@wbreza wbreza commented Nov 3, 2022

Addresses #408

  • Adds request builders to manage federated identity credentials (fics) to Azure AD Graph applications.
  • Adds new --auth-type flag for azd pipeline config. Valid values: federated, client-credentials
  • Defaults GitHub auth to Federated
  • Updates GitHub pipeline provider for Federated support

When auth type is Federated in a valid configuration, azd will create a federated identity credential on the new/updated service principal for the following subjects:

  • repo:${REPO}:ref:refs/heads/main
  • repo:${REPO}:pull_request

References

Pipeline providers

GitHub

Auth Default: Federated
Supported Auth: Federated, ClientCredentials

GitHub secret configuration is different between Federated and ClientCredentials. The GitHub workflow has been set up to test which secrets have been defined and then use the correct version of the az login command.

Azure DevOps

Auth Default: ClientCredentials
Supported Auth: ClientCredentials

Display error if --auth-type is explicitly set to Federated (not supported)

Provision Providers

Bicep

Auth Default: Federated
Supported Auth: Federated, ClientCredentials

Terraform

Auth Default: ClientSecret
Supported Auth: ClientCredentials

Display warning if --auth-type isn't defined (falling back to ClientCredentials)
Display error if --auth-type is explicitly set to Federated (not supported)
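Added example, not part of the pull request or the azd code base: a Go sketch of the two federated identity credentials described above, shaped like the Microsoft Graph federatedIdentityCredential resource, with a simplified exact-match check showing which GitHub OIDC token subjects they cover. The credential names, the `Accepts` helper and the `contoso/todo-app` repository are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Issuer and audience used for GitHub Actions OIDC federation with Azure AD.
const (
	githubIssuer  = "https://token.actions.githubusercontent.com"
	azureAudience = "api://AzureADTokenExchange"
)

// FederatedCredential mirrors the Graph federatedIdentityCredential resource.
type FederatedCredential struct {
	Name      string   `json:"name"`
	Issuer    string   `json:"issuer"`
	Subject   string   `json:"subject"`
	Audiences []string `json:"audiences"`
}

// CredentialsForRepo builds the two subjects from the PR text (names are hypothetical).
func CredentialsForRepo(repo string) []FederatedCredential {
	slug := strings.ReplaceAll(repo, "/", "-")
	mk := func(suffix, subject string) FederatedCredential {
		return FederatedCredential{Name: slug + "-" + suffix, Issuer: githubIssuer, Subject: subject, Audiences: []string{azureAudience}}
	}
	return []FederatedCredential{
		mk("main", "repo:"+repo+":ref:refs/heads/main"),
		mk("pull-request", "repo:"+repo+":pull_request"),
	}
}

// Accepts models the exact, case-sensitive iss/sub/aud match (simplified helper).
func Accepts(creds []FederatedCredential, iss, sub, aud string) bool {
	for _, c := range creds {
		if c.Issuer == iss && c.Subject == sub && len(c.Audiences) > 0 && c.Audiences[0] == aud {
			return true
		}
	}
	return false
}

func main() {
	creds := CredentialsForRepo("contoso/todo-app") // constructed sample repository
	body, _ := json.MarshalIndent(creds[0], "", "  ")
	fmt.Println(string(body), Accepts(creds, githubIssuer, "repo:contoso/todo-app:ref:refs/heads/dev", azureAudience))
}
```

Workflows triggered from other branches, tags or GitHub environments present a different subject and match neither credential, so each would need its own credential on the service principal.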

@ghost ghost assigned wbreza Nov 3, 2022
@wbreza wbreza changed the title from "Adds FederatedIdentityCredentials request builders to Graph Client" to "Adds FederatedIdentityCredentials (FICS) request builders to Graph Client" Nov 3, 2022
@weikanglim
Contributor

Do you have a link to the issue that describes the requirements? Are we creating the oidc application or are we using one that is user-provided?

@wbreza wbreza added this to the Backlog milestone Nov 7, 2022
@wbreza
Contributor Author

wbreza commented Nov 7, 2022

Do you have a link to the issue that describes the requirements? Are we creating the oidc application or are we using one that is user-provided?

Mentioned issue #408

@wbreza wbreza marked this pull request as ready for review November 7, 2022 22:23
Member

@jongio jongio left a comment


Tested on Windows and todo-java-mongo. Works great!

@azure-sdk
Collaborator

Repoman Generation Results

Repoman pushed changes to remotes for the following projects:

Project: todo-csharp-cosmos-sql

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-csharp-cosmos-sql -b pr/1086

View Changes | Compare Changes


Project: todo-csharp-sql-swa-func

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-csharp-sql-swa-func -b pr/1086

View Changes | Compare Changes


Project: todo-csharp-sql

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-csharp-sql -b pr/1086

View Changes | Compare Changes


Project: todo-java-mongo-aca

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-java-mongo-aca -b pr/1086

View Changes | Compare Changes


Project: todo-java-mongo

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-java-mongo -b pr/1086

View Changes | Compare Changes


Project: todo-nodejs-mongo-aca

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-nodejs-mongo-aca -b pr/1086

View Changes | Compare Changes


Project: todo-nodejs-mongo-swa-func

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-nodejs-mongo-swa-func -b pr/1086

View Changes | Compare Changes


Project: todo-nodejs-mongo

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-nodejs-mongo -b pr/1086

View Changes | Compare Changes


Project: todo-python-mongo-aca

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-python-mongo-aca -b pr/1086

View Changes | Compare Changes


Project: todo-python-mongo-swa-func

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-python-mongo-swa-func -b pr/1086

View Changes | Compare Changes


Project: todo-python-mongo

Remote: azure-samples-staging

Branch: pr/1086

You can initialize this project with:

azd init -t Azure-Samples/todo-python-mongo -b pr/1086

View Changes | Compare Changes


@azure-sdk
Collaborator

Azure Dev CLI Install Instructions

Install scripts

MacOS/Linux

May elevate using sudo on some platforms and configurations

bash:

curl -fsSL https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086/uninstall-azd.sh | bash;
curl -fsSL https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086/install-azd.sh | bash -s -- --base-url https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086 --version '' --verbose

pwsh:

Invoke-RestMethod 'https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086/uninstall-azd.ps1' -OutFile uninstall-azd.ps1; ./uninstall-azd.ps1
Invoke-RestMethod 'https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086/install-azd.ps1' -OutFile install-azd.ps1; ./install-azd.ps1 -BaseUrl 'https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086' -Version '' -Verbose

Windows

powershell -c "Set-ExecutionPolicy Bypass Process; irm 'https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086/uninstall-azd.ps1' > uninstall-azd.ps1; ./uninstall-azd.ps1;"
powershell -c "Set-ExecutionPolicy Bypass Process; irm 'https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086/install-azd.ps1' > install-azd.ps1; ./install-azd.ps1 -BaseUrl 'https://azuresdkreleasepreview.blob.core.windows.net/azd/standalone/pr/1086' -Version '' -Verbose;"

Standalone Binary

Container

docker run -it azdevcliextacr.azurecr.io/azure-dev:pr-1086

Member

@ellismg ellismg left a comment


Awesome to see this coming online! Code changes look great. A small question about the pipeline configuration. Excited for our secret-less future!

Member

@vhvb1989 vhvb1989 left a comment


Awesome! thank you!
