
Identity azure pipelines service connection #40246

Merged

billwert
Contributor

@billwert billwert commented May 18, 2024

Closes #36842

Description

Please add an informative description that covers the changes made by the pull request and link all relevant issues.

If an SDK is being regenerated based on a new swagger spec, a link to the pull request containing these swagger spec changes has been included above.

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

@azure-sdk
Collaborator

API change check

APIView has identified API level changes in this PR and created following API reviews.

com.azure:azure-identity

@billwert
Contributor Author

/azp run java - identity - tests

No pipelines are associated with this pull request.

@billwert
Contributor Author

/azp run java - identity

Azure Pipelines successfully started running 1 pipeline(s).

@billwert
Contributor Author

/azp run java - identity

Azure Pipelines successfully started running 1 pipeline(s).

@@ -283,6 +284,8 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net"
|---|---|---|
|`CredentialUnavailableException` raised with message. "IntelliJ Authentication not available. Please log in with Azure Tools for IntelliJ plugin in the IDE."| The Credential was not able to locate the cached token to use for authentication. | Ensure that you login on the Azure Tools for IntelliJ plugin, that will populate the cache for the credential to pick up.

## Troubleshoot `AzurePipelinesCredential` authentication issues
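
Review bot: The "Troubleshoot `AzurePipelinesCredential` authentication issues" heading added at the end of this hunk has nothing under it, so the guide gains a section with no error, cause or mitigation rows. Either add a table in the same three-column shape as the IntelliJ one just above it, or hold the heading back until the text is ready.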

Member

Is this meant to be empty?

Contributor Author

Yes, waiting on copy from @KarishmaGhiya.

@@ -62,7 +62,7 @@ HttpPipeline getHttpPipeline(HttpClient httpClient) {
if (interceptorManager.isPlaybackMode()) {
List<TestProxyRequestMatcher> customMatchers = new ArrayList<>();
customMatchers.add(new BodilessMatcher());
customMatchers.add(new CustomMatcher().setExcludedHeaders(Collections.singletonList("X-MRC-CV")));
customMatchers.add(new CustomMatcher().setExcludedHeaders(Arrays.asList("X-MRC-CV", "x-client-CPU")));
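
Review bot: Adding `x-client-CPU` to the excluded headers in the last `CustomMatcher` line loosens playback matching for recordings that go through `getHttpPipeline`, and nothing in the hunk says why the credential change needs it. Move it to its own change or add a comment explaining the header; since the line it replaces used `Collections.singletonList(...)`, also confirm that `java.util.Arrays` is imported in this file.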

Contributor Author

This actually snuck in from another PR; will remove it.

if (client == null) {
HttpClient.createDefault();
}
HttpPipeline pipeline = IdentityClientBase.setupPipeline(client, identityClientOptions);
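
Review bot: In the `if (client == null)` branch the return value of `HttpClient.createDefault()` is discarded, so `client` is still null when it reaches `IdentityClientBase.setupPipeline(client, identityClientOptions)`. Assign the result, `client = HttpClient.createDefault();`, or drop the branch if `setupPipeline` already handles a null client.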

Member

@g2vinay g2vinay May 23, 2024

We should refactor this to utilize/reuse a single instance of Pipeline from IdentityClientBase.
This is not consistent with the pattern of single pipeline instance per client with other SDKs.
One way is to make this a Function<HttpPipeline, Supplier<String>> and apply the function in IdentityClient when the assertion needs to be passed to MSAL.

Contributor Author

Will look at this in a refactor before GA.

}
HttpPipeline pipeline = IdentityClientBase.setupPipeline(client, identityClientOptions);
try {
URL url = new URL(requestUrl);
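
Review bot: `new URL(requestUrl)` on the last line accepts any scheme the JVM has a handler for, and the visible lines do not check the result before the pipeline is used. Require `https` and fail with a clear credential error on a malformed or non-HTTPS value, so a bad `requestUrl` is rejected before any request is sent to it.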

Member

@g2vinay g2vinay May 23, 2024

This is all impl logic, it can be moved to IdentityClientBase and accessed directly there with the pipeline instance in the client.

@@ -3,6 +3,7 @@
## 1.13.0-beta.1 (Unreleased)

### Features Added
- Added `AzurePipelinesCredential`
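
Review bot: The "Added `AzurePipelinesCredential`" entry under Features Added names the type but not what it authenticates or where it is meant to run. Add a short clause stating the scenario so a reader of the changelog can tell whether the credential applies to them.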

Member

We can elaborate on what use case this credential solves as a one liner here.

@billwert
Contributor Author

/azp run java - identity

Azure Pipelines successfully started running 1 pipeline(s).

@scottaddie
Member

@billwert Please also add a row for the new credential type to the top of this table: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/README.md#authenticate-service-principals

@billwert
Contributor Author

> @billwert Please also add a row for the new credential type to the top of this table: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/README.md#authenticate-service-principals

done.

@billwert billwert force-pushed the identity-azure-pipelines-service-connection branch from d6bb253 to 50c6f45 Compare May 23, 2024 22:17
@@ -3,6 +3,7 @@
## 1.13.0-beta.1 (Unreleased)

### Features Added
- Added `AzurePipelinesCredential` to support [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml).
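
Review bot: In the changelog entry the link text says "Microsoft Entra Workload ID" while the target is the Azure DevOps `pipelines/library/service-endpoints` page, so the text and the destination describe different things. Either link to a Workload ID page or reword the entry so it names Azure Pipelines service connections, which is what the linked page covers.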

Member

You'll want to add something like "in Azure Pipelines service connections" at the end of this sentence.

@billwert billwert enabled auto-merge (squash) May 23, 2024 22:46
@billwert billwert merged commit ead0569 into Azure:main May 23, 2024
19 checks passed
@billwert billwert deleted the identity-azure-pipelines-service-connection branch May 24, 2024 00:23
Successfully merging this pull request may close these issues.

Add Support for Workload Identity Federation for Azure Service Connections
4 participants