mirror of
https://github.com/azure/login.git
synced 2026-03-15 09:20:56 -04:00
Compare commits
4 Commits
releases/v
...
sy/improve
| Author | SHA1 | Date | |
|---|---|---|---|
|
45e1441e56 | ||
|
|
f6557e8b4e | ||
|
|
2e05c531c4 | ||
|
|
2d52a1a40d |
74
.github/workflows/azure-login-positive.yml
vendored
74
.github/workflows/azure-login-positive.yml
vendored
@@ -239,77 +239,3 @@ jobs:
|
||||
throw "Not all checks passed!"
|
||||
}
|
||||
|
||||
InDockerTest:
|
||||
runs-on: ubuntu-latest
|
||||
container: ubuntu:24.04
|
||||
environment: Automation test
|
||||
steps:
|
||||
- name: 'Checking out repo code'
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Set Node.js 20.x for GitHub Action
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
|
||||
- name: Install Azure CLI
|
||||
run: |
|
||||
apt-get update
|
||||
apt-get install -y curl
|
||||
curl -sL https://aka.ms/InstallAzureCLIDeb | bash
|
||||
|
||||
- name: Check Azure CLI Version
|
||||
run: |
|
||||
az --version
|
||||
|
||||
- name: Install Powershell
|
||||
run: |
|
||||
apt-get update
|
||||
apt-get install -y wget
|
||||
wget https://mirror.it.ubc.ca/ubuntu/pool/main/i/icu/libicu72_72.1-3ubuntu3_amd64.deb
|
||||
dpkg -i libicu72_72.1-3ubuntu3_amd64.deb
|
||||
wget https://github.com/PowerShell/PowerShell/releases/download/v7.4.3/powershell_7.4.3-1.deb_amd64.deb
|
||||
dpkg -i powershell_7.4.3-1.deb_amd64.deb
|
||||
|
||||
- name: Check Powershell Version
|
||||
shell: pwsh
|
||||
run: |
|
||||
$PSVersionTable
|
||||
|
||||
- name: Install Azure Powershell
|
||||
shell: pwsh
|
||||
run: |
|
||||
Install-Module -Name Az -Repository PSGallery -Force
|
||||
|
||||
- name: Check Azure Powershell Version
|
||||
shell: pwsh
|
||||
run: |
|
||||
Get-Module -ListAvailable Az
|
||||
|
||||
- name: 'Validate build'
|
||||
run: |
|
||||
npm install
|
||||
npm run build
|
||||
|
||||
- name: 'Run L0 tests'
|
||||
run: |
|
||||
npm run test
|
||||
|
||||
- name: Login with individual parameters
|
||||
uses: ./
|
||||
with:
|
||||
client-id: ${{ secrets.SP1_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.SP1_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
|
||||
enable-AzPSSession: true
|
||||
|
||||
- name: Run Azure Cli again
|
||||
run: |
|
||||
az group list --output none
|
||||
|
||||
- name: Run Azure PowerShell again
|
||||
uses: azure/powershell@v2
|
||||
with:
|
||||
azPSVersion: "latest"
|
||||
inlineScript: |
|
||||
$checkResult = Get-AzResourceGroup
|
||||
|
||||
113
README.md
113
README.md
@@ -19,7 +19,6 @@
|
||||
- [Login to Azure US Government cloud](#login-to-azure-us-government-cloud)
|
||||
- [Login to Azure Stack Hub](#login-to-azure-stack-hub)
|
||||
- [Login without subscription](#login-without-subscription)
|
||||
- [Enable/Disable the cleanup steps](#enabledisable-the-cleanup-steps)
|
||||
- [Security hardening](#security-hardening)
|
||||
- [Azure CLI dependency](#azure-cli-dependency)
|
||||
- [Reference](#reference)
|
||||
@@ -156,7 +155,7 @@ Refer to [Login With System-assigned Managed Identity](#login-with-system-assign
|
||||
> - Ensure the CLI version is 2.30 or above to support login with OIDC.
|
||||
> - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by Service Principal is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hours. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details.
|
||||
|
||||
Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on a service principal or a managed identity.
|
||||
Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on an service principal or a managed identity.
|
||||
|
||||
- Prepare a service principal for Login with OIDC
|
||||
- [Create a service principal and assign a role to it](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal)
|
||||
@@ -556,116 +555,6 @@ jobs:
|
||||
Get-AzContext
|
||||
```
|
||||
|
||||
### Enable/Disable the cleanup steps
|
||||
|
||||
In Azure Login Action, "cleanup" means cleaning up the login context. For security reasons, we recommend users run cleanup every time. But in some scenarios, users need flexible control over cleanup.
|
||||
|
||||
Referring to [`runs` for JavaScript actions](https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions), there are 3 steps in an action: `pre:`, `main:` and `post:`. Azure Login Action only implement 2 steps: `main:` and `post:`.
|
||||
|
||||
There are 2 "cleanup" steps in Azure Login Action:
|
||||
|
||||
- cleanup in `main:`
|
||||
- It's **disabled** by default.
|
||||
- Users can enable it by setting an env variable `AZURE_LOGIN_PRE_CLEANUP` to `true`.
|
||||
- cleanup in `post:`
|
||||
- It's **enabled** by default.
|
||||
- Users can disable it by setting an env variable `AZURE_LOGIN_POST_CLEANUP` to `false`.
|
||||
|
||||
Azure Login Action use env variables to enable or disable cleanup steps. In GitHub Actions, there are three valid scopes for env variables.
|
||||
|
||||
- [env](https://docs.github.com/actions/writing-workflows/workflow-syntax-for-github-actions#env)
|
||||
- valid for all jobs in this workflow.
|
||||
- [jobs.<job_id>.env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idenv)
|
||||
- valid for all the steps in the job.
