mirror of
https://github.com/azure/login.git
synced 2026-03-15 09:20:56 -04:00
Compare commits
7 Commits
master-cha
...
users/bala
| Author | SHA1 | Date | |
|---|---|---|---|
|
fd46a15100 | ||
|
|
24f48797ce | ||
|
|
4e20baabba | ||
|
|
7d999374ef | ||
|
|
41b2820dc1 | ||
|
|
84ba7c37ac | ||
|
|
e9a2085bcf |
1
.github/workflows/azure-login-pr-check.yml
vendored
1
.github/workflows/azure-login-pr-check.yml
vendored
@@ -13,7 +13,6 @@ jobs:
|
||||
- name: Checkout from PR branch
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
||||
ref: ${{ github.event.pull_request.head.ref }}
|
||||
|
||||
# Using 12.x version as an example
|
||||
|
||||
42
README.md
42
README.md
@@ -78,19 +78,19 @@ jobs:
|
||||
|
||||
## Sample to connect to Azure US Government cloud
|
||||
|
||||
```yaml
|
||||
- name: Login to Azure US Gov Cloud with CLI
|
||||
```
|
||||
- name: Login to Azure US Gov Cloud with CLI
|
||||
uses: azure/login@v1
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
|
||||
environment: 'AzureUSGovernment'
|
||||
enable-AzPSSession: false
|
||||
- name: Login to Azure US Gov Cloud with Az Powershell
|
||||
uses: azure/login@v1
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
|
||||
environment: 'AzureUSGovernment'
|
||||
enable-AzPSSession: false
|
||||
- name: Login to Azure US Gov Cloud with Az Powershell
|
||||
uses: azure/login@v1
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
|
||||
environment: 'AzureUSGovernment'
|
||||
enable-AzPSSession: true
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
|
||||
environment: 'AzureUSGovernment'
|
||||
enable-AzPSSession: true
|
||||
```
|
||||
|
||||
Refer to the [Azure PowerShell](https://github.com/azure/powershell) Github action to run your Azure PowerShell scripts.
|
||||
@@ -171,7 +171,7 @@ The following steps describe how to create the service principal, assign the rol
|
||||
```json
|
||||
{
|
||||
"clientId": "<GUID>",
|
||||
"clientSecret": "<CLIENT_SECRET_VALUE>",
|
||||
"clientSecret": "<GUID>",
|
||||
"subscriptionId": "<GUID>",
|
||||
"tenantId": "<GUID>",
|
||||
(...)
|
||||
@@ -183,7 +183,7 @@ The following steps describe how to create the service principal, assign the rol
|
||||
NOTE: While adding secret `AZURE_CREDENTIALS` make sure to add like this
|
||||
|
||||
{"clientId": "<GUID>",
|
||||
"clientSecret": "<CLIENT_SECRET_VALUE>",
|
||||
"clientSecret": "<GUID>",
|
||||
"subscriptionId": "<GUID>",
|
||||
"tenantId": "<GUID>",
|
||||
(...)}
|
||||
@@ -192,7 +192,7 @@ NOTE: While adding secret `AZURE_CREDENTIALS` make sure to add like this
|
||||
|
||||
{
|
||||
"clientId": "<GUID>",
|
||||
"clientSecret": "<CLIENT_SECRET_VALUE>",
|
||||
"clientSecret": "<GUID>",
|
||||
"subscriptionId": "<GUID>",
|
||||
"tenantId": "<GUID>",
|
||||
(...)
|
||||
@@ -212,18 +212,6 @@ However, a simple workaround for users who need this option can be:
|
||||
creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}'
|
||||
```
|
||||
In a similar way, any additional parameter can be addded to creds such as resourceManagerEndpointUrl for Azure Stack, for example.
|
||||
|
||||
NOTE: If you want to hand craft your JSON object instead of using the output from the CLI command (for example, after using the UI to create the App Registration and Role assignment) the following fields are required:
|
||||
```json
|
||||
{
|
||||
"clientId": "<GUID>",
|
||||
"tenantId": "<GUID>",
|
||||
"clientSecret": "<CLIENT_SECRET_VALUE>",
|
||||
"subscriptionId": "<GUID>",
|
||||
"resourceManagerEndpointUrl": "<URL>}
|
||||
```
|
||||
The resourceManagerEndpointUrl will be `https://management.azure.com/` if you are using the public azure cloud.
