Add support for OIDC during prebuild #63
Conversation
Co-authored-by: David Michon <[email protected]>
Co-authored-by: David Michon <[email protected]>
|
I need to do some manual testing soon, but the expectation I have is that the code will create an environment variable with the name provided in Thanks for the fixes. I let Copilot Workspace write some of the code and still need to look at it more closely obviously |
|
@dmichon-msft I did some research and I do not believe the environment variable will still be set when the |
A couple of ideas:
|
|
So the second option sounds pretty doable. I think we can start with that and as a couple of teams use this we can see if there is something to make it easier. |
Aside from just being the correct place to get the token this also allows a user to run this command after clone to get a token on stdout
|
@dmichon-msft I think I have it now. I was adding the token code in the wrong place anyway. So it is now in a command |
|
I was able to test and verify this all works now. Just doing some final testing of a few error scenarios to make sure they can be diagnosed then will merge and publish |
Secret-less Azure DevOps Prebuilds
It is possible to avoid using PATs entirely and dynamically obtain a token during prebuild using
OIDC. This requires creating a Managed Identity or App Registration in Entra, and creating a
Federated Identity Credential on the Service Principal for the branch you are prebuilding. The
Service Principal created must also be added to Azure DevOps and given permission to the repositories
and feeds you will be accessing during the prebuild process. The configuration replaces the
cloneSecretwith parameters for the Azure
clientIDandtenantIDand also requires adding the feature forthe azure-cli:
{ "image": "mcr.microsoft.com/devcontainers/universal:ubuntu", "features": { "ghcr.io/devcontainers/features/azure-cli:1": {}, "ghcr.io/microsoft/codespace-features/external-repository:latest": { "cloneUrl": "https://dev.azure.com/contoso/_git/reposname", "clientID": "xxxx-yyyy-zzzz", "tenantID": "1111-2222-3333", "folder": "/workspaces/ado-repos" } }, "workspaceFolder": "/workspaces/ado-repos", "initializeCommand": "mkdir -p ${localWorkspaceFolder}/../ado-repos", "onCreateCommand": "external-git clone", "postStartCommand": "external-git config" }In this scenario, during the prebuild process an ADO token will be obtained via OIDC and the Federated Identity Credential.
This token will be used during the git clone process only. If you have other scripts you are running during
onCreateCommandyou can run the commandexternal-git prebuildand the ADO token will be sent to stdout for youto use in your scripts to install dependencies from feeds or anything else you may need. The token will only be
available during the prebuild process and this has to be done after the clone command so that the OIDC login has
already happened.
Note
You MUST install the Azure CLI feature in your devcontainer.json if using this option