Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[identity] Support Federated Identity for Service connections - new credential #29392

Merged
merged 37 commits into from
Apr 26, 2024

Conversation

KarishmaGhiya
Copy link
Member

@KarishmaGhiya KarishmaGhiya commented Apr 23, 2024

Packages impacted by this PR

Issues associated with this PR

Fixes #27093
Gist

Describe the problem that is addressed by this PR

Work TBD:

  • Update TS guide
  • Update error messages
  • Test it out for all scenarios

Checklists

  • Added impacted package name to the issue description
  • Added a changelog (if necessary)

@KarishmaGhiya KarishmaGhiya changed the title Service connection credential [identity] Service connection credential Apr 23, 2024
@KarishmaGhiya KarishmaGhiya changed the title [identity] Service connection credential [identity] Support Federated Identity for Service connections Apr 23, 2024
@KarishmaGhiya KarishmaGhiya changed the title [identity] Support Federated Identity for Service connections [identity] Support Federated Identity for Service connections - new credential Apr 23, 2024
@azure-sdk
Copy link
Collaborator

API change check

APIView has identified API level changes in this PR and created following API reviews.

@azure/identity

@KarishmaGhiya
Copy link
Member Author

// should we test for a GUID?

Copy link
Member

@maorleger maorleger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for getting this started! There are a few items that should be addressed before merging but it's coming together well - let me know how I can help

sdk/identity/identity/review/identity.api.md Outdated Show resolved Hide resolved
@@ -104,6 +104,16 @@ export interface AzureDeveloperCliCredentialOptions extends MultiTenantTokenCred
tenantId?: string;
}

// @public (undocumented)
export class AzurePipelinesServiceConnectionCredential implements TokenCredential {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do think that AzurePipelinesCredential with a constructor that takes a required serviceConnectionId should be in consideration.

I know we've gone back and forth on this design and will support this current design, but I think

const myServiceConnectionId = "12345"
const credential = new AzurePipelinesCredential(clientId, tenantId, myServiceConnectionId)

is clear and offers a path to extending this via constructor overloads. Then, everything under the umbrella of "use this credential in Azure DevOps" can be bucketed and discovered under one name...

Copy link
Member

@maorleger maorleger Apr 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To clarify, I am proposing renaming this credential to AzurePipelineCredential -otherwise the constructor LGTM

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

plural :D

private serviceConnectionId: string | undefined;

/**
* AzurePipelinesServiceConnectionCredential supports Microsoft Entra Workload ID on Kubernetes.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this comment is incorrect right? Probably copy-paste?

What do we want to document here?

I think we probably want to:

  1. Link to the entra docs
  2. Provide a little more context on what this credential is used for

Try copilot to generate some docs😄

sdk/identity/identity/src/util/logging.ts Show resolved Hide resolved
Copy link
Member

@scottaddie scottaddie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

) {
return;
}
const missingEnvVars = [];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit (feel free to ignore): a loop would be easier to follow and modify in the future

Pseudocode:

const requiredEnvVars = ["SYSTEM_TEAMFOUNDATIONCOLLECTIONURI", "SYSTEM_TEAMPROJECTID" ....etc]
const missingEnvVars = requiredEnvVars.filter(e => !process.env[e])
if (missingEnvVars.length > 0) { etc

Copy link
Member

@maorleger maorleger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few more comments that have not been addressed but I don't want to block us getting a nightly build out. Thank you for being patient with me!

sdk/identity/identity/review/identity.api.md Outdated Show resolved Hide resolved
serviceConnectionId: string,
options?: AzurePipelinesServiceConnectionCredentialOptions
) {
checkTenantId(logger, tenantId);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not blocking this PR if you prefer to make an issue and get a dev-build going

if (!isLiveMode()) {
this.skip();
}
// this serviceConnection corresponds to the Azure SDK Test Resources - LiveTestSecrets service
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@KarishmaGhiya KarishmaGhiya force-pushed the service-connection-credential branch from a8aefa0 to 00e9aec Compare April 25, 2024 22:43
@KarishmaGhiya KarishmaGhiya force-pushed the service-connection-credential branch from 3ea025e to 9b42986 Compare April 25, 2024 23:57
@KarishmaGhiya
Copy link
Member Author

KarishmaGhiya commented Apr 26, 2024

Reminder to add the new credential type to https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md#credential-classes

done, don't have a learn.microsoft url for this since credential is not published so didn't add that

@KarishmaGhiya KarishmaGhiya enabled auto-merge (squash) April 26, 2024 00:24
@KarishmaGhiya KarishmaGhiya merged commit 63dce5e into Azure:main Apr 26, 2024
24 checks passed
const clientId = "<YOUR_CLIENT_ID>"
const tenantId = "<YOUR_TENANT_ID>"
const serviceConnectionId = "<YOUR_SERVICE_CONNECTION_ID>"
const credential = new AzurePipelinesServiceConnection(tenantId, clientId, serviceConnectionId);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this intended to be AzurePipelinesServiceConnectionCredential?

@jhwj9617
Copy link

jhwj9617 commented Jun 3, 2024

Does this/will this work with DefaultAzureCredential?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Development

Successfully merging this pull request may close these issues.

Add Support for Workload Identity Federation for Azure Service Connections
6 participants