|
||||
|
||||
## Support for using `allow-no-subscriptions` flag with az login
|
||||
|
||||
Capability has been added to support access to tenants without subscriptions. This can be useful to run tenant level commands, such as `az ad`. The action accepts an optional parameter `allow-no-subscriptions` which is `false` by default.
|
||||
|
||||
@@ -5,7 +5,7 @@ jest.mock('../../src/PowerShell/Utilities/PowerShellToolRunner');
|
||||
let spnlogin: ServicePrincipalLogin;
|
||||
|
||||
beforeAll(() => {
|
||||
spnlogin = new ServicePrincipalLogin("servicePrincipalID", "servicePrinicipalkey", null, "tenantId", "subscriptionId", false, null, null);
|
||||
spnlogin = new ServicePrincipalLogin("servicePrincipalID", "servicePrinicipalkey", "tenantId", "subscriptionId", false, null, null);
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
|
||||
15
action.yml
15
action.yml
@@ -4,16 +4,7 @@ description: 'Authenticate to Azure and run your Az CLI or Az
|
||||
inputs:
|
||||
creds:
|
||||
description: 'Paste output of `az ad sp create-for-rbac` as value of secret variable: AZURE_CREDENTIALS'
|
||||
required: false
|
||||
client-id:
|
||||
description: 'ClientId of the Azure Service principal created.'
|
||||
required: false
|
||||
tenant-id:
|
||||
description: 'TenantId of the Azure Service principal created.'
|
||||
required: false
|
||||
subscription-id:
|
||||
description: 'Azure subscriptionId'
|
||||
required: false
|
||||
required: true
|
||||
enable-AzPSSession:
|
||||
description: 'Set this value to true to enable Azure PowerShell Login in addition to Az CLI login'
|
||||
required: false
|
||||
@@ -21,7 +12,7 @@ inputs:
|
||||
environment:
|
||||
description: 'Name of the environment. Supported values are azurecloud, azurestack, azureusgovernment, azurechinacloud, azuregermancloud. Default being azurecloud'
|
||||
required: false
|
||||
default: azurecloud
|
||||
default: AzureCloud
|
||||
allow-no-subscriptions:
|
||||
description: 'Set this value to true to enable support for accessing tenants without subscriptions'
|
||||
required: false
|
||||
@@ -31,4 +22,4 @@ branding:
|
||||
color: 'blue'
|
||||
runs:
|
||||
using: 'node12'
|
||||
main: 'lib/main.js'
|
||||
main: 'lib/main.js'
|
||||
|
||||
@@ -25,10 +25,9 @@ const PowerShellToolRunner_1 = __importDefault(require("./Utilities/PowerShellTo
|
||||
const ScriptBuilder_1 = __importDefault(require("./Utilities/ScriptBuilder"));
|
||||
const Constants_1 = __importDefault(require("./Constants"));
|
||||
class ServicePrincipalLogin {
|
||||
constructor(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl) {
|
||||
constructor(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl) {
|
||||
this.servicePrincipalId = servicePrincipalId;
|
||||
this.servicePrincipalKey = servicePrincipalKey;
|
||||
this.federatedToken = federatedToken;
|
||||
this.tenantId = tenantId;
|
||||
this.subscriptionId = subscriptionId;
|
||||
this.environment = environment;
|
||||
@@ -56,7 +55,6 @@ class ServicePrincipalLogin {
|
||||
const args = {
|
||||
servicePrincipalId: this.servicePrincipalId,
|
||||
servicePrincipalKey: this.servicePrincipalKey,
|
||||
federatedToken: this.federatedToken,
|
||||
subscriptionId: this.subscriptionId,
|
||||
environment: this.environment,
|
||||
scopeLevel: ServicePrincipalLogin.scopeLevel,
|
||||
|
||||
@@ -23,17 +23,9 @@ class ScriptBuilder {
|
||||
if (args.environment.toLowerCase() == "azurestack") {
|
||||
command += `Add-AzEnvironment -Name ${args.environment} -ARMEndpoint ${args.resourceManagerEndpointUrl} | out-null;`;
|
||||
}
|
||||
// Separate command script for OIDC and non-OIDC
|
||||
if (!!args.federatedToken) {
|
||||
command += `Connect-AzAccount -ServicePrincipal -ApplicationId '${args.servicePrincipalId}' -Tenant '${tenantId}' -FederatedToken '${args.federatedToken}' \
