Skip to content

Azure OIDC accounts #2004

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
benPearce1 merged 10 commits into from
Nov 1, 2023
Merged

Azure OIDC accounts #2004

benPearce1 merged 10 commits into from
Nov 1, 2023

Conversation

@benPearce1
Copy link
Contributor

@benPearce1 benPearce1 commented Sep 22, 2023
edited
Loading

[sc-58116]

PR adds descriptions of main Azure OIDC functionality and refactors the supplied scripts to pull the common bits (create service principal) and specific bits (create password for service principal, create federated creds for service principal)
Adds overview of configuration for OIDC
Adds brief overview of signing keys

@shortcut-integration
Copy link

shortcut-integration bot commented Sep 22, 2023

This pull request has been linked to Shortcut Story #58116: Docs.

@benPearce1 benPearce1 changed the title initial unfinished work Azure OIDC accounts Nov 1, 2023
@benPearce1 benPearce1 marked this pull request as ready for review November 1, 2023 02:07
IsaacCalligeros95
IsaacCalligeros95 reviewed Nov 1, 2023
View reviewed changes
src/pages/docs/infrastructure/accounts/azure/index.md
# This script will create a new service principal for you to use in Octopus Deploy using the Az PowerShell modules. This will work with both PowerShell and PowerShell Core.
# this script will create a new Azure AD App Registration
$AzureTenantId = "2a681dca-3230-4e01-abcb-b1fd225c0982" # Replace with your Tenant Id
Copy link
Contributor

@IsaacCalligeros95 IsaacCalligeros95 Nov 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Is there a reason this has the tenant specified? This is a pre-existing part of the docs so I'm happy for it to be left as is, the inconsistency is just a bit odd.

Copy link
Contributor Author

@benPearce1 benPearce1 Nov 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the Azure Active Directory tenant , not an Octopus one

Copy link
Contributor

@IsaacCalligeros95 IsaacCalligeros95 Nov 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦‍♂️

IsaacCalligeros95
IsaacCalligeros95 reviewed Nov 1, 2023
View reviewed changes
IsaacCalligeros95
IsaacCalligeros95 reviewed Nov 1, 2023
View reviewed changes
IsaacCalligeros95
IsaacCalligeros95 reviewed Nov 1, 2023
View reviewed changes
Copy link
Contributor

@IsaacCalligeros95 IsaacCalligeros95 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just a couple of questions/suggestions

  • Should we mention the Octopus.OpenIdConnect.Jwt variable that gets set and used for token exchange? This could be useful for customers looking to handle their own token exchanges in scripts.

  • Can we mention supported tool versions somewhere? In particular for terraform the azurerm terraform provider we require a minimum version of 3.22. Azure cli added support for MSAL in 2.30 which is required for the az login ... --federated-token command

IsaacCalligeros95
IsaacCalligeros95 reviewed Nov 1, 2023
View reviewed changes
src/pages/docs/infrastructure/accounts/openid-connect.md Outdated

## Authenticating using OpenID Connect with third party services and tools

If you have a third-party service or tool that supports OpenID Connect, you can add any OIDC account variable into your projects variable set and use the `Octopus.OpenIDConnect.Jwt` variable to get access to the request token that can be used for authenticating.
Copy link
Contributor

@IsaacCalligeros95 IsaacCalligeros95 Nov 1, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I was mistaken before, when using the variables it should be <AccountName>.OpenIDConnect.Jwt

IsaacCalligeros95
IsaacCalligeros95 approved these changes Nov 1, 2023
View reviewed changes
Copy link
Contributor

@IsaacCalligeros95 IsaacCalligeros95 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's just the variable name to update when using project variables, other than that LGTM

hnrkndrssn
hnrkndrssn approved these changes Nov 1, 2023
View reviewed changes
Copy link
Contributor

@hnrkndrssn hnrkndrssn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor nit but looks good otherwise.

@benPearce1 benPearce1 merged commit 991615d into main Nov 1, 2023
@benPearce1 benPearce1 deleted the bp/oidc-client branch November 1, 2023 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hnrkndrssn hnrkndrssn hnrkndrssn approved these changes

@IsaacCalligeros95 IsaacCalligeros95 IsaacCalligeros95 approved these changes

@veochen-octopus veochen-octopus Awaiting requested review from veochen-octopus

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@benPearce1 @hnrkndrssn @IsaacCalligeros95 @steve-fenton-octopus