Skip to content

Commit

Permalink
Update README.md for azure/login@v2 (#423)
Browse files Browse the repository at this point in the history
* update readme

* fix lint error

* remove 'en' from link
  • Loading branch information
MoChilia authored Mar 4, 2024
1 parent c847559 commit 81e1d9f
Showing 1 changed file with 13 additions and 33 deletions.
46 changes: 13 additions & 33 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
- [Login to Azure US Government cloud](#login-to-azure-us-government-cloud)
- [Login to Azure Stack Hub](#login-to-azure-stack-hub)
- [Login without subscription](#login-without-subscription)
- [Az logout and security hardening](#az-logout-and-security-hardening)
- [Security hardening](#security-hardening)
- [Azure CLI dependency](#azure-cli-dependency)
- [Reference](#reference)
- [GitHub Action](#github-action)
Expand Down Expand Up @@ -190,7 +190,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Azure login
uses: azure/login@v1
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
Expand Down Expand Up @@ -220,7 +220,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Azure login
uses: azure/login@v1
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
Expand Down Expand Up @@ -282,7 +282,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: azure/login@v1
- uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
Expand Down Expand Up @@ -310,7 +310,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: azure/login@v1
- uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
enable-AzPSSession: true
Expand All @@ -333,7 +333,7 @@ jobs:
If you want to pass subscription ID, tenant ID, client ID, and client secret as individual parameters instead of bundling them in a single JSON object to address the [security concerns](https://docs.github.com/actions/security-guides/encrypted-secrets), below snippet can help with the same.

```yaml
- uses: Azure/login@v1
- uses: azure/login@v2
with:
creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
```
Expand Down Expand Up @@ -377,7 +377,7 @@ jobs:
runs-on: self-hosted
steps:
- name: Azure login
uses: azure/login@v1
uses: azure/login@v2
with:
auth-type: IDENTITY
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
Expand Down Expand Up @@ -443,7 +443,7 @@ jobs:
runs-on: self-hosted
steps:
- name: Azure login
uses: azure/login@v1
uses: azure/login@v2
with:
auth-type: IDENTITY
client-id: ${{ secrets.AZURE_CLIENT_ID }}
Expand Down Expand Up @@ -483,7 +483,7 @@ jobs:
runs-on: ubuntu-latest
steps:

- uses: azure/login@v1
- uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: 'AzureUSGovernment'
Expand All @@ -506,7 +506,7 @@ jobs:
runs-on: ubuntu-latest
steps:

- uses: azure/login@v1
- uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: 'AzureStack'
Expand Down Expand Up @@ -534,7 +534,7 @@ jobs:
steps:

- name: Azure Login
uses: azure/login@v1
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
Expand All @@ -556,30 +556,10 @@ jobs:
Get-AzContext
```
## Az logout and security hardening
This action doesn't implement ```az logout``` by default at the end of execution. However, there is no way to tamper with the credentials or account information because the GitHub-hosted runner is on a VM that will get re-imaged for every customer run, which deletes everything. But if the runner is self-hosted (not provided by GitHub), it is recommended to manually log out at the end of the workflow, as shown below. More details on security of the runners can be found [here](https://docs.github.com/actions/learn-github-actions/security-hardening-for-github-actions#hardening-for-self-hosted-runners).
## Security hardening
> [!WARNING]
> When using self hosted runners it is possible to have multiple runners on a single VM. Currently if your runners share a single user on the VM each runner will share the same credentials. That means in detail that each runner is able to change the permissions of another run. As a workaround we propose to use one single VM user per runner. If you start the runner as a service, do not forget to add the [optional user argument](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#installing-the-service)

```yaml
- name: Azure CLI script
uses: azure/CLI@v1
with:
inlineScript: |
az logout
az cache purge
az account clear
- name: Azure PowerShell script
uses: azure/powershell@v1
with:
azPSVersion: "latest"
inlineScript: |
Clear-AzContext -Scope Process
Clear-AzContext -Scope CurrentUser
```
> When using self hosted runners it is possible to have multiple runners on a single VM. Currently if your runners share a single user on the VM each runner will share the same credentials. That means in detail that each runner is able to change the permissions of another run. As a workaround we propose to use one single VM user per runner. If you start the runner as a service, do not forget to add the [optional user argument](https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#installing-the-service)
## Azure CLI dependency
Expand Down

0 comments on commit 81e1d9f

Please sign in to comment.