|
||||
-Environment '${args.environment}' | out-null;`;
|
||||
}
|
||||
else {
|
||||
command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
|
||||
(New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
|
||||
-Environment '${args.environment}' | out-null;`;
|
||||
}
|
||||
// command to set the subscription
|
||||
command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
|
||||
(New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
|
||||
-Environment '${args.environment}' | out-null;`;
|
||||
if (args.scopeLevel === Constants_1.default.Subscription && !args.allowNoSubscriptionsLogin) {
|
||||
command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`;
|
||||
}
|
||||
|
||||
92
lib/main.js
92
lib/main.js
@@ -36,7 +36,6 @@ function main() {
|
||||
core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
|
||||
core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
|
||||
azPath = yield io.which("az", true);
|
||||
core.debug(`az cli version used: ${azPath}`);
|
||||
let azureSupportedCloudName = new Set([
|
||||
"azureusgovernment",
|
||||
"azurechinacloud",
|
||||
@@ -54,64 +53,25 @@ function main() {
|
||||
};
|
||||
yield executeAzCliCommand("--version", true, execOptions);
|
||||
core.debug(`az cli version used:\n${output}`);
|
||||
let creds = core.getInput('creds', { required: false });
|
||||
let secrets = creds ? new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON) : null;
|
||||
let creds = core.getInput('creds', { required: true });
|
||||
let secrets = new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON);
|
||||
let servicePrincipalId = secrets.getSecret("$.clientId", false);
|
||||
let servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
|
||||
let tenantId = secrets.getSecret("$.tenantId", false);
|
||||
let subscriptionId = secrets.getSecret("$.subscriptionId", false);
|
||||
let resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
|
||||
let environment = core.getInput("environment").toLowerCase();
|
||||
const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
|
||||
const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
|
||||
//Check for the credentials in individual parameters in the workflow.
|
||||
var servicePrincipalId = core.getInput('client-id', { required: false });
|
||||
;
|
||||
var servicePrincipalKey = null;
|
||||
var tenantId = core.getInput('tenant-id', { required: false });
|
||||
var subscriptionId = core.getInput('subscription-id', { required: false });
|
||||
var resourceManagerEndpointUrl = "https://management.azure.com/";
|
||||
var enableOIDC = true;
|
||||
var federatedToken = null;
|
||||
// If any of the individual credentials (clent_id, tenat_id, subscription_id) is present.
|
||||
if (servicePrincipalId || tenantId || subscriptionId) {
|
||||
//If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs.
|
||||
if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
|
||||
throw new Error("Few credentials are missing. ClientId,tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
|
||||
}
|
||||
else {
|
||||
if (creds) {
|
||||
core.debug('using creds JSON...');
|
||||
enableOIDC = false;
|
||||
servicePrincipalId = secrets.getSecret("$.clientId", true);
|
||||
servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
|
||||
tenantId = secrets.getSecret("$.tenantId", true);
|
||||
subscriptionId = secrets.getSecret("$.subscriptionId", true);
|
||||
resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
|
||||
}
|
||||
else {
|
||||
throw new Error("Credentials are not passed for Login action.");
|
||||
}
|
||||
}
|
||||
//generic checks
|
||||
//servicePrincipalKey is only required in non-oidc scenario.
