Support Managed Service Identity KeyVault access for Self-Hosted Runners #11
Comments
|
Thanks Aaron. Please feel free to contribute. |
|
Take a look at https://www.npmjs.com/package/@azure/keyvault-secrets. Our new libraries support easier authentication including MSI. This would also reduce maintenance costs with the helper classes you've defined. See https://www.npmjs.com/package/@azure/keyvault-secrets#getting-a-secret for a simple example. |
|
I'm going to start work on this and add tests since our libraries also make it easy to mock the clients. |
I did some more research on this, and isn’t it possible to just have this work if we login with az login —identity from the Azure Login task. Hopefully the creds would flow through? It would be great to have tests too. |
|
That feature work is planned. |
|
It's also work pointing out that a separate login step really isn't necessary since the clients will authenticate automatically as needed. A custom TokenCredential too read the same format could be added to a ChainedTokenCredential along with DefaultAzureCredential to be back-compat. This is what I was planning in the interim. That TokenCredential could also go in the shared lib. |
|
@actions-devops how are you running the agent as an MSI? I would like to set up a repro/test environment but haven't been able to figure out how to do this. Or it just to run "az login" using MSI? |
|
@actions-devops/ @aaronba any inputs here? |
|
This issue is idle because it has been open for 14 days with no activity. |
It would be helpful for this action to support Managed Service Identity (MSI) access to KeyVault for Self-Hosted runners running this GitHub action. This could reduce the need to store cloud secrets in GitHub secrets in order to access Azure KeyVault resources.
If I figure out how to do this I will submit a PR with this change.
Thanks,
Aaron
The text was updated successfully, but these errors were encountered: