From d4356d43aa3dc6f213efcb6b737add6de3468179 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 28 Oct 2024 08:06:52 -0700 Subject: [PATCH 1/9] update federated auth config --- sdk/identity/ci.yml | 7 ++++++- sdk/identity/test-resources-post.ps1 | 1 - sdk/identity/test-resources-pre.ps1 | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sdk/identity/ci.yml b/sdk/identity/ci.yml index a9be537aebd44..460a03ab1f49c 100644 --- a/sdk/identity/ci.yml +++ b/sdk/identity/ci.yml @@ -74,14 +74,19 @@ extends: CalledFromClient: true ServiceDirectory: identity SupportedClouds: 'Public,UsGov,China' - UseFederatedAuth: false EnvVars: SYSTEM_ACCESSTOKEN: $(System.AccessToken) + ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN) + ARM_CLIENT_ID: $(ARM_CLIENT_ID) + ARM_TENANT_ID: $(ARM_TENANT_ID) CloudConfig: Public: SubscriptionConfigurations: - $(sub-config-azure-cloud-test-resources) - $(sub-config-identity-test-resources) + ServiceConnection: azure-sdk-tests + SubscriptionConfigurationFilePaths: + - eng/common/TestResources/sub-config/AzurePublicMsft.json Artifacts: - name: azure-identity groupId: com.azure diff --git a/sdk/identity/test-resources-post.ps1 b/sdk/identity/test-resources-post.ps1 index ed0624e1abfc0..847fa5d02f543 100644 --- a/sdk/identity/test-resources-post.ps1 +++ b/sdk/identity/test-resources-post.ps1 @@ -42,7 +42,6 @@ $azBuildToolsRootPom = "$PSScriptRoot/../../eng/code-quality-reports/pom.xml" | $funcAppRoot = "$PSScriptRoot/live-test-apps/identity-test-function" | Resolve-Path $funcAppPom = "$funcAppRoot/pom.xml" | Resolve-Path -az login --service-principal -u $(getVariable('IDENTITY_CLIENT_ID')) -p $(getVariable('IDENTITY_CLIENT_SECRET')) --tenant $(getVariable('IDENTITY_TENANT_ID')) az account set --subscription $(getVariable('IDENTITY_SUBSCRIPTION_ID')) diff --git a/sdk/identity/test-resources-pre.ps1 b/sdk/identity/test-resources-pre.ps1 index 86029479d2b00..3ec8eeee0c4c6 100644 --- a/sdk/identity/test-resources-pre.ps1 
+++ b/sdk/identity/test-resources-pre.ps1 @@ -27,7 +27,7 @@ $sshKey = Get-Content $PSScriptRoot/sshKey.pub $templateFileParameters['sshPubKey'] = $sshKey # Get the max version that is not preview and then get the name of the patch version with the max value -az login --service-principal -u $TestApplicationId -p $TestApplicationSecret --tenant $TenantId +az login --service-principal -u $TestApplicationId -p $TestApplicationSecret --tenant $TenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN $versions = az aks get-versions -l westus -o json | ConvertFrom-Json Write-Host "AKS versions: $($versions | ConvertTo-Json -Depth 100)" $patchVersions = $versions.values | Where-Object { $_.isPreview -eq $null } | Select-Object -ExpandProperty patchVersions From 402c03c78df188b09f46082efe4808f3e0a75a55 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 28 Oct 2024 08:47:18 -0700 Subject: [PATCH 2/9] update ci --- sdk/identity/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/sdk/identity/ci.yml b/sdk/identity/ci.yml index 460a03ab1f49c..6fac3236e03b0 100644 --- a/sdk/identity/ci.yml +++ b/sdk/identity/ci.yml @@ -75,7 +75,6 @@ extends: ServiceDirectory: identity SupportedClouds: 'Public,UsGov,China' EnvVars: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN) ARM_CLIENT_ID: $(ARM_CLIENT_ID) ARM_TENANT_ID: $(ARM_TENANT_ID) From fc40de3b543f7e3d9721d8bf1a73ca0361db1cc6 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 28 Oct 2024 08:55:39 -0700 Subject: [PATCH 3/9] update AKS tests --- .../src/test/java/LiveManagedIdentityTests.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sdk/identity/azure-identity/src/test/java/LiveManagedIdentityTests.java b/sdk/identity/azure-identity/src/test/java/LiveManagedIdentityTests.java index b152751ea4ea4..cce20e0bdd8f1 100644 --- a/sdk/identity/azure-identity/src/test/java/LiveManagedIdentityTests.java 
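Review bot: The rewritten login line passes two credentials for one service principal, `-p $TestApplicationSecret` and `--federated-token $env:ARM_OIDC_TOKEN`; az login expects one or the other, so the federated-token form should drop `-p $TestApplicationSecret` (patch 6 of this series does exactly that). The token is also used unguarded: if the pipeline does not export `ARM_OIDC_TOKEN`, az receives an empty `--federated-token` argument and fails with an error that does not name the missing variable, so a precondition such as `if (-not $env:ARM_OIDC_TOKEN) { throw 'ARM_OIDC_TOKEN is not set' }` directly above the login would make the failure diagnosable; the same applies to the rewritten login lines in patches 6, 7, 8 and 9 of this series, which keep `$env:ARM_OIDC_TOKEN` without a check. The script body continues outside the hunk.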
+++ b/sdk/identity/azure-identity/src/test/java/LiveManagedIdentityTests.java @@ -70,9 +70,9 @@ public void testManagedIdentityAksDeployment() { //Setup Env Configuration configuration = Configuration.getGlobalConfiguration().clone(); - String spClientId = configuration.get("IDENTITY_CLIENT_ID"); - String secret = configuration.get("IDENTITY_CLIENT_SECRET"); - String tenantId = configuration.get("IDENTITY_TENANT_ID"); + String spClientId = configuration.get("ARM_CLIENT_ID"); + String oidc = configuration.get("ARM_OIDC_TOKEN"); + String tenantId = configuration.get("ARM_TENANT_ID"); String resourceGroup = configuration.get("IDENTITY_RESOURCE_GROUP"); String aksCluster = configuration.get("IDENTITY_AKS_CLUSTER_NAME"); String subscriptionId = configuration.get("IDENTITY_SUBSCRIPTION_ID"); @@ -82,7 +82,7 @@ public void testManagedIdentityAksDeployment() { String azPath = runCommand(pathCommand, "az").trim(); String kubectlPath = runCommand(pathCommand, "kubectl").trim(); - runCommand(azPath, "login", "--service-principal", "-u", spClientId, "-p", secret, "--tenant", tenantId); + runCommand(azPath, "login", "--federated-token",oidc, "--service-principal", "-u", spClientId, "--tenant", tenantId); runCommand(azPath, "account", "set", "--subscription", subscriptionId); runCommand(azPath, "aks", "get-credentials", "--resource-group", resourceGroup, "--name", aksCluster, "--overwrite-existing"); From da2f6ee969b99ed06293f3f5aef5ee933c924f05 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 28 Oct 2024 09:00:39 -0700 Subject: [PATCH 4/9] update CI yml --- sdk/identity/ci.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/sdk/identity/ci.yml b/sdk/identity/ci.yml index 6fac3236e03b0..273e7a108b5f2 100644 --- a/sdk/identity/ci.yml +++ b/sdk/identity/ci.yml 
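Review bot: `oidc` is read from `ARM_OIDC_TOKEN` in the first hunk and handed straight to `runCommand` in the second with no null check, so a missing variable surfaces as a NullPointerException (or a literal `null` argument) from the process launch rather than as a clear message; a check next to the other reads, e.g. `Assertions.assertNotNull(oidc, "ARM_OIDC_TOKEN is not set");` or whatever assertion helper this test class already uses, would point at the real cause. Style: `"--federated-token",oidc` lacks the space after the comma that the neighbouring arguments have. Note that the token, like the secret it replaces, travels as a command-line argument, so it is visible to anything that lists processes on the agent and would appear in the build log if `runCommand` echoes its arguments (not visible here); the token's limited lifetime reduces that exposure compared with the previous long-lived secret, which is worth a one-line comment at the login call. `testManagedIdentityAksDeployment` starts before and continues after both hunks.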
@@ -83,9 +83,6 @@ extends: SubscriptionConfigurations: - $(sub-config-azure-cloud-test-resources) - $(sub-config-identity-test-resources) - ServiceConnection: azure-sdk-tests - SubscriptionConfigurationFilePaths: - - eng/common/TestResources/sub-config/AzurePublicMsft.json Artifacts: - name: azure-identity groupId: com.azure From e28ac1e87d7c84373df0ea1071d47a353a3efbe8 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 28 Oct 2024 15:23:49 -0700 Subject: [PATCH 5/9] update ci --- sdk/identity/ci.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/sdk/identity/ci.yml b/sdk/identity/ci.yml index 273e7a108b5f2..2b507ae8749ea 100644 --- a/sdk/identity/ci.yml +++ b/sdk/identity/ci.yml @@ -71,6 +71,22 @@ extends: LiveTestStages: - template: /eng/pipelines/templates/stages/archetype-sdk-tests-isolated.yml parameters: + PreSteps: + - task: AzureCLI@2 + displayName: Set OIDC variables + env: + ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN) + ARM_CLIENT_ID: $(ARM_CLIENT_ID) + ARM_TENANT_ID: $(ARM_TENANT_ID) + inputs: + azureSubscription: azure-sdk-tests + scriptType: pscore + scriptLocation: inlineScript + addSpnToEnvironment: true + inlineScript: | + Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$($env:servicePrincipalId)" + Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$($env:tenantId)" + Write-Host "##vso[task.setvariable variable=ARM_OIDC_TOKEN;issecret=true]$($env:idToken)" CalledFromClient: true ServiceDirectory: identity SupportedClouds: 'Public,UsGov,China' From bd810b374362851a0144529eea33287407280abc Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 28 Oct 2024 15:52:15 -0700 Subject: [PATCH 6/9] update pre ps1 to use ARM user --- sdk/identity/test-resources-pre.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/identity/test-resources-pre.ps1 b/sdk/identity/test-resources-pre.ps1 index 3ec8eeee0c4c6..c0d2b86dc7e44 100644 --- a/sdk/identity/test-resources-pre.ps1 
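Review bot: The `env:` block on the new AzureCLI@2 task maps `ARM_OIDC_TOKEN`, `ARM_CLIENT_ID` and `ARM_TENANT_ID` from pipeline variables that this same task's `inlineScript` is what defines, so when the step runs the `$(…)` macros are still undefined and the three `env:` lines contribute nothing; they can be removed, leaving `addSpnToEnvironment: true` to supply `servicePrincipalId`, `tenantId` and `idToken`. `ARM_CLIENT_ID` and `ARM_TENANT_ID` are written with `issecret=true` although neither is a secret; masking them hides useful values from the log, while `ARM_OIDC_TOKEN` is the one value that does need it. The `idToken` captured here is presumably short-lived, so live-test steps that run long after this PreStep may find it expired — worth a comment on the task if that trade-off is accepted. The `PreSteps` list sits inside a `parameters:` block that continues outside the hunk.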
+++ b/sdk/identity/test-resources-pre.ps1 @@ -27,7 +27,7 @@ $sshKey = Get-Content $PSScriptRoot/sshKey.pub $templateFileParameters['sshPubKey'] = $sshKey # Get the max version that is not preview and then get the name of the patch version with the max value -az login --service-principal -u $TestApplicationId -p $TestApplicationSecret --tenant $TenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN +az login --service-principal -u $env:ARM_CLIENT_ID --tenant $env:ARM_TENANT_ID --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN $versions = az aks get-versions -l westus -o json | ConvertFrom-Json Write-Host "AKS versions: $($versions | ConvertTo-Json -Depth 100)" $patchVersions = $versions.values | Where-Object { $_.isPreview -eq $null } | Select-Object -ExpandProperty patchVersions From 9672d4b202cf946caa6a97a8022a5ef1fb842066 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 28 Oct 2024 16:18:07 -0700 Subject: [PATCH 7/9] update test resources ps1 --- sdk/identity/test-resources-pre.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/identity/test-resources-pre.ps1 b/sdk/identity/test-resources-pre.ps1 index c0d2b86dc7e44..33768b40fcabd 100644 --- a/sdk/identity/test-resources-pre.ps1 +++ b/sdk/identity/test-resources-pre.ps1 
@@ -27,7 +27,7 @@ $sshKey = Get-Content $PSScriptRoot/sshKey.pub $templateFileParameters['sshPubKey'] = $sshKey # Get the max version that is not preview and then get the name of the patch version with the max value -az login --service-principal -u $env:ARM_CLIENT_ID --tenant $env:ARM_TENANT_ID --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN +az login --service-principal -u $TestApplicationId --tenant $TenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN $versions = az aks get-versions -l westus -o json | ConvertFrom-Json Write-Host "AKS versions: $($versions | ConvertTo-Json -Depth 100)" $patchVersions = $versions.values | Where-Object { $_.isPreview -eq $null } | Select-Object -ExpandProperty patchVersions From 24df15fc0e9d05cd7036de753816dc7500b5f634 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Tue, 29 Oct 2024 13:30:53 -0700 Subject: [PATCH 8/9] add persist oidc token flow --- eng/pipelines/templates/jobs/live.tests.yml | 2 ++ .../stages/archetype-sdk-tests-isolated.yml | 4 ++++ .../templates/stages/archetype-sdk-tests.yml | 3 +++ sdk/identity/ci.yml | 23 ++++--------------- sdk/identity/test-resources-post.ps1 | 2 +- sdk/identity/test-resources-pre.ps1 | 14 +++++++++-- 6 files changed, 26 insertions(+), 22 deletions(-) diff --git a/eng/pipelines/templates/jobs/live.tests.yml b/eng/pipelines/templates/jobs/live.tests.yml index 5445ed4b6e0b0..c34ca56a706b4 100644 --- a/eng/pipelines/templates/jobs/live.tests.yml +++ b/eng/pipelines/templates/jobs/live.tests.yml @@ -24,6 +24,7 @@ parameters: UseHttpFaultInjector: false OSName: UseFederatedAuth: false + PersistOidcToken: false jobs: - job: 
@@ -113,6 +114,7 @@ jobs: SubscriptionConfiguration: $(SubscriptionConfiguration) ArmTemplateParameters: $(ArmTemplateParameters) UseFederatedAuth: ${{ parameters.UseFederatedAuth }} + PersistOidcToken: ${{ parameters.PersistOidcToken }} ServiceConnection: ${{ parameters.CloudConfig.ServiceConnection }} SubscriptionConfigurationFilePaths: ${{ parameters.CloudConfig.SubscriptionConfigurationFilePaths }} EnvVars: diff --git a/eng/pipelines/templates/stages/archetype-sdk-tests-isolated.yml b/eng/pipelines/templates/stages/archetype-sdk-tests-isolated.yml index c29b1e7e1efc5..976a31b22e1cc 100644 --- a/eng/pipelines/templates/stages/archetype-sdk-tests-isolated.yml +++ b/eng/pipelines/templates/stages/archetype-sdk-tests-isolated.yml @@ -115,6 +115,9 @@ parameters: - name: AdditionalSparseCheckoutPaths type: object default: [] +- name: PersistOidcToken + type: boolean + default: false stages: - ${{ each cloud in parameters.CloudConfig }}: @@ -165,6 +168,7 @@ stages: TestOptions: ${{ parameters.TestOptions }} UseHttpFaultInjector: ${{ parameters.UseHttpFaultInjector }} UseFederatedAuth: ${{ parameters.UseFederatedAuth }} + PersistOidcToken: ${{ parameters.PersistOidcToken }} MatrixConfigs: # Enumerate platforms and additional platforms based on supported clouds (sparse platform<-->cloud matrix). diff --git a/eng/pipelines/templates/stages/archetype-sdk-tests.yml b/eng/pipelines/templates/stages/archetype-sdk-tests.yml index c56963a9b2f9b..d15c39c033aee 100644 --- a/eng/pipelines/templates/stages/archetype-sdk-tests.yml +++ b/eng/pipelines/templates/stages/archetype-sdk-tests.yml @@ -106,6 +106,9 @@ parameters: - name: UseFederatedAuth type: boolean default: true + - name: PersistOidcToken + type: boolean + default: false extends: template: /eng/pipelines/templates/stages/1es-redirect.yml diff --git a/sdk/identity/ci.yml b/sdk/identity/ci.yml index 2b507ae8749ea..b048c5f0f0b4f 100644 --- a/sdk/identity/ci.yml +++ b/sdk/identity/ci.yml 
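Review bot: The new `PersistOidcToken` parameter is declared in `archetype-sdk-tests-isolated.yml` and `archetype-sdk-tests.yml` and threaded through `live.tests.yml` without any comment saying what it persists or where, and the template that actually consumes it is not part of this patch. Since the persisted value is presumably the service connection's federated token, which later steps present as a credential, a one-line comment above each `- name: PersistOidcToken` such as `# When true, the service connection's OIDC token is saved as a secret pipeline variable for later steps; see the consuming template.` would tell readers why a service opts in and what is exposed by doing so. The same note covers the identical declaration in `archetype-sdk-tests.yml` in this hunk group.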
@@ -71,29 +71,14 @@ extends: LiveTestStages: - template: /eng/pipelines/templates/stages/archetype-sdk-tests-isolated.yml parameters: - PreSteps: - - task: AzureCLI@2 - displayName: Set OIDC variables - env: - ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN) - ARM_CLIENT_ID: $(ARM_CLIENT_ID) - ARM_TENANT_ID: $(ARM_TENANT_ID) - inputs: - azureSubscription: azure-sdk-tests - scriptType: pscore - scriptLocation: inlineScript - addSpnToEnvironment: true - inlineScript: | - Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$($env:servicePrincipalId)" - Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$($env:tenantId)" - Write-Host "##vso[task.setvariable variable=ARM_OIDC_TOKEN;issecret=true]$($env:idToken)" + PersistOidcToken: true + Location: 'westus2' CalledFromClient: true ServiceDirectory: identity SupportedClouds: 'Public,UsGov,China' EnvVars: - ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN) - ARM_CLIENT_ID: $(ARM_CLIENT_ID) - ARM_TENANT_ID: $(ARM_TENANT_ID) + AZURE_TENANT_ID: $(IDENTITY_TENANT_ID) + AZURE_CLIENT_ID: $(IDENTITY_CLIENT_ID) CloudConfig: Public: SubscriptionConfigurations: diff --git a/sdk/identity/test-resources-post.ps1 b/sdk/identity/test-resources-post.ps1 index 847fa5d02f543..2fda527e2ac23 100644 --- a/sdk/identity/test-resources-post.ps1 +++ b/sdk/identity/test-resources-post.ps1 @@ -42,7 +42,7 @@ $azBuildToolsRootPom = "$PSScriptRoot/../../eng/code-quality-reports/pom.xml" | $funcAppRoot = "$PSScriptRoot/live-test-apps/identity-test-function" | Resolve-Path $funcAppPom = "$funcAppRoot/pom.xml" | Resolve-Path -az account set --subscription $(getVariable('IDENTITY_SUBSCRIPTION_ID')) +# az account set --subscription $(getVariable('IDENTITY_SUBSCRIPTION_ID')) mvn -ntp clean install -DskipTests "-Drevapi.skip=true" "-Dcheckstyle.skip=true" "-Dcodesnippet.skip=true" "-Dspotbugs.skip=true" "-Dmaven.javadoc.skip=true" "-Dspotless.check.skip=true" "-Dspotless.apply.skip=true" "-Djacoco.skip=true" -f $azBuildToolsRootPom | Write-Host 
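Review bot: The new `EnvVars` publish `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` from the IDENTITY_* variables with no matching secret, which only works if the tests authenticate through the persisted OIDC token enabled by `PersistOidcToken: true` above; a comment next to these two lines such as `# No client secret: live tests authenticate with the persisted OIDC token` would record that dependency, since a reader seeing client and tenant IDs alone will go looking for the missing secret. `Location: 'westus2'` is introduced here while `test-resources-pre.ps1` in this same patch still queries `az aks get-versions -l westus`; AKS patch versions can differ between regions, so the version picked from westus may not be deployable in westus2 and the two should agree. The `parameters:` block continues outside the hunk.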
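Review bot: Commenting out `az account set --subscription …` instead of deleting it leaves dead code with no explanation; together with the `az login` removed in patch 1 of this series, the script now performs no `az` authentication or subscription selection of its own, so either delete the line or replace it with a comment stating that the az context is inherited from the pipeline's service connection step. If any `az` commands remain further down the script (outside this hunk), they now depend on that inherited context and on its selected subscription being `IDENTITY_SUBSCRIPTION_ID`, which is worth stating where the line used to be.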
diff --git a/sdk/identity/test-resources-pre.ps1 b/sdk/identity/test-resources-pre.ps1 index 33768b40fcabd..f4fc86066516f 100644 --- a/sdk/identity/test-resources-pre.ps1 +++ b/sdk/identity/test-resources-pre.ps1 @@ -13,7 +13,15 @@ param ( [Parameter(ParameterSetName = 'Provisioner', Mandatory = $true)] [ValidateNotNullOrEmpty()] - [string] $TenantId + [string] $TenantId, + + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [string] $SubscriptionId, + + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [string] $Environment ) $az_version = az version @@ -27,7 +35,9 @@ $sshKey = Get-Content $PSScriptRoot/sshKey.pub $templateFileParameters['sshPubKey'] = $sshKey # Get the max version that is not preview and then get the name of the patch version with the max value -az login --service-principal -u $TestApplicationId --tenant $TenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN +az cloud set --name $Environment +az login --service-principal -u $env:TestApplicationId --tenant $env:TenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN +az account set --subscription $SubscriptionId $versions = az aks get-versions -l westus -o json | ConvertFrom-Json Write-Host "AKS versions: $($versions | ConvertTo-Json -Depth 100)" $patchVersions = $versions.values | Where-Object { $_.isPreview -eq $null } | Select-Object -ExpandProperty patchVersions From 08535637668ef95c3afc810be5802570d7e0bde2 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Tue, 29 Oct 2024 13:48:03 -0700 Subject: [PATCH 9/9] update pre ps1 --- sdk/identity/test-resources-pre.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/identity/test-resources-pre.ps1 b/sdk/identity/test-resources-pre.ps1 index f4fc86066516f..2ed7e0db88fbd 100644 --- a/sdk/identity/test-resources-pre.ps1 +++ b/sdk/identity/test-resources-pre.ps1 
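Review bot: The three new lines `az cloud set --name $Environment`, `az login …` and `az account set --subscription $SubscriptionId` are inserted between the comment `# Get the max version that is not preview …` and the `$versions = az aks get-versions …` line that comment describes, so the comment now reads as if it documents the login sequence; moving the three lines above the comment, with their own one-liner such as `# Select cloud, sign in with the pipeline's federated token and pin the test subscription`, keeps each comment next to the code it explains. The new `$SubscriptionId` and `$Environment` parameters are `Mandatory = $true` in every parameter set, unlike `$TenantId`, which is scoped to `Provisioner`; if that asymmetry is intended it deserves a note in the param block, which starts outside the first hunk.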
@@ -36,7 +36,7 @@ $templateFileParameters['sshPubKey'] = $sshKey # Get the max version that is not preview and then get the name of the patch version with the max value az cloud set --name $Environment -az login --service-principal -u $env:TestApplicationId --tenant $env:TenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN +az login --service-principal -u $TestApplicationId --tenant $TenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN az account set --subscription $SubscriptionId $versions = az aks get-versions -l westus -o json | ConvertFrom-Json Write-Host "AKS versions: $($versions | ConvertTo-Json -Depth 100)"