|
||||
if (!servicePrincipalId || !tenantId || !(servicePrincipalKey || enableOIDC)) {
|
||||
throw new Error("Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.");
|
||||
if (!servicePrincipalId || !servicePrincipalKey || !tenantId) {
|
||||
throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret and tenantId are supplied.");
|
||||
}
|
||||
if (!subscriptionId && !allowNoSubscriptionsLogin) {
|
||||
throw new Error("Not all values are present in the credentials. Ensure subscriptionId is supplied.");
|
||||
throw new Error("Not all values are present in the creds object. Ensure subscriptionId is supplied.");
|
||||
}
|
||||
if (!azureSupportedCloudName.has(environment)) {
|
||||
throw new Error("Unsupported value for environment is passed.The list of supported values for environment are ‘azureusgovernment', ‘azurechinacloud’, ‘azuregermancloud’, ‘azurecloud’ or ’azurestack’");
|
||||
}
|
||||
// OIDC specific checks
|
||||
if (enableOIDC) {
|
||||
console.log('Using OIDC authentication...');
|
||||
//generating ID-token
|
||||
federatedToken = yield core.getIDToken('api://AzureADTokenExchange');
|
||||
if (!!federatedToken) {
|
||||
if (environment != "azurecloud")
|
||||
throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
|
||||
}
|
||||
else {
|
||||
throw new Error("Could not get ID token for authentication.");
|
||||
}
|
||||
}
|
||||
// Attempting Az cli login
|
||||
if (environment == "azurestack") {
|
||||
if (!resourceManagerEndpointUrl) {
|
||||
@@ -144,22 +104,25 @@ function main() {
|
||||
yield executeAzCliCommand(`cloud set -n "${environment}"`, false);
|
||||
console.log(`Done setting cloud: "${environment}"`);
|
||||
// Attempting Az cli login
|
||||
var commonArgs = ["--service-principal",
|
||||
"-u", servicePrincipalId,
|
||||
"--tenant", tenantId
|
||||
];
|
||||
if (allowNoSubscriptionsLogin) {
|
||||
commonArgs = commonArgs.concat("--allow-no-subscriptions");
|
||||
}
|
||||
if (enableOIDC) {
|
||||
commonArgs = commonArgs.concat("--federated-token", federatedToken);
|
||||
let args = [
|
||||
"--allow-no-subscriptions",
|
||||
"--service-principal",
|
||||
"-u", servicePrincipalId,
|
||||
"-p", servicePrincipalKey,
|
||||
"--tenant", tenantId
|
||||
];
|
||||
yield executeAzCliCommand(`login`, true, {}, args);
|
||||
}
|
||||
else {
|
||||
commonArgs = commonArgs.concat("-p", servicePrincipalKey);
|
||||
}
|
||||
yield executeAzCliCommand(`login`, true, {}, commonArgs);
|
||||
if (!allowNoSubscriptionsLogin) {
|
||||
var args = [
|
||||
let args = [
|
||||
"--service-principal",
|
||||
"-u", servicePrincipalId,
|
||||
"-p", servicePrincipalKey,
|
||||
"--tenant", tenantId
|
||||
];
|
||||
yield executeAzCliCommand(`login`, true, {}, args);
|
||||
args = [
|
||||
"--subscription",
|
||||
subscriptionId
|
||||
];
|
||||
@@ -169,8 +132,7 @@ function main() {
|
||||
if (enableAzPSSession) {
|
||||
// Attempting Az PS login
|
||||
console.log(`Running Azure PS Login`);
|
||||
var spnlogin;
|
||||
spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl);
|
||||
const spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl);
|
||||
yield spnlogin.initialize();
|
||||
yield spnlogin.login();
|
||||
}
|
||||
|
||||
6192
package-lock.json
generated
6192
package-lock.json
generated
File diff suppressed because it is too large
Load Diff
@@ -18,7 +18,7 @@
|
||||
"typescript": "^3.6.3"
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/core": "1.6.0",
|
||||
"@actions/core": "^1.2.6",
|
||||
"@actions/exec": "^1.0.1",
|
||||
"@actions/io": "^1.0.1",
|
||||
"actions-secret-parser": "^1.0.2"
|
||||
|
||||
@@ -15,20 +15,17 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession {
|
||||
subscriptionId: string;
|
||||
resourceManagerEndpointUrl: string;
|
||||
allowNoSubscriptionsLogin: boolean;
|
||||
federatedToken: string;
|
||||
|
||||
constructor(servicePrincipalId: string,
|
||||
servicePrincipalKey: string,
|
||||
federatedToken: string,
|
||||
tenantId: string,
|
||||
constructor(servicePrincipalId: string,
|
||||
servicePrincipalKey: string,
|
||||
tenantId: string,
|
||||
subscriptionId: string,
|
||||
allowNoSubscriptionsLogin: boolean,
|
||||
environment: string,
|
||||
resourceManagerEndpointUrl: string) {
|
||||
|
||||
|
||||
this.servicePrincipalId = servicePrincipalId;
