Azure OIDC accounts #2004
Azure OIDC accounts #2004
Conversation
|
This pull request has been linked to Shortcut Story #58116: Docs. |
benPearce1
requested review from
hnrkndrssn,
veochen-octopus and
IsaacCalligeros95
| <details data-group="infrastructure-accounts-azure"> | ||
| <summary>Az PowerShell</summary> | ||
|
|
||
| ```powershell | ||
| # This script will create a new service principal for you to use in Octopus Deploy using the Az PowerShell modules. This will work with both PowerShell and PowerShell Core. | ||
| # this script will create a new Azure AD App Registration | ||
|
|
||
| $AzureTenantId = "2a681dca-3230-4e01-abcb-b1fd225c0982" # Replace with your Tenant Id |
There was a problem hiding this comment.
Nit: Is there a reason this has the tenant specified? This is a pre-existing part of the docs so I'm happy for it to be left as is, the inconsistency is just a bit odd.
There was a problem hiding this comment.
This is the Azure Active Directory tenant , not an Octopus one
There was a problem hiding this comment.
Looks good, just a couple of questions/suggestions
-
Should we mention the
Octopus.OpenIdConnect.Jwtvariable that gets set and used for token exchange? This could be useful for customers looking to handle their own token exchanges in scripts. -
Can we mention supported tool versions somewhere? In particular for terraform the
azurermterraform provider we require a minimum version of3.22. Azure cli added support for MSAL in 2.30 which is required for the az login ... --federated-token command
| @@ -22,9 +22,13 @@ These must be exposed with anonymous access on HTTPS. Without this, the OpenID C | |||
|
|
|||
| The hostname of the URL that these two endpoints are available on must either be configured under **Configuration->Nodes->Server Uri** or set as the first ListenPrefix in the server configuration. | |||
|
|
|||
| ## Authenticating using OpenID Connect with third party services and tools | |||
|
|
|||
| If you have a third-party service or tool that supports OpenID Connect, you can add any OIDC account variable into your projects variable set and use the `Octopus.OpenIDConnect.Jwt` variable to get access to the request token that can be used for authenticating. | |||
There was a problem hiding this comment.
Sorry I was mistaken before, when using the variables it should be <AccountName>.OpenIDConnect.Jwt
Co-authored-by: Henrik Andersson <henrik.andersson@octopus.com>
[sc-58116]
PR adds descriptions of main Azure OIDC functionality and refactors the supplied scripts to pull the common bits (create service principal) and specific bits (create password for service principal, create federated creds for service principal)
Adds overview of configuration for OIDC
Adds brief overview of signing keys