription, which can be risky if your default subscription has changed.

  • The changes for README.md are in Update README.md for Managed identity #344.
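
The four cases in the description above, written out as a pre-flight check that also flags a missing subscription-id. This is an added example, not part of the PR and not the action's source: `resolveLogin`, `LoginMethod` and `Resolution` are hypothetical names, and the rule that an individual input wins over the same field in `creds` is an assumption.

```typescript
// Added example, not the action's source; all names here are hypothetical.
type LoginMethod =
  | "service-principal-secret"
  | "service-principal-oidc"
  | "user-assigned-identity"
  | "system-assigned-identity";

interface Resolution {
  method: LoginMethod | null; // null when none of the four cases matches
  findings: string[];
}

// `inputs` is the step's `with:` map after secrets have been expanded.
function resolveLogin(inputs: Record<string, string>): Resolution {
  const findings: string[] = [];
  let creds: Record<string, string> = {};
  if (inputs["creds"]) {
    try {
      creds = (JSON.parse(inputs["creds"]) || {}) as Record<string, string>;
    } catch {
      findings.push("creds is not valid JSON");
    }
  }
  // Assumption: an individual input wins over the same field inside creds.
  const clientId = inputs["client-id"] || creds["clientId"];
  const tenantId = inputs["tenant-id"] || creds["tenantId"];
  const clientSecret = creds["clientSecret"];
  const subscriptionId = inputs["subscription-id"] || creds["subscriptionId"];
  const authType = inputs["auth-type"] || "SERVICE_PRINCIPAL"; // documented default

  let method: LoginMethod | null = null;
  if (authType === "IDENTITY") {
    method = clientId ? "user-assigned-identity" : "system-assigned-identity";
  } else if (authType === "SERVICE_PRINCIPAL") {
    if (clientId && tenantId) {
      method = clientSecret ? "service-principal-secret" : "service-principal-oidc";
    } else {
      findings.push("SERVICE_PRINCIPAL needs clientId and tenantId");
    }
  } else {
    findings.push(`unknown auth-type: ${authType}`);
  }
  if (!subscriptionId) {
    findings.push("no subscription-id: Azure CLI will use the current active subscription");
  }
  return { method, findings };
}
```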

@YanaXu YanaXu temporarily deployed to Automation test October 17, 2023 10:17 — with GitHub Actions Inactive
@YanaXu YanaXu merged commit 8bf3bde into master Oct 20, 2023
24 checks passed
@YanaXu YanaXu deleted the yanxu/mi branch October 20, 2023 08:38
@anton-delphai

It seems like this change makes the allow-no-subscriptions option useless, as readParametersFromCreds() already throws an error without considering this option.

@pawan-regoti

pawan-regoti commented Nov 20, 2023

A funny workaround is giving a non-null value to subscriptionId in creds and setting allow-no-subscriptions to true. It will bypass the subscriptionId and not throw an error saying subscriptionId is missing.

      - uses: azure/login@v1
        with:
          allow-no-subscriptions: true
          ...
          creds: '{"subscriptionId":"something"}'