|
||||
this.servicePrincipalKey = servicePrincipalKey;
|
||||
this.federatedToken = federatedToken;
|
||||
this.tenantId = tenantId;
|
||||
this.subscriptionId = subscriptionId;
|
||||
this.environment = environment;
|
||||
@@ -55,7 +52,6 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession {
|
||||
const args: any = {
|
||||
servicePrincipalId: this.servicePrincipalId,
|
||||
servicePrincipalKey: this.servicePrincipalKey,
|
||||
federatedToken: this.federatedToken,
|
||||
subscriptionId: this.subscriptionId,
|
||||
environment: this.environment,
|
||||
scopeLevel: ServicePrincipalLogin.scopeLevel,
|
||||
|
||||
@@ -8,28 +8,17 @@ export default class ScriptBuilder {
|
||||
getAzPSLoginScript(scheme: string, tenantId: string, args: any): string {
|
||||
let command = `Clear-AzContext -Scope Process;
|
||||
Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue;`;
|
||||
|
||||
if (scheme === Constants.ServicePrincipal) {
|
||||
|
||||
if (args.environment.toLowerCase() == "azurestack") {
|
||||
command += `Add-AzEnvironment -Name ${args.environment} -ARMEndpoint ${args.resourceManagerEndpointUrl} | out-null;`;
|
||||
}
|
||||
// Separate command script for OIDC and non-OIDC
|
||||
if (!!args.federatedToken) {
|
||||
command += `Connect-AzAccount -ServicePrincipal -ApplicationId '${args.servicePrincipalId}' -Tenant '${tenantId}' -FederatedToken '${args.federatedToken}' \
|
||||
-Environment '${args.environment}' | out-null;`;
|
||||
}
|
||||
else {
|
||||
command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
|
||||
(New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
|
||||
-Environment '${args.environment}' | out-null;`;
|
||||
}
|
||||
// command to set the subscription
|
||||
command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
|
||||
(New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
|
||||
-Environment '${args.environment}' | out-null;`;
|
||||
if (args.scopeLevel === Constants.Subscription && !args.allowNoSubscriptionsLogin) {
|
||||
command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`;
|
||||
}
|
||||
}
|
||||
|
||||
this.script += `try {
|
||||
$ErrorActionPreference = "Stop"
|
||||
$WarningPreference = "SilentlyContinue"
|
||||
@@ -41,7 +30,6 @@ export default class ScriptBuilder {
|
||||
$output['${Constants.Error}'] = $_.exception.Message
|
||||
}
|
||||
return ConvertTo-Json $output`;
|
||||
|
||||
core.debug(`Azure PowerShell Login Script: ${this.script}`);
|
||||
return this.script;
|
||||
}
|
||||
@@ -63,5 +51,4 @@ export default class ScriptBuilder {
|
||||
core.debug(`GetLatestModuleScript: ${this.script}`);
|
||||
return this.script;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
144
src/main.ts
144
src/main.ts
@@ -20,10 +20,10 @@ async function main() {
|
||||
core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
|
||||
|
||||
azPath = await io.which("az", true);
|
||||
core.debug(`az cli version used: ${azPath}`);
|
||||
|
||||
let azureSupportedCloudName = new Set([
|
||||
"azureusgovernment",
|
||||
"azurechinacloud",
|
||||
"azureusgovernment",
|
||||
"azurechinacloud",
|
||||
"azuregermancloud",
|
||||
"azurecloud",
|
||||
"azurestack"]);
|
||||
@@ -38,69 +38,30 @@ async function main() {
|
||||
};
|
||||
await executeAzCliCommand("--version", true, execOptions);
|
||||
core.debug(`az cli version used:\n${output}`);
|
||||
|
||||
let creds = core.getInput('creds', { required: false });
|
||||
let secrets = creds ? new SecretParser(creds, FormatType.JSON) : null;
|
||||
|
||||
let creds = core.getInput('creds', { required: true });
|
||||
let secrets = new SecretParser(creds, FormatType.JSON);
|
||||
let servicePrincipalId = secrets.getSecret("$.clientId", false);
|
||||
let servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
|
||||
let tenantId = secrets.getSecret("$.tenantId", false);
|
||||
let subscriptionId = secrets.getSecret("$.subscriptionId", false);
|
||||
let resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
|
||||
let environment = core.getInput("environment").toLowerCase();
|
||||
const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
|
||||
const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
|
||||
|
||||
//Check for the credentials in individual parameters in the workflow.
