[identity] Support Federated Identity for Service connections - new credential #29392
API change check: APIView has identified API level changes in this PR and created the following API reviews.
// should we test for a GUID?
Thanks for getting this started! There are a few items that should be addressed before merging but it's coming together well - let me know how I can help
@@ -104,6 +104,16 @@ export interface AzureDeveloperCliCredentialOptions extends MultiTenantTokenCred | |||
tenantId?: string; | |||
} | |||
|
|||
// @public (undocumented) | |||
export class AzurePipelinesServiceConnectionCredential implements TokenCredential { |
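Review bot: the API review marks `AzurePipelinesServiceConnectionCredential` as `@public (undocumented)` (the line directly above `export class ...`), so the new exported class ships with no TSDoc. Add a class-level doc comment stating that it authenticates via an Azure Pipelines service connection and linking the relevant Entra documentation, so the public surface is documented before the nightly build goes out.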
I do think that `AzurePipelinesCredential` with a constructor that takes a required `serviceConnectionId` should be in consideration.
I know we've gone back and forth on this design and will support this current design, but I think

```ts
const myServiceConnectionId = "12345"
const credential = new AzurePipelinesCredential(clientId, tenantId, myServiceConnectionId)
```

is clear and offers a path to extending this via constructor overloads. Then, everything under the umbrella of "use this credential in Azure DevOps" can be bucketed and discovered under one name...
To clarify, I am proposing renaming this credential to `AzurePipelineCredential` - otherwise the constructor LGTM
plural :D
sdk/identity/identity/src/credentials/azurePipelinesServiceConnectionCredential.ts
private serviceConnectionId: string | undefined; | ||
|
||
/** | ||
* AzurePipelinesServiceConnectionCredential supports Microsoft Entra Workload ID on Kubernetes. |
I think this comment is incorrect right? Probably copy-paste?
What do we want to document here?
I think we probably want to:
- Link to the entra docs
- Provide a little more context on what this credential is used for
Try copilot to generate some docs😄
sdk/identity/identity/src/credentials/azurePipelinesServiceConnectionCredential.ts
sdk/identity/identity/test/public/node/azurePipelinesServiceConnection.spec.ts
Reminder to add the new credential type to https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md#credential-classes
sdk/identity/identity/src/credentials/azurePipelinesServiceConnectionCredential.ts
) { | ||
return; | ||
} | ||
const missingEnvVars = []; |
nit (feel free to ignore): a loop would be easier to follow and modify in the future
Pseudocode:

```ts
const requiredEnvVars = ["SYSTEM_TEAMFOUNDATIONCOLLECTIONURI", "SYSTEM_TEAMPROJECTID" ....etc]
const missingEnvVars = requiredEnvVars.filter(e => !process.env[e])
if (missingEnvVars.length > 0) { etc
```
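The filter-based preflight check sketched in the comment above, together with the earlier "should we test for a GUID?" question, carried through to working code. This is an added example and not code from the azure-sdk-for-js PR: the two `SYSTEM_*` variable names come from the comment, the check that a service connection id is GUID-shaped is an assumption (the thread leaves it open), and `validateCredentialInputs` / `assertCredentialInputs` and the sample values are hypothetical names and constructed data. It takes the environment as a parameter rather than reading `process.env` so it can be tested offline and reports every problem at once, which is what a pipeline log needs when a job is misconfigured.

```typescript
// Added example, not the project's code: preflight validation for the inputs an
// Azure Pipelines service-connection credential would need.

// Variable names taken from the review comment; the real credential may need more.
const REQUIRED_ENV_VARS: readonly string[] = [
  "SYSTEM_TEAMFOUNDATIONCOLLECTIONURI",
  "SYSTEM_TEAMPROJECTID",
];

// Canonical GUID layout (8-4-4-4-12 hex digits). Format check only; it says nothing
// about whether the service connection exists. Treating the id as a GUID is an assumption.
const GUID_RE = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

export type Env = Record<string, string | undefined>;

export interface CredentialInputs {
  tenantId: string;
  clientId: string;
  serviceConnectionId: string;
}

// Names of required variables that are unset or empty, in declaration order.
export function findMissingEnvVars(
  env: Env,
  required: readonly string[] = REQUIRED_ENV_VARS,
): string[] {
  return required.filter((name) => !env[name]);
}

export function isGuid(value: string): boolean {
  return GUID_RE.test(value);
}

// Collects every problem instead of stopping at the first. An empty array means
// the inputs look usable; nothing here contacts Azure DevOps or Entra.
export function validateCredentialInputs(inputs: CredentialInputs, env: Env): string[] {
  const problems: string[] = [];
  // tenantId is only checked for presence here; its format is the job of the
  // project's own checkTenantId, which also accepts non-GUID tenant values.
  if (!inputs.tenantId) problems.push("tenantId is required");
  if (!inputs.clientId) problems.push("clientId is required");
  if (!inputs.serviceConnectionId) {
    problems.push("serviceConnectionId is required");
  } else if (!isGuid(inputs.serviceConnectionId)) {
    problems.push(`serviceConnectionId "${inputs.serviceConnectionId}" is not a GUID`);
  }
  for (const name of findMissingEnvVars(env)) {
    problems.push(`environment variable ${name} is not set (is this running in an Azure Pipelines job?)`);
  }
  return problems;
}

// Throwing wrapper for use at construction time; the message lists every problem
// so a failing job shows the whole picture instead of one error per re-run.
export function assertCredentialInputs(inputs: CredentialInputs, env: Env): void {
  const problems = validateCredentialInputs(inputs, env);
  if (problems.length > 0) {
    throw new Error(`AzurePipelinesServiceConnectionCredential: ${problems.join("; ")}`);
  }
}

// Constructed sample values; none of these are real identifiers.
export const SAMPLE_ENV: Env = {
  SYSTEM_TEAMFOUNDATIONCOLLECTIONURI: "https://dev.azure.com/contoso/",
  SYSTEM_TEAMPROJECTID: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
};

export const SAMPLE_INPUTS: CredentialInputs = {
  tenantId: "11111111-2222-3333-4444-555555555555",
  clientId: "66666666-7777-8888-9999-000000000000",
  serviceConnectionId: "12345678-90ab-cdef-1234-567890abcdef",
};
```

In the credential constructor this would run before any network call, so a missing pipeline variable or a mistyped service connection id is rejected at construction with a specific message rather than surfacing later as a generic token request failure.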
sdk/identity/identity/src/credentials/azurePipelinesServiceConnectionCredential.ts
Just a few more comments that have not been addressed but I don't want to block us getting a nightly build out. Thank you for being patient with me!
serviceConnectionId: string, | ||
options?: AzurePipelinesServiceConnectionCredentialOptions | ||
) { | ||
checkTenantId(logger, tenantId); |
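Review bot: only `tenantId` is validated here (`checkTenantId(logger, tenantId)`); `serviceConnectionId`, the parameter two lines above, has no visible check. An empty or malformed id would only fail later at token request time with a less specific error, so add an up-front non-empty check in the constructor (and settle the earlier open question in this review of whether it should also be validated as a GUID), logging which parameter was rejected the same way `checkTenantId` does.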
Not blocking this PR if you prefer to make an issue and get a dev-build going
if (!isLiveMode()) { | ||
this.skip(); | ||
} | ||
// this serviceConnection corresponds to the Azure SDK Test Resources - LiveTestSecrets service |
👍
a8aefa0 to 00e9aec
…nectionCredential.ts Co-authored-by: Scott Addie <[email protected]>
…nectionCredential.ts Co-authored-by: Maor Leger <[email protected]>
3ea025e to 9b42986
done, don't have a learn.microsoft url for this since credential is not published so didn't add that
const clientId = "<YOUR_CLIENT_ID>" | ||
const tenantId = "<YOUR_TENANT_ID>" | ||
const serviceConnectionId = "<YOUR_SERVICE_CONNECTION_ID>" | ||
const credential = new AzurePipelinesServiceConnection(tenantId, clientId, serviceConnectionId); |
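Review bot: beyond the class name (`AzurePipelinesServiceConnection` here versus the `AzurePipelinesServiceConnectionCredential` class this PR adds), confirm the argument order in this README snippet matches the constructor: the snippet passes `tenantId` first and `clientId` second, the earlier design proposal in this thread showed `clientId` first, and the constructor diff above only shows `serviceConnectionId` as the last positional parameter. The first three lines also omit semicolons while the last has one; make the snippet consistent with the rest of the README.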
Is this intended to be `AzurePipelinesServiceConnectionCredential`?
Does this/will this work with DefaultAzureCredential?
Issues associated with this PR
Fixes #27093