
Support for OIDC to authenticate without long lived credentials #521

Closed
MartijnKooij opened this issue Jun 8, 2023 · 14 comments

@MartijnKooij

We would like to harden the security of our Azure DevOps pipelines by removing the need for long lived access tokens.

I could try to come up with how this should work myself, but I think others have done a better job at describing that already. This feature is already available in at least GitHub and GitLab (and, according to the zero trust presentation at the AWS Summit in Amsterdam, many others).

The docs for this feature here on GitHub:
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

The docs for this feature on GitLab:
https://docs.gitlab.com/ee/ci/cloud_services/aws/

Currently we are considering building key rotation services to harden our security. This will be quite some effort to build and maintain and still means we are using long lived tokens.

@geekzter

The links above pertain to GitHub Actions. This blog post explains how to get an idToken for a task. This requires a service connection configuration time change as well.

@MartijnKooij
Author

I'm not sure if that article is relevant to my question, @geekzter. Although I must admit I only skimmed through it.

My request is directed at AWS to add support for OIDC inside their Azure toolkit so that we can use AWS tasks in our pipeline without relying on long lived credentials.

@para0056
Contributor

Bumping for awareness.

This would be an extremely useful feature and would be in line with AWS best practices to use temporary credentials whenever possible.

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles

@jackmtpt

Not having this makes AWS feel like a downgrade from Azure

@davidcorrigan714

Starting to poke at implementing this and almost have it working with the CLI task, which I'm guessing will mean all the TypeScript-based tasks will fall into line, and I can start getting feedback on the implementation from everyone, especially whoever is maintaining this code on the AWS side.

The most annoying part is going to be documenting how to configure AWS with the proper claims for the OIDC token. Microsoft didn't quite finish the OIDC support for third-party service connection extensions last year, so it works, but it's not as nice as it should be, like not having a nice way to show the user the JWT claims in the service connection configuration panel 🤦‍♂️.

@davidcorrigan714

Seems to work nicely; a handful of things to clean up, and I need to do the PowerShell side, then I can put up a PR. Here's what I've got so far though:

Service Connection with no credentials:
image

The task gets an OIDC token to authenticate to AWS, which authenticates against the OIDC provider and roles I configured in AWS:
image
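The flow in the comment above has two configuration halves on the AWS side: an IAM OIDC identity provider registered for the Azure DevOps token issuer, and a role trust policy whose conditions decide which tokens may call `sts:AssumeRoleWithWebIdentity`. The following is an added example, not code from the AWS Toolkit for Azure DevOps or from the commenter: it re-implements those claim checks offline so a reader can see how a `sub` condition pinned to one service connection differs from a wildcard one. The issuer, audience and `sc://org/project/connection` subject formats are assumptions about Azure DevOps service-connection tokens, and every identifier below is a constructed placeholder.

```python
"""Offline model of the trust-policy claim checks STS applies to an Azure
DevOps OIDC token before AssumeRoleWithWebIdentity succeeds.

Added example, not code from the AWS Toolkit for Azure DevOps. Claim
formats are assumptions about Azure DevOps tokens; IDs are placeholders.
"""
import base64
import json
import re

# Constructed placeholders (not a real org, account or role).
ORG_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://vstoken.dev.azure.com/{ORG_ID}"
PROVIDER_HOST = ISSUER[len("https://"):]          # prefix of IAM condition keys
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER_HOST}"
AUDIENCE = "api://AzureADTokenExchange"

# The IAM OIDC identity provider as it would be registered in the account.
PROVIDER = {"url": ISSUER, "client_ids": [AUDIENCE]}


def trust_policy(sub_operator, sub_value):
    """Role trust policy: aud pinned, sub checked with the given operator."""
    condition = {"StringEquals": {f"{PROVIDER_HOST}:aud": AUDIENCE}}
    condition.setdefault(sub_operator, {})[f"{PROVIDER_HOST}:sub"] = sub_value
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Pinned to exactly one service connection in one project (recommended).
PINNED_POLICY = trust_policy("StringEquals", "sc://myorg/myproject/aws-prod")
# Accepts any service connection in any project of the org (too broad).
LOOSE_POLICY = trust_policy("StringLike", "sc://myorg/*")


def make_unsigned_token(claims):
    """JWT-shaped string with a dummy signature, for offline tests only.
    STS verifies a real signature against the provider's JWKS."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{b64(claims)}.dummy-signature"


def decode_claims(token):
    """Return the payload claims of a compact JWT (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(pattern, value):
    # IAM StringLike understands only the * and ? wildcards.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, claims):
    """All keys of all operators must match; keys are scoped to our provider."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            prefix, _, claim = key.partition(":")
            actual = _as_list(claims.get(claim, []))
            if prefix != PROVIDER_HOST or not actual:
                return False
            if operator == "StringEquals":
                ok = any(a in _as_list(allowed) for a in actual)
            elif operator == "StringLike":
                ok = any(_string_like(p, a) for p in _as_list(allowed) for a in actual)
            else:
                return False  # other operators are not modelled here
            if not ok:
                return False
    return True


def evaluate_trust(token, policy=PINNED_POLICY, provider=PROVIDER):
    """Return (allowed, reason) for a token against a role trust policy."""
    claims = decode_claims(token)
    if claims.get("iss") != provider["url"]:
        return False, "issuer does not match the registered OIDC provider"
    if not set(_as_list(claims.get("aud", []))) & set(provider["client_ids"]):
        return False, "audience is not in the provider's client ID list"
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action"))
                and stmt.get("Principal", {}).get("Federated") == PROVIDER_ARN
                and _condition_holds(stmt.get("Condition", {}), claims)):
            return True, "allowed"
    return False, "no trust statement matched the token's claims"


if __name__ == "__main__":
    prod = make_unsigned_token({"iss": ISSUER, "aud": AUDIENCE,
                                "sub": "sc://myorg/myproject/aws-prod"})
    other = make_unsigned_token({"iss": ISSUER, "aud": AUDIENCE,
                                 "sub": "sc://myorg/sandbox/aws-dev"})
    print("pinned, prod connection:", evaluate_trust(prod))
    print("pinned, other project:  ", evaluate_trust(other))
    print("loose,  other project:  ", evaluate_trust(other, LOOSE_POLICY))
```

The last line of the demo is the point worth documenting for end users: with a `StringLike` wildcard on `sub`, a token minted for a service connection in an unrelated project of the same organization is accepted, so the trust policy should name the exact `sc://org/project/connection` value (and the `aud` the task sends) rather than a prefix.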

@HenrikStanley

HenrikStanley commented Apr 22, 2024

We are looking into this issue as well and need support for OIDC.

I can see that Laurens Knoll from Xebia has managed to make it work using the Azure DevOps OIDC provider for OIDC with GCP.

Described in this blog post:
https://xebia.com/blog/how-to-configure-google-cloud-workload-identity-federation-for-azure-devops/

The Azure DevOps plugin is on GH.
The same method for getting the idToken from the Azure DevOps provider should be possible.
https://github.com/binxio/azure-devops-extensions/tree/master/google/google-cloud-auth/tasks/gcp-wif-auth

@davidcorrigan714
If you need anyone to review a PR, I would be happy to give it a look

@davidcorrigan714

Yup, that's how it all works. Microsoft's code has been on GH for over a year now, IIRC, as they were developing it for Azure tasks throughout all last year. Hit some snags on Friday making sure the plugin still works on-prem without OIDC; my solution isn't quite as awesome as I'd like, but I think it'll suffice. Need to update the README.md file, then I'll open a PR. Unfortunately their docs are no longer sourced from GH, so hopefully someone from AWS can update the official User Guide too.

@davidcorrigan714

davidcorrigan714 commented Apr 22, 2024

@HenrikStanley You're welcome to check out my WIP here. Skimming it, I've got some other code tidying up to do, and it seems my VSCode formatting settings made some unnecessary formatting changes I'll probably back out to declutter the PR.

@dilv0055

@davidcorrigan714 - Thanks for the update. May I know when we can expect this feature to be rolled out to the Azure DevOps marketplace extension, so we can set our roadmap? Appreciate your help here.

@rbbarad
Contributor

rbbarad commented Aug 2, 2024

Support for OIDC has been added in PR #558 and released with v1.15.0 of the Toolkit!

@rbbarad closed this as completed Aug 2, 2024
@davidcorrigan714

Thanks @rbbarad and @ROunofF !

@cal5barton

This is great and all, but when will the docs be updated to help end users set up the service connection with the new OIDC feature?

@para0056
Contributor

para0056 commented Oct 1, 2024

I just added some additional documentation along with a sample CFN template to get people started.
#567