|
||||
var servicePrincipalId = core.getInput('client-id', { required: false });;
|
||||
var servicePrincipalKey = null;
|
||||
var tenantId = core.getInput('tenant-id', { required: false });
|
||||
var subscriptionId = core.getInput('subscription-id', { required: false });
|
||||
var resourceManagerEndpointUrl = "https://management.azure.com/";
|
||||
var enableOIDC = true;
|
||||
var federatedToken = null;
|
||||
if (!servicePrincipalId || !servicePrincipalKey || !tenantId) {
|
||||
throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret and tenantId are supplied.");
|
||||
}
|
||||
|
||||
// If any of the individual credentials (clent_id, tenat_id, subscription_id) is present.
|
||||
if (servicePrincipalId || tenantId || subscriptionId) {
|
||||
|
||||
//If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs.
|
||||
if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
|
||||
throw new Error("Few credentials are missing. ClientId,tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
|
||||
}
|
||||
else {
|
||||
if (creds) {
|
||||
core.debug('using creds JSON...');
|
||||
enableOIDC = false;
|
||||
servicePrincipalId = secrets.getSecret("$.clientId", true);
|
||||
servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
|
||||
tenantId = secrets.getSecret("$.tenantId", true);
|
||||
subscriptionId = secrets.getSecret("$.subscriptionId", true);
|
||||
resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
|
||||
}
|
||||
else {
|
||||
throw new Error("Credentials are not passed for Login action.");
|
||||
}
|
||||
}
|
||||
//generic checks
|
||||
//servicePrincipalKey is only required in non-oidc scenario.
|
||||
if (!servicePrincipalId || !tenantId || !(servicePrincipalKey || enableOIDC)) {
|
||||
throw new Error("Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.");
|
||||
}
|
||||
if (!subscriptionId && !allowNoSubscriptionsLogin) {
|
||||
throw new Error("Not all values are present in the credentials. Ensure subscriptionId is supplied.");
|
||||
throw new Error("Not all values are present in the creds object. Ensure subscriptionId is supplied.");
|
||||
}
|
||||
if (!azureSupportedCloudName.has(environment)) {
|
||||
|
||||
if (!azureSupportedCloudName.has(environment)){
|
||||
throw new Error("Unsupported value for environment is passed.The list of supported values for environment are ‘azureusgovernment', ‘azurechinacloud’, ‘azuregermancloud’, ‘azurecloud’ or ’azurestack’");
|
||||
}
|
||||
|
||||
// OIDC specific checks
|
||||
if (enableOIDC) {
|
||||
console.log('Using OIDC authentication...')
|
||||
//generating ID-token
|
||||
federatedToken = await core.getIDToken('api://AzureADTokenExchange');
|
||||
if (!!federatedToken) {
|
||||
if (environment != "azurecloud")
|
||||
throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
|
||||
}
|
||||
else {
|
||||
throw new Error("Could not get ID token for authentication.");
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Attempting Az cli login
|
||||
if (environment == "azurestack") {
|
||||
if (!resourceManagerEndpointUrl) {
|
||||
@@ -120,71 +81,71 @@ async function main() {
|
||||
try {
|
||||
let baseUri = resourceManagerEndpointUrl;
|
||||
if (baseUri.endsWith('/')) {
|
||||
baseUri = baseUri.substring(0, baseUri.length - 1); // need to remove trailing / from resourceManagerEndpointUrl to correctly derive suffixes below
|
||||
baseUri = baseUri.substring(0, baseUri.length-1); // need to remove trailing / from resourceManagerEndpointUrl to correctly derive suffixes below
|
||||
}
|
||||
let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
|
||||
let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
|
||||
let suffixStorage = baseUri.substring(baseUri.indexOf('.')+1); // storage suffix starts without .
