Skip to content

Azure credentials update#15111

Merged
pavel-purma merged 4 commits intomainfrom
dev/pavelpurma/AzureIdentityForPublishUpdate
Jan 20, 2025
Merged

Azure credentials update#15111
pavel-purma merged 4 commits intomainfrom
dev/pavelpurma/AzureIdentityForPublishUpdate

Conversation

@pavel-purma
Copy link
Copy Markdown
Contributor

@pavel-purma pavel-purma commented Sep 27, 2024

Update Azure Identity Credentials

  • prefer AzurePipelineCredential if all environment variables are set
  • cache initialization moved to DefaultIdentityTokenCredential so you can use only DefaultIdentityTokenCredential class with options and optionally disable short cache by DisableShortCache option
  • Publish packages, blobs and symbols task set to use AzurePipelineCredential by adding SYSTEM_ACCESSTOKEN env value
  • PublishArtifactsInManifestBase - use DefaultIdentityTokenCredential in symbols publishing

@pavel-purma pavel-purma force-pushed the dev/pavelpurma/AzureIdentityForPublishUpdate branch 2 times, most recently from 3805f20 to a62085f Compare September 27, 2024 13:21
@pavel-purma pavel-purma force-pushed the dev/pavelpurma/AzureIdentityForPublishUpdate branch from a62085f to 0c1c6c4 Compare October 30, 2024 12:56
@mmitche
Copy link
Copy Markdown
Member

mmitche commented Dec 18, 2024

@pavel-purma Still need this?

mmitche
mmitche reviewed Dec 18, 2024
View reviewed changes
eng/publishing/v3/publish.yml Outdated
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
inputs:
azureSubscription: maestro-build-promotion
addSpnToEnvironment: true
Copy link
Copy Markdown
Member

@mmitche mmitche Dec 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does the pipeline credential get access to publish blobs?

Copy link
Copy Markdown
Contributor Author

@pavel-purma pavel-purma Jan 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will use AzurePipelinesCredential when SYSTEM_ACCESSTOKEN environment variable provided. If not, ManagedIdentity/AzureCliCredential would be configured to ChainedTokenCredential

@pavel-purma pavel-purma force-pushed the dev/pavelpurma/AzureIdentityForPublishUpdate branch from 75530cf to 5078af8 Compare January 20, 2025 09:31
@pavel-purma
Copy link
Copy Markdown
Contributor Author

pavel-purma commented Jan 20, 2025

@mmitche, this PR switches from DefaultAzureCredential to AzurePipelineCredential (DefaultIdentityTokenCredential standard pipeline authentication) which can issue tokens even after 10 minutes expiration issue of federated token. Authentication mechanism is also faster than in cases when DefaultAzureCredential falls to AzureCliCredential. In blob publishing this is already in use. Here, this code enables it also for symbols publishing.

premun
premun reviewed Jan 20, 2025
View reviewed changes
src/Microsoft.DotNet.ArcadeAzureIntegration/DefaultIdentityTokenCredential.cs
Comment on lines +106 to +107
var ret = new ChainedTokenCredential(tokenCredentials.ToArray());
return ret;
Copy link
Copy Markdown
Member

@premun premun Jan 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var ret = new ChainedTokenCredential(tokenCredentials.ToArray());
return ret;
return new ChainedTokenCredential(tokenCredentials.ToArray());

@pavel-purma pavel-purma merged commit 0a21d8d into main Jan 20, 2025
@pavel-purma pavel-purma deleted the dev/pavelpurma/AzureIdentityForPublishUpdate branch January 20, 2025 13:37
pavel-purma added a commit that referenced this pull request Jan 29, 2025
@pavel-purma
Azure credentials update (#15111)
1afc182 
Co-authored-by: Pavel Purma <pavelpurma@microsoft.com>
# Conflicts:
#	src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs
pavel-purma added a commit that referenced this pull request Jan 29, 2025
@pavel-purma
Azure credentials update (#15111) (#15464)
cae548d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mmitche mmitche mmitche left review comments

@premun premun premun approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pavel-purma @mmitche @premun