
Clarification on use of user-assigned managed identity and github-hosted runners #489

Open
matsest opened this issue Sep 29, 2024 · 4 comments
Labels
question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@matsest

matsest commented Sep 29, 2024

The content of this action's README is conflicting with official guidance on MS Learn regarding the use of user-assigned managed identities (UAMI). The documentation listed above gives example of workflow to use with github-hosted runners and UAMI.

The README in the repo, however, states:

"Login With User-assigned Managed Identity" is only supported on GitHub self-hosted runners and the self-hosted runners need to be hosted by Azure virtual machines.

and gives the example

name: Run Azure Login with User-assigned Managed Identity
on: [push]

jobs:
  build-and-deploy:
    runs-on: self-hosted
    steps:
      - name: Azure login
        uses: azure/login@v2
        with:
          auth-type: IDENTITY
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          enable-AzPSSession: true

where we can see runs-on: self-hosted and auth-type: IDENTITY.

From my own testing and long-time usage I can still use UAMI and github-hosted runners with this action, when not setting auth-type to IDENTITY:

When using the same UAMI and setting auth-type: IDENTITY I get errors (see run, workflow file): Error: Failed to connect to MSI, check your managed service identity id.

This is also tested by explicitly setting auth-type: SERVICE_PRINCIPAL (see run, workflow file) which again works fine.

Based on my testing and experience with managed identities I would assume that the restriction on using auth-type: IDENTITY and self-hosted runners only really applies to system-assigned managed identities?
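As an added example (not from this issue or the azure/login project), the two configurations the issue contrasts, side by side: the README's auth-type: IDENTITY form, which only works when the runner itself is an Azure VM with the UAMI attached, and the OIDC form that works on GitHub-hosted runners with the same UAMI. It assumes a federated credential for the GitHub repository has already been added to the UAMI in Azure, and reuses the secret names from the README excerpt above.

```yaml
name: Azure Login with a user-assigned managed identity (added example)
on: [push]

# Needed for the OIDC path: the job must be allowed to request a GitHub
# ID token, which the UAMI's federated credential trusts.
permissions:
  id-token: write
  contents: read

jobs:
  # Works on GitHub-hosted runners: no auth-type is set, so the action
  # uses OIDC against the federated credential configured on the UAMI.
  oidc-on-github-hosted:
    runs-on: ubuntu-latest
    steps:
      - name: Azure login (UAMI via OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}          # UAMI client ID, not a secret value
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

  # Works only where the runner is an Azure VM with the UAMI attached:
  # auth-type IDENTITY uses the VM's managed-identity endpoint, which is
  # why it fails with "Failed to connect to MSI" on a GitHub-hosted runner.
  identity-on-azure-vm:
    runs-on: self-hosted
    steps:
      - name: Azure login (UAMI via the VM's managed identity)
        uses: azure/login@v2
        with:
          auth-type: IDENTITY
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```

In the OIDC job the three secrets hold identifiers only; no client secret exists for a UAMI, so nothing long-lived is stored in GitHub.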

@matsest matsest added the need-to-triage Requires investigation label Sep 29, 2024
@matsest
Author

matsest commented Sep 29, 2024

Related: #445, #422

@YanaXu
Collaborator

YanaXu commented Oct 8, 2024

Hi @matsest, I think you are confusing the two methods:

If you want to use user-assigned managed identity on github-hosted runners, you can only use OIDC or SP+Secret.

The statement in login-with-user-assigned-managed-identity is correct. You can simply click the guide links to see how it works. (Just check how to configure it on Azure and GitHub.) I think your questions will be answered.

FYI, we also maintain the official guidance on MS Learn. This page official guidance on MS Learn corresponds to login-with-openid-connect-oidc. And the page Use the Azure Login action with a managed identity corresponds to login-with-system-assigned-managed-identity and login-with-user-assigned-managed-identity.

@YanaXu YanaXu added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that and removed need-to-triage Requires investigation labels Oct 8, 2024
@matsest
Author

matsest commented Oct 8, 2024

Thanks for the reply @YanaXu!

I see that the method described under "Login With OpenID Connect (OIDC)" describes that it is possible to use user-assigned managed identity, which is what I am also stating in this question and what I have tested to work successfully. I guess this is more about how the README content is structured and how it matches to the documentation provided on MS Learn.

Some comments:

If you want to use user-assigned managed identity on github-hosted runners, you can only use OIDC or SP+Secret.

  1. It is inherently not possible to use SP+Secret with User Assigned Managed Identity. UAMI can't have secrets.

I think you are confusing the two methods:

login-with-openid-connect-oidc
login-with-user-assigned-managed-identity

  1. If it is meant to be a clear distinction between these methods in this action the latter should be renamed to e.g. "Login With User-Assigned Managed Identity on Azure VM". In the MS Learn docs this is explicitly stated in the sidebar as "Sign in with a managed identity configured on an Azure VM" - which makes sense and clearly separates it from the "Sign in With OpenID Connect" method. The "on an Azure VM" is the important distinction here.


For users who want to use 1) User-Assigned Managed Identity and 2) GitHub-hosted Runners, it should be clear from the README which example in the README is relevant for them. To me the current "Login With User-Assigned Managed Identity" seems at first glance to be the relevant section, but it is not the correct one (Login With OpenID Connect (OIDC) is). If the part about "Azure VM" had been stated more clearly, it would be a clearer distinction.

@im-samz

im-samz commented Nov 14, 2024

Thanks, @matsest, I was confused about the wording of the headings as well. I also agree that adding "on an Azure VM" or "self-hosted Azure VM" would be helpful :)