|
||||
- [jobs.<job_id>.steps[*].env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv)
|
||||
- only valid for the step in a job.
|
||||
|
||||
We set `jobs.<job_id>.steps[*].env` for example. Users can set `env` or `jobs.<job_id>.env` for a wider scope.
|
||||
|
||||
```yaml
|
||||
# File: .github/workflows/workflow.yml
|
||||
|
||||
on: [push]
|
||||
|
||||
name: Cleanup examples for Multiple Azure Login
|
||||
|
||||
jobs:
|
||||
|
||||
deploy:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
# enable cleanup for the 1st Azure Login
|
||||
- name: Azure Login
|
||||
uses: azure/login@v2
|
||||
env:
|
||||
AZURE_LOGIN_PRE_CLEANUP: true
|
||||
AZURE_LOGIN_POST_CLEANUP: true
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
enable-AzPSSession: true
|
||||
|
||||
# run some actions
|
||||
|
||||
# disable cleanup for all other Azure Login
|
||||
- name: Azure Login 2
|
||||
uses: azure/login@v2
|
||||
env:
|
||||
AZURE_LOGIN_PRE_CLEANUP: false
|
||||
AZURE_LOGIN_POST_CLEANUP: false
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID_2 }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID_2 }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_2 }}
|
||||
enable-AzPSSession: true
|
||||
|
||||
# run other actions
|
||||
|
||||
# disable cleanup for all other Azure Login
|
||||
- name: Azure Login 3
|
||||
uses: azure/login@v2
|
||||
env:
|
||||
AZURE_LOGIN_PRE_CLEANUP: false
|
||||
AZURE_LOGIN_POST_CLEANUP: false
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID_3 }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID_3 }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_3 }}
|
||||
enable-AzPSSession: true
|
||||
|
||||
# run other actions
|
||||
```
|
||||
|
||||
```yaml
|
||||
# File: .github/workflows/workflow.yml
|
||||
|
||||
on: [push]
|
||||
|
||||
name: Disable cleanup for GitHub Hosted Runners
|
||||
|
||||
jobs:
|
||||
|
||||
deploy:
|
||||
runs-on: [ubuntu-latest, self-hosted]
|
||||
steps:
|
||||
|
||||
- name: Azure Login
|
||||
uses: azure/login@v2
|
||||
env:
|
||||
AZURE_LOGIN_PRE_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
|
||||
AZURE_LOGIN_POST_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
enable-AzPSSession: true
|
||||
|
||||
# run some actions
|
||||
|
||||
```
|
||||
|
||||
## Security hardening
|
||||
|
||||
> [!WARNING]
|
||||
|
||||
@@ -39,6 +39,8 @@ branding:
|
||||
color: 'blue'
|
||||
runs:
|
||||
using: 'node20'
|
||||
pre: 'lib/cleanup/index.js'
|
||||
pre-if: (! env.AZURE_LOGIN_PRE_CLEANUP_OFF)
|
||||
main: 'lib/main/index.js'
|
||||
post-if: (!env.AZURE_LOGIN_POST_CLEANUP || env.AZURE_LOGIN_POST_CLEANUP != 'false')
|
||||
post: 'lib/cleanup/index.js'
|
||||
post-if: (! env.AZURE_LOGIN_POST_CLEANUP_OFF)
|
||||
|
||||
4632
lib/cleanup/index.js
4632
lib/cleanup/index.js
File diff suppressed because it is too large
Load Diff
4918
lib/main/index.js
4918
lib/main/index.js
File diff suppressed because it is too large
Load Diff
4
package-lock.json
generated
4
package-lock.json
generated
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "login",
|
||||
"version": "2.2.0",
|
||||
"version": "2.0.0",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "login",
|
||||
"version": "2.2.0",
|
||||
"version": "2.0.0",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "1.9.1",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "login",
|
||||
"version": "2.2.0",
|
||||
"version": "2.0.0",
|
||||
"description": "Login Azure wraps the az login, allowing for Azure actions to log into Azure",
|
||||
"main": "lib/main/index.js",
|
||||
"scripts": {
|
||||
|
||||
@@ -7,8 +7,8 @@ import { AzPSConstants, AzPSUtils } from '../PowerShell/AzPSUtils';
|
||||
export function setUserAgent(): void {
|
||||
let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
|
||||
let actionName = 'AzureLogin';
|
||||
process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
|
||||
process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
|
||||
process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
|
||||
process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
|
||||
}
|
||||
|
||||
export async function cleanupAzCLIAccounts(): Promise<void> {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import * as core from '@actions/core';
|
||||
import { cleanupAzCLIAccounts, cleanupAzPSAccounts, setUserAgent } from './common/Utils';
|
||||
import { setUserAgent } from './common/Utils';
|
||||
import { AzPSLogin } from './PowerShell/AzPSLogin';
|
||||
import { LoginConfig } from './common/LoginConfig';
|
||||
import { AzureCliLogin } from './Cli/AzureCliLogin';
|
||||
@@ -7,13 +7,6 @@ import { AzureCliLogin } from './Cli/AzureCliLogin';
|
||||
async function main() {
|
||||
try {
|
||||
setUserAgent();
|
||||
const preCleanup: string = process.env.AZURE_LOGIN_PRE_CLEANUP;
|
||||
if ('true' == preCleanup) {
|
||||
await cleanupAzCLIAccounts();
|
||||
if (core.getInput('enable-AzPSSession').toLowerCase() === "true") {
|
||||
await cleanupAzPSAccounts();
|
||||
}
|
||||
}
|
||||
|
||||
// prepare the login configuration
|
||||
var loginConfig = new LoginConfig();
|
||||
|
||||
Reference in New Issue
Block a user