[APIView] Remove ApiKey usage #13235
The following pipelines have been queued for testing:
Pull request overview
This PR removes API Key-based authentication from APIView in favor of Azure AD Bearer token authentication. The changes migrate from using a static API key to dynamically acquiring Azure AD tokens via the Azure CLI.
Key Changes:
- Replaced API Key authentication with Azure AD Bearer token authentication using `az account get-access-token`
- Updated API endpoints to use new lowercase paths (`/autoreview/upload` and `/autoreview/create`)
- Changed HTTP method from GET to POST for the create endpoint to follow RESTful conventions
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| eng/common/scripts/Create-APIReview.ps1 | Removed $APIKey parameter, added Get-ApiViewBearerToken() function for Azure AD authentication, updated API endpoints and authentication headers in both upload functions |
| eng/common/pipelines/templates/steps/create-apireview.yml | Changed from Powershell@2 to AzureCLI@2 task to enable Azure authentication context, added AzureServiceConnection parameter, removed API key argument |
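
The pattern summarized in the review above, sketched as an added example; it is not the PR's code and not the body of `Get-ApiViewBearerToken()`. The function names, the `$Query` parameter, and the `<apiview-app-id-uri>` and `<apiview-host>` placeholders are assumptions, and the script expects an already authenticated Azure CLI context such as an `AzureCLI@2` task.

```powershell
# Added example. Helper names and placeholders are hypothetical; the page does not
# give the token audience or the service host.
$ApiViewResource = '<apiview-app-id-uri>'
$ApiViewBaseUrl  = 'https://<apiview-host>'

function Get-BearerTokenFromAzCli {
    param([Parameter(Mandatory)][string]$Resource)

    # Only stdout is captured, and --query/--output reduce it to the token string.
    $token = az account get-access-token --resource $Resource --query accessToken --output tsv
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($token)) {
        # Report the exit code only; the captured output is never written to the log.
        throw "az account get-access-token failed (exit code $LASTEXITCODE)."
    }
    return $token.Trim()
}

function Invoke-AutoReviewCreate {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,
        [Parameter(Mandatory)][string]$Token,
        [hashtable]$Query = @{}   # assumption: request details are passed as query parameters
    )

    $pairs = $Query.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f [uri]::EscapeDataString([string]$_.Key), [uri]::EscapeDataString([string]$_.Value)
    }
    $uri = '{0}/autoreview/create' -f $BaseUrl.TrimEnd('/')
    if ($pairs) { $uri = '{0}?{1}' -f $uri, ($pairs -join '&') }

    try {
        # POST with the short-lived token in the Authorization header, replacing the static API key.
        return Invoke-RestMethod -Method Post -Uri $uri -Headers @{ Authorization = "Bearer $Token" }
    }
    catch {
        # Surface the HTTP status only, so neither the token nor the response body reaches the log.
        $status = $_.Exception.Response.StatusCode
        throw "POST /autoreview/create failed with status '$status'."
    }
}

# Usage (values are constructed for illustration):
# $token = Get-BearerTokenFromAzCli -Resource $ApiViewResource
# Invoke-AutoReviewCreate -BaseUrl $ApiViewBaseUrl -Token $token -Query @{ label = 'example' }
```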
weshaggard
left a comment
Please be sure to follow the eng/common sync workflow to ensure this syncs to all the language repos.
/check-enforcer evaluate

@AlitzelMendez you need to follow the next set of steps: https://github.com/Azure/azure-sdk-tools/blob/main/eng/common/README.md#workflow. Let's not override check-enforcer, as it shouldn't be needed.
Sync eng/common directory with azure-sdk-tools for PR Azure/azure-sdk-tools#13235

See [eng/common workflow](https://github.com/Azure/azure-sdk-tools/blob/main/eng/common/README.md#workflow)

---------

Co-authored-by: Alitzel Mendez <almend@microsoft.com>
* [DNM][WIP][API View] Remove ApiKey usage
* Add -TestAuth flag to verify Bearer token authentication
* TEMP: Enable TestAuthOnly for pipeline testing
* [APIView] Remove testing logs
* Additional clean up
* Keep apikey fallback while migrating
* [APIView] Keep migration to new endpoint
* [APIView] Keep migration to new endpoint
* Feedback
…on (#9501)

- [x] Review Azure SDK PR #13235 pattern for removing API Key authentication
- [x] Update Create-APIReview.ps1 to remove API Key parameter and add Bearer token authentication
  - Removed `$APIKey` parameter from script
  - Added `Get-ApiViewBearerToken()` function that acquires Azure AD tokens via `az account get-access-token`
  - Updated `Upload-SourceArtifact` to use Bearer token instead of API Key
  - Updated `Upload-ReviewTokenFile` to use Bearer token instead of API Key
  - Changed API endpoints from `UploadAutoReview` to `upload` and `CreateApiReview` to `create` (lowercase)
  - Changed HTTP method from GET to POST for the create endpoint
  - Improved error handling with more detailed error messages
- [x] Update create-apireview.yml to use AzureCLI@2 task instead of Powershell@2 task
  - Changed task from `Powershell@2` to `AzureCLI@2`
  - Added `AzureServiceConnection` parameter with default value "APIView prod deployment"
  - Removed `-APIKey $(azuresdk-apiview-apikey)` argument
  - Removed `pwsh: true` (not needed with AzureCLI@2)
  - Added `azureSubscription`, `scriptType`, and `scriptLocation` inputs
- [x] Address security concern: removed potentially sensitive token response from error logging

Original prompt:

> *This section details on the original issue you should resolve*
>
> Issue title: Stop using Api Key in Create-ApiReview script
>
> Issue description: We can follow the same pattern as used in Azure/azure-sdk-tools#13235
>
> And apply those changes to https://github.com/microsoft/typespec/blob/main/eng/emitters/scripts/Create-APIReview.ps1
>
> Also need to update https://github.com/microsoft/typespec/blob/main/eng/emitters/pipelines/templates/steps/create-apireview.yml

- Fixes #9500

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: JoshLove-msft <54595583+JoshLove-msft@users.noreply.github.com>
second part of: #12484