|
||||
let profileVersion = "2019-03-01-hybrid";
|
||||
await executeAzCliCommand(`cloud register -n "${environment}" --endpoint-resource-manager "${resourceManagerEndpointUrl}" --suffix-keyvault-dns "${suffixKeyvault}" --suffix-storage-endpoint "${suffixStorage}" --profile "${profileVersion}"`, false);
|
||||
}
|
||||
}
|
||||
catch (error) {
|
||||
core.error(`Error while trying to register cloud "${environment}": "${error}"`);
|
||||
}
|
||||
|
||||
console.log(`Done registering cloud: "${environment}"`)
|
||||
}
|
||||
|
||||
|
||||
await executeAzCliCommand(`cloud set -n "${environment}"`, false);
|
||||
console.log(`Done setting cloud: "${environment}"`);
|
||||
|
||||
// Attempting Az cli login
|
||||
var commonArgs = ["--service-principal",
|
||||
"-u", servicePrincipalId,
|
||||
"--tenant", tenantId
|
||||
];
|
||||
if (allowNoSubscriptionsLogin) {
|
||||
commonArgs = commonArgs.concat("--allow-no-subscriptions");
|
||||
}
|
||||
if (enableOIDC) {
|
||||
commonArgs = commonArgs.concat("--federated-token", federatedToken);
|
||||
let args = [
|
||||
"--allow-no-subscriptions",
|
||||
"--service-principal",
|
||||
"-u", servicePrincipalId,
|
||||
"-p", servicePrincipalKey,
|
||||
"--tenant", tenantId
|
||||
];
|
||||
await executeAzCliCommand(`login`, true, {}, args);
|
||||
}
|
||||
else {
|
||||
commonArgs = commonArgs.concat("-p", servicePrincipalKey);
|
||||
}
|
||||
await executeAzCliCommand(`login`, true, {}, commonArgs);
|
||||
|
||||
if (!allowNoSubscriptionsLogin) {
|
||||
var args = [
|
||||
let args = [
|
||||
"--service-principal",
|
||||
"-u", servicePrincipalId,
|
||||
"-p", servicePrincipalKey,
|
||||
"--tenant", tenantId
|
||||
];
|
||||
await executeAzCliCommand(`login`, true, {}, args);
|
||||
args = [
|
||||
"--subscription",
|
||||
subscriptionId
|
||||
];
|
||||
await executeAzCliCommand(`account set`, true, {}, args);
|
||||
}
|
||||
|
||||
isAzCLISuccess = true;
|
||||
if (enableAzPSSession) {
|
||||
// Attempting Az PS login
|
||||
console.log(`Running Azure PS Login`);
|
||||
var spnlogin: ServicePrincipalLogin;
|
||||
|
||||
spnlogin = new ServicePrincipalLogin(
|
||||
servicePrincipalId,
|
||||
servicePrincipalKey,
|
||||
federatedToken,
|
||||
tenantId,
|
||||
subscriptionId,
|
||||
const spnlogin: ServicePrincipalLogin = new ServicePrincipalLogin(
|
||||
servicePrincipalId,
|
||||
servicePrincipalKey,
|
||||
tenantId,
|
||||
subscriptionId,
|
||||
allowNoSubscriptionsLogin,
|
||||
environment,
|
||||
environment,
|
||||
resourceManagerEndpointUrl);
|
||||
await spnlogin.initialize();
|
||||
await spnlogin.login();
|
||||
}
|
||||
|
||||
console.log("Login successful.");
|
||||
console.log("Login successful.");
|
||||
}
|
||||
catch (error) {
|
||||
if (!isAzCLISuccess) {
|
||||
core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
|
||||
}
|
||||
}
|
||||
else {
|
||||
core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
|
||||
}
|
||||
@@ -198,13 +159,14 @@ async function main() {
|
||||
}
|
||||
|
||||
async function executeAzCliCommand(
|
||||
command: string,
|
||||
silent?: boolean,
|
||||
execOptions: any = {},
|
||||
command: string,
|
||||
silent?: boolean,
|
||||
execOptions: any = {},
|
||||
args: any = []) {
|
||||
|
||||
execOptions.silent = !!silent;
|
||||
try {
|
||||
await exec.exec(`"${azPath}" ${command}`, args, execOptions);
|
||||
await exec.exec(`"${azPath}" ${command}`, args, execOptions);
|
||||
}
|
||||
catch (error) {
|
||||
throw new Error(error);
|
||||
|
||||
Reference in New Issue
Block a user