From 84e864a05ac415109b32a8eb91d4bb752f5ac7c7 Mon Sep 17 00:00:00 2001 From: Matt Boersma Date: Wed, 10 Jul 2024 13:02:35 -0600 Subject: [PATCH] Allow Azure auth with federated token in scripts --- .../.pipelines/delete-storage-account.yaml | 6 +++++- .../packer/azure/.pipelines/generate-sas.yaml | 9 +++++++-- .../packer/azure/.pipelines/test-vhd.yaml | 6 +++++- .../azure/scripts/delete-unused-storage.sh | 19 ++++++++++++------- images/capi/packer/azure/scripts/init-sig.sh | 6 +++++- images/capi/packer/azure/scripts/init-vhd.sh | 8 +++++++- images/capi/scripts/ci-azure-e2e.sh | 6 +++++- 7 files changed, 46 insertions(+), 14 deletions(-) diff --git a/images/capi/packer/azure/.pipelines/delete-storage-account.yaml b/images/capi/packer/azure/.pipelines/delete-storage-account.yaml index eacda2222d..7cf48465a1 100644 --- a/images/capi/packer/azure/.pipelines/delete-storage-account.yaml +++ b/images/capi/packer/azure/.pipelines/delete-storage-account.yaml @@ -3,7 +3,11 @@ steps: set -o pipefail RESOURCE_GROUP_NAME=$(jq -r '.builds[-1].custom_data.resource_group_name' manifest.json | cut -d ":" -f2) STORAGE_ACCOUNT_NAME=$(jq -r '.builds[-1].custom_data.storage_account_name' manifest.json | cut -d ":" -f2) - az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID} + if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" + else + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p "${AZURE_CLIENT_SECRET}" + fi az account set -s ${AZURE_SUBSCRIPTION_ID} az storage account delete -n ${STORAGE_ACCOUNT_NAME} -g ${RESOURCE_GROUP_NAME} --yes displayName: cleanup - delete storage account diff --git a/images/capi/packer/azure/.pipelines/generate-sas.yaml b/images/capi/packer/azure/.pipelines/generate-sas.yaml index 0cddefd793..de0355e541 100644 
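Review bot: `"$(cat "${AZURE_FEDERATED_TOKEN_FILE}")"` on the new login line turns a missing or unreadable token file into an empty `--federated-token` value, so the step presumably fails at the identity provider rather than with a clear file error, and the `set -o pipefail` above does not catch a failure inside a command substitution. Read the file first and check the status, `token=$(cat -- "${AZURE_FEDERATED_TOKEN_FILE}") || { echo "cannot read AZURE_FEDERATED_TOKEN_FILE" >&2; exit 1; }`, then pass `--federated-token "${token}"`; the same construction is repeated in every other hunk of this patch. Note also that the token, exactly like the `-p` secret it replaces, sits on the `az` command line for the duration of the login and would appear in any command trace; init-sig.sh and init-vhd.sh switch xtrace off around the call, while the three pipeline YAML steps and ci-azure-e2e.sh do not.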
--- a/images/capi/packer/azure/.pipelines/generate-sas.yaml +++ b/images/capi/packer/azure/.pipelines/generate-sas.yaml @@ -8,12 +8,17 @@ steps: printf "${OS_DISK_URI}" | tee packer/azure/vhd-base-url.out printf "${OS_DISK_URI}?" | tee packer/azure/vhd-url.out printf "${RESOURCE_GROUP_NAME}" | tee packer/azure/resource-group-name.out - az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID} + if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" + export ENABLE_AUTH_MODE_LOGIN="true" # Use --auth-mode "login" in az storage commands. + else + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p "${AZURE_CLIENT_SECRET}" + fi az account set -s ${AZURE_SUBSCRIPTION_ID} ACCOUNT_KEY=$(az storage account keys list -g ${RESOURCE_GROUP_NAME} --subscription ${AZURE_SUBSCRIPTION_ID} --account-name ${STORAGE_ACCOUNT_NAME} --query '[0].value') start_date=$(date +"%Y-%m-%dT00:00Z" -d "-1 day") expiry_date=$(date +"%Y-%m-%dT00:00Z" -d "+1 year") - az storage container generate-sas --name system --permissions lr --account-name ${STORAGE_ACCOUNT_NAME} --account-key ${ACCOUNT_KEY} --start $start_date --expiry $expiry_date | tr -d '\"' | tee -a packer/azure/vhd-url.out + az storage container generate-sas ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --name system --permissions lr --account-name ${STORAGE_ACCOUNT_NAME} --account-key ${ACCOUNT_KEY} --start $start_date --expiry $expiry_date | tr -d '\"' | tee -a packer/azure/vhd-url.out displayName: Getting OS VHD URL workingDirectory: '$(system.defaultWorkingDirectory)/images/capi' condition: eq(variables.CLEANUP, 'False') diff --git a/images/capi/packer/azure/.pipelines/test-vhd.yaml b/images/capi/packer/azure/.pipelines/test-vhd.yaml index d2153e2126..22aa50ef38 100644 --- a/images/capi/packer/azure/.pipelines/test-vhd.yaml 
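Review bot: `${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"}` on the changed generate-sas line expands, as far as I can tell, to a single word `--auth-mode login` in bash because the inner quotes are honoured inside `:+`, so once the federated branch sets the variable the CLI receives one unrecognised argument instead of the flag and its value; the same spelling is used on every changed line of the two delete-unused-storage.sh hunks at @@ -137 and @@ -154. Dropping the inner quotes, `${ENABLE_AUTH_MODE_LOGIN:+--auth-mode login}`, lets the unquoted expansion split into two arguments, or build the option once as an array and pass `"${auth_args[@]}"`. Separately, the federated path still runs `az storage account keys list` and passes `--account-key`, so the SAS is key-signed either way and the identity still needs key-list permission; if key-less operation is the goal, the user-delegation form (`--as-user` together with `--auth-mode login`) is the documented route, bearing in mind that, as I recall, its expiry is capped at seven days whereas this step asks for one year.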
+++ b/images/capi/packer/azure/.pipelines/test-vhd.yaml @@ -45,7 +45,11 @@ jobs: echo "${RESOURCE_GROUP}" is the group # Azure CLI login - az login -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET --service-principal --tenant $AZURE_TENANT_ID + if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" + else + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p "${AZURE_CLIENT_SECRET}" + fi # Find the VHD blob location from its storage account AZURE_LOCATION=$(az storage account show --name "${STORAGE_ACCOUNT_NAME}" --query '[location]' -o tsv) diff --git a/images/capi/packer/azure/scripts/delete-unused-storage.sh b/images/capi/packer/azure/scripts/delete-unused-storage.sh index 36d2f4c050..8cee562ed2 100755 --- a/images/capi/packer/azure/scripts/delete-unused-storage.sh +++ b/images/capi/packer/azure/scripts/delete-unused-storage.sh @@ -83,7 +83,12 @@ curl -fsSL https://github.com/devigned/pub/releases/download/${PUB_VERSION}/pub_ export PATH=$PATH:$(pwd) which pub &> /dev/null || (echo "Please install pub from https://github.com/devigned/pub/releases" && exit 1) -az login --service-principal -u ${AZURE_CLIENT_ID_VHD} -p ${AZURE_CLIENT_SECRET_VHD} --tenant ${AZURE_TENANT_ID_VHD} +if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" + export ENABLE_AUTH_MODE_LOGIN="true" # Use --auth-mode "login" in az storage commands. +else + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p "${AZURE_CLIENT_SECRET}" +fi az account set -s ${AZURE_SUBSCRIPTION_ID_VHD} # Get URLs in use by the marketplace offers 
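Review bot: the new login lines in delete-unused-storage.sh switch from `AZURE_CLIENT_ID_VHD`/`AZURE_CLIENT_SECRET_VHD`/`AZURE_TENANT_ID_VHD` to the unsuffixed `AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET`/`AZURE_TENANT_ID`, while the context line immediately after still selects `AZURE_SUBSCRIPTION_ID_VHD`. If the `_VHD` set is what callers export, the secret branch now runs `az login` with empty credentials and the federated branch logs in as a different identity than the subscription selection expects. If dropping the suffix is intended, the subscription variable should follow (`az account set -s ${AZURE_SUBSCRIPTION_ID}`) and whatever documents the required environment variables should be updated; otherwise keep the `_VHD` names in both branches, e.g. `az login --service-principal -u "${AZURE_CLIENT_ID_VHD}" -t "${AZURE_TENANT_ID_VHD}" ...`.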
@@ -137,14 +142,14 @@ for account in $(az storage account list -g "${RESOURCE_GROUP}" -o tsv --query " if [[ ${url} =~ ${storage_account} ]]; then echo "Archiving storage account ${storage_account} (${label}) that is ${age} days old" # create a destination container - if [[ $(az storage container exists --account-name "${ARCHIVE_STORAGE_ACCOUNT}" -n "${dest_label}" -o tsv 2>/dev/null) != "True" ]]; then - ${ECHO} az storage container create --only-show-errors --public-access=container \ + if [[ $(az storage container exists ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --account-name "${ARCHIVE_STORAGE_ACCOUNT}" -n "${dest_label}" -o tsv 2>/dev/null) != "True" ]]; then + ${ECHO} az storage container create ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --only-show-errors --public-access=container \ -n ${dest_label} -g "${RESOURCE_GROUP}" --account-name "${ARCHIVE_STORAGE_ACCOUNT}" 2>/dev/null fi # for each source container - for container in $(az storage container list --only-show-errors --account-name ${storage_account} --query "[].name" -o tsv 2>/dev/null); do + for container in $(az storage container list ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --only-show-errors --account-name ${storage_account} --query "[].name" -o tsv 2>/dev/null); do # copy it to the destination container - ${ECHO} az storage blob copy start-batch \ + ${ECHO} az storage blob copy start-batch ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} \ --account-name ${ARCHIVE_STORAGE_ACCOUNT} \ --destination-container ${dest_label} \ --destination-path ${container} \ 
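Review bot: with `--auth-mode login` the changed `az storage container exists` and `container list` calls are authorised by data-plane RBAC on the federated identity rather than by account keys, and both still end in `2>/dev/null`; a missing role assignment therefore surfaces as empty output, which the `!= "True"` test reads as "container absent" and the `for` loop as "no containers", so the archive pass silently does nothing. The same redirect on the changed `blob show` line in the next hunk feeds an empty `status` into the `while true` poll, which never matches `"success"` (the retry side of that loop is outside the hunk). At minimum the existence check should not discard its failure: `exists_out=$(az storage container exists ${ENABLE_AUTH_MODE_LOGIN:+--auth-mode login} --account-name "${ARCHIVE_STORAGE_ACCOUNT}" -n "${dest_label}" -o tsv) || { echo "container check failed for ${dest_label}" >&2; exit 1; }` and then `if [[ "${exists_out}" != "True" ]]; then`.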
@@ -154,9 +159,9 @@ for account in $(az storage account list -g "${RESOURCE_GROUP}" -o tsv --query " 2>/dev/null done # poll the target container until all blobs have "succeeded" copy status - for target in $(az storage blob list --account-name ${ARCHIVE_STORAGE_ACCOUNT} -c ${dest_label} --query '[].name' -o tsv 2>/dev/null); do + for target in $(az storage blob list ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --account-name ${ARCHIVE_STORAGE_ACCOUNT} -c ${dest_label} --query '[].name' -o tsv 2>/dev/null); do while true; do - status=$(az storage blob show --account-name ${ARCHIVE_STORAGE_ACCOUNT} --container-name ${dest_label} --name $target -o tsv --query 'properties.copy.status' 2>/dev/null) + status=$(az storage blob show ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --account-name ${ARCHIVE_STORAGE_ACCOUNT} --container-name ${dest_label} --name $target -o tsv --query 'properties.copy.status' 2>/dev/null) if [[ ${status} == "success" ]]; then echo "Copied ${dest_label}/${target}" break diff --git a/images/capi/packer/azure/scripts/init-sig.sh b/images/capi/packer/azure/scripts/init-sig.sh index 587b193fc8..65120f21a6 100755 --- a/images/capi/packer/azure/scripts/init-sig.sh +++ b/images/capi/packer/azure/scripts/init-sig.sh @@ -4,7 +4,11 @@ tracestate="$(shopt -po xtrace)" set +o xtrace -az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID} >/dev/null 2>&1 +if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" >/dev/null 2>&1 +else + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p "${AZURE_CLIENT_SECRET}" >/dev/null 2>&1 +fi az account set -s ${AZURE_SUBSCRIPTION_ID} >/dev/null 2>&1 eval "$tracestate" diff --git a/images/capi/packer/azure/scripts/init-vhd.sh b/images/capi/packer/azure/scripts/init-vhd.sh index e963f9e4d7..e0c864fe0a 100755 
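Review bot: the federated branch in init-sig.sh does not export `ENABLE_AUTH_MODE_LOGIN`, while the otherwise identical branch in init-vhd.sh (next hunk), generate-sas.yaml and delete-unused-storage.sh does, so any `az storage` commands init-sig.sh may issue later (outside this hunk) would fall back to key-based auth under a federated login. If that is deliberate, a one-line comment in the branch such as `# this script issues no az storage calls, so --auth-mode login is not needed here` keeps the next reader from "fixing" it; if not, add the same `export ENABLE_AUTH_MODE_LOGIN="true"`. The `>/dev/null 2>&1` on both new login lines also hides why a login failed, which matters more now that there are two credential paths to misconfigure; since `set +o xtrace` above already keeps the token out of the trace, consider dropping the `2>&1` so the error reaches the log: `az login ... >/dev/null`.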
--- a/images/capi/packer/azure/scripts/init-vhd.sh +++ b/images/capi/packer/azure/scripts/init-vhd.sh @@ -5,7 +5,13 @@ echo "Sign into Azure" tracestate="$(shopt -po xtrace)" set +o xtrace -az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID} >/dev/null 2>&1 + +if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" > /dev/null 2>&1 + export ENABLE_AUTH_MODE_LOGIN="true" # Use --auth-mode "login" in az storage commands. +else + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p ${AZURE_CLIENT_SECRET} >/dev/null 2>&1 +fi az account set -s ${AZURE_SUBSCRIPTION_ID} >/dev/null 2>&1 eval "$tracestate" diff --git a/images/capi/scripts/ci-azure-e2e.sh b/images/capi/scripts/ci-azure-e2e.sh index c0c91e7813..d2e6e1e6a8 100755 --- a/images/capi/scripts/ci-azure-e2e.sh +++ b/images/capi/scripts/ci-azure-e2e.sh @@ -88,7 +88,11 @@ trap cleanup EXIT make deps-azure # Latest Flatcar version is often available on Azure with a delay, so resolve ourselves -az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID} +if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" +else + az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p "${AZURE_CLIENT_SECRET}" +fi get_flatcar_version() { az vm image show --urn kinvolk:flatcar-container-linux-free:stable:latest --query 'name' -o tsv }
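Review bot: the else branch in init-vhd.sh passes `-p ${AZURE_CLIENT_SECRET}` unquoted, the only unquoted secret in this patch; a value containing whitespace or glob characters is split or expanded before `az` sees it, and an unset or empty value leaves `-p` with no argument. Quote it as the other files do: `-p "${AZURE_CLIENT_SECRET}"`. The federated line also writes `> /dev/null` where the rest of the patch writes `>/dev/null`; cosmetic, but worth aligning while the line is touched.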