Support for OIDC to authenticate without long lived credentials #521
Comments
The links above pertain to GitHub Actions. This blog post explains how to get an idToken for a task. This requires a service connection configuration time change as well.
I'm not sure if that article is relevant to my question @geekzter. Although I must admit I only skimmed through it. My request is directed at AWS to add support for OIDC inside their Azure toolkit so that we can use AWS tasks in our pipeline without relying on long lived credentials.
Bumping for awareness. This would be an extremely useful feature and would be in-line with AWS best practices to use temporary credentials whenever possible. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles
Not having this makes AWS feel like a downgrade from Azure.
Starting to poke at implementing this and almost have it working with the CLI task, which I'm guessing will mean all the TypeScript based tasks will fall into line and I can start getting feedback on the implementation from everyone, especially whoever is maintaining this code on the AWS side. The most annoying part is going to be documenting how to configure AWS with the proper claims for the OIDC token. Microsoft didn't quite finish the OIDC support for third party service connection extensions last year, so it works, but it's not as nice as it should be - like not having a nice way to show the user the JWT claims in the service connection configuration panel 🤦♂️.
We are looking into this issue as well and need support for OIDC. I can see that Laurens Knoll from Xebia has managed to make it work using the Azure DevOps OIDC provider for OIDC with GCP, described in this blog post. The Azure DevOps plugin is on GH. @davidcorrigan714
Yup, that's how it all works. Microsoft's code has been on GH for over a year now iirc, as they were developing it for Azure tasks throughout all last year. Hit some snags on Friday making sure the plugin still works on-prem without OIDC; my solution isn't quite as awesome as I'd like but I think it'll suffice. Need to update the README.md file, then I'll open a PR. Unfortunately their docs are no longer sourced from GH, so hopefully someone from AWS can update the official User Guide too.
@HenrikStanley You're welcome to check out my WIP here. Skimming it, I've got some other code tidying up to do, and it seems my VSCode formatting settings made some unnecessary formatting changes I'll probably back out to declutter the PR.
@davidcorrigan714 - Thanks for the update. May I know when we can expect this feature to be rolled out to the Azure DevOps marketplace extension, so we can set our roadmap? Appreciate your help here.
Support for OIDC has been added in PR #558 and released with v1.15.0 of the Toolkit!
This is great and all, but when will the docs be updated to help end users set up the service connection with the new OIDC feature?
I just added some additional documentation along with a sample CFN template to get people started.
</gre_replace>
<gr_insert after="21" cat="add_content" lang="python" orig="I just added">
To illustrate the "proper claims" point raised above, here is an added example that is not part of this thread or of the Toolkit's own documentation or CFN template: a minimal IAM trust policy for an Azure DevOps OIDC provider that pins the `aud` and `sub` claims, plus a small evaluator that approximates how STS checks a token's claims against such a policy. The issuer, subject and audience formats, the organization id, the AWS account id and the service connection names are all assumptions or constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholders (not values from the issue). The issuer, subject
# and audience formats are assumptions about Azure DevOps service connection tokens.
ORG_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://vstoken.dev.azure.com/{ORG_ID}"
PROVIDER = ISSUER.removeprefix("https://")  # IAM condition keys omit the scheme

# Trust policy pinned to one service connection. Without the aud/sub conditions,
# any token minted by this issuer could assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{PROVIDER}:aud": "api://AzureADTokenExchange"},
            "StringLike": {f"{PROVIDER}:sub": "sc://my-org/my-project/aws-deploy-*"},
        },
    }],
}


def evaluate_trust(policy: dict, claims: dict) -> bool:
    """Approximate STS evaluation of a web-identity trust policy: the token's
    issuer must match the federated provider and every condition must hold."""
    for stmt in policy["Statement"]:
        provider = stmt["Principal"]["Federated"].split("oidc-provider/", 1)[1]
        if claims.get("iss", "").removeprefix("https://") != provider:
            continue  # token from another issuer never matches this statement
        ok = True
        for op, tests in stmt.get("Condition", {}).items():
            for key, pattern in tests.items():
                value = claims.get(key.split(":", 1)[1], "")  # "<provider>:aud" -> "aud"
                if op == "StringEquals":
                    ok &= value == pattern
                elif op == "StringLike":  # IAM wildcards '*' and '?' only
                    ok &= fnmatch.fnmatchcase(value, pattern)
                else:
                    ok = False  # unsupported operator here: fail closed
        if ok:
            return stmt["Effect"] == "Allow"
    return False  # no statement matched: deny


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
```
<test>
good = {"iss": ISSUER, "aud": "api://AzureADTokenExchange", "sub": "sc://my-org/my-project/aws-deploy-prod"}
assert evaluate_trust(TRUST_POLICY, good) is True
other_project = dict(good, sub="sc://my-org/other-project/aws-deploy-prod")
assert evaluate_trust(TRUST_POLICY, other_project) is False
wrong_aud = dict(good, aud="api://SomethingElse")
assert evaluate_trust(TRUST_POLICY, wrong_aud) is False
other_org = dict(good, iss="https://vstoken.dev.azure.com/11111111-1111-1111-1111-111111111111")
assert evaluate_trust(TRUST_POLICY, other_org) is False
missing_sub = {"iss": ISSUER, "aud": "api://AzureADTokenExchange"}
assert evaluate_trust(TRUST_POLICY, missing_sub) is False
</test>
</gr_insert>
<gr_replace lines="30" cat="remove_boilerplate" orig="The text was">
We would like to harden the security of our Azure DevOps pipelines by removing the need for long lived access tokens.
I could try to come up with how this should work myself, but I think others have done a better job at describing that already. This feature is already available in at least GitHub and GitLab (and according to the zero trust presentation at the AWS Summit in Amsterdam many others).
The docs for this feature here on GitHub:
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
The docs for this feature on GitLab:
https://docs.gitlab.com/ee/ci/cloud_services/aws/
Currently we are considering building key rotation services to harden our security. This will be quite some effort to build and maintain and still means we are using long lived tokens.
The text was updated successfully, but these errors were encountered: