Secure workflow strategy for Azure CLI output configuration #356
Minor suggestion but LGTM.
README.md
@@ -25,6 +25,9 @@ Note: | |||
- Ensure the CLI version is 2.30 or above to use OIDC support. | |||
- By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by AD App (Service Principal) is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hrs. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details. | |||
|
|||
> **Warning** | |||
> Without redirecting Azure CLI commands’ output, it will be printed to stdout stream and the build log. To prevent this, you may disable Azure CLI commands’ output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables). |
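Review bot: "printed to stdout stream and the build log" reads as two destinations, but the build log is simply a capture of stdout, and opening with "Without redirecting" suggests redirection is the expected fix when the next sentence actually recommends `AZURE_CORE_OUTPUT=none`. Suggest leading with the default behaviour, e.g. "By default, Azure CLI prints command output to stdout, which the action's build log captures." Also, `> **Warning**` is the older alert syntax; `> [!WARNING]`, as used in the later revision of this hunk, renders as a GitHub alert.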
Suggested change:
- > Without redirecting Azure CLI commands’ output, it will be printed to stdout stream and the build log. To prevent this, you may disable Azure CLI commands’ output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables).
+ > By default, Azure CLI commands’ output will be printed to the stdout stream and will be stored in the build logs of the action. You may configure Azure CLI to not print any output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables).
README.md
@@ -25,6 +25,9 @@ Note: | |||
- Ensure the CLI version is 2.30 or above to use OIDC support. | |||
- By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by AD App (Service Principal) is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hrs. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details. | |||
|
|||
> [!WARNING] | |||
> By default, Azure CLI commands’ output is printed to the stdout stream. Without redirecting the stdout stream, contents in it will be stored in the build logs of the action. You may configure Azure CLI to not print any output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables). |
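Review bot: the warning names the mechanism but not the risk; for a public repository the build log is readable by anyone, so say that plainly ("...stored in the build logs of the action, which may be public"). The `--output json` sentence should also make clear that the re-enabled output lands in that same log unless the command's result is captured into a variable, otherwise a reader will "restore" output for a command whose result is sensitive. The later suggestion's wording, "override the default setting using the argument `--output` with your format of choice", is also more accurate than "restore its output", since `--output` accepts any format, not only json.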
Suggested change:
- > By default, Azure CLI commands’ output is printed to the stdout stream. Without redirecting the stdout stream, contents in it will be stored in the build logs of the action. You may configure Azure CLI to not print any output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables).
+ > By default, the output of Azure CLI commands print to the stdout stream and are stored in the build logs of the action. Configure Azure CLI to _not_ show output in the console screen or print in the log by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, override the default setting using the argument `--output` with your format of choice. For more information on output options with the Azure CLI, see [Format output](https://learn.microsoft.com/en-us/cli/azure/format-output-azure-cli).
LGTM
When creating workflows, especially in a public repository, it's crucial to ensure that your build logs don't expose any sensitive data. You should proactively safeguard sensitive information by storing it as a secret, masking any sensitive value in logs, and setting the repositories and CI instances to private if they don't need to be public.

Moreover, Azure CLI commands output to both the stdout stream and the build log by default. Azure CLI suggests protecting output information by setting the output to `none`; see https://aka.ms/clisecrets. You may configure Azure CLI to not print any output by setting the environment variable `AZURE_CORE_OUTPUT` to `none` when you invoke Azure CLI commands in your workflow. For example:

For detailed guidance on how to set environment variables in a workflow, refer to the GitHub doc: https://docs.github.com/en/actions/learn-github-actions/variables.

When you need the output of a specific command, you can add the argument `--output json` to restore its output. For example:

For more information about the configuration settings and output format of Azure CLI, see CLI configuration values and environment variables.
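A workflow that applies the configuration described above, added here as an example (it is not from the Azure/login README or this PR): the job-level `AZURE_CORE_OUTPUT: none` silences every `az` command, and the one step that needs a result overrides it with `--output` and captures the value into a variable rather than letting it print to the build log. The secret names, the resource group, and the choice of `--output tsv` for the captured value are assumptions.

```yaml
# Added example, not the Azure/login project's own workflow.
name: deploy
on: [push]

permissions:
  id-token: write   # required for OIDC login
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # Job-wide default: Azure CLI prints nothing, so no command result
      # reaches the build log unless a step explicitly opts back in.
      AZURE_CORE_OUTPUT: none
    steps:
      - uses: actions/checkout@v4

      - name: Azure login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}            # assumed secret names
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Commands whose output must stay out of the log
        run: |
          az account show     # silent: AZURE_CORE_OUTPUT=none applies
          az group list       # silent as well

      - name: One command whose result is needed
        id: lookup
        env:
          RG: example-rg      # constructed sample value
        run: |
          # --output overrides AZURE_CORE_OUTPUT for this command only.
          # Capture the value instead of letting it print, mask it so any
          # later echo is redacted, and hand it on as a step output.
          resource_id=$(az group show --name "$RG" --query id --output tsv)
          echo "::add-mask::$resource_id"
          echo "resource_id=$resource_id" >> "$GITHUB_OUTPUT"

      - name: Use the captured value without printing it
        run: az tag create --resource-id "$RESOURCE_ID" --tags env=example
        env:
          RESOURCE_ID: ${{ steps.lookup.outputs.resource_id }}
```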