This repository has been archived by the owner on Sep 29, 2020. It is now read-only.

Support for service principal authentication #21

Closed
karolz-ms opened this issue Jul 15, 2020 · 5 comments
Comments

@karolz-ms

In order to use Docker CLI integration with ACI in CI/CD scenarios, docker login azure should support authentication using service principal name/password (a.k.a. application ID/secret).

Sample scenario (using Azure CLI): https://docs.microsoft.com/en-us/azure/container-instances/container-instances-github-action

This is how the equivalent Azure CLI command looks:

# Log in with a service principal using client secret. Use -p=secret if the first character of the password is '-'.
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com

I believe the relevant Azure Golang SDK method to get the token is acquireTokenClientSecretFlow: https://github.com/Azure/go-autorest/blob/master/autorest/adal/cmd/adal.go#L120

@chris-crone
Contributor

Thanks for raising this @karolz-ms! I've added it to our backlog.

@gtardif
Collaborator

gtardif commented Aug 6, 2020

Thanks for the proposal. Actually we looked at Service provider login for our CI as well.
One issue I see at the moment with providing this to users is that, logging in through this method, I get an access token (valid for 1h) but no refresh token. So unlike the classic login, where the token is refreshed automatically, here the user has a token valid for 1h and then gets an error message saying he needs to log in again.
Maybe I missed something when implementing this; we can investigate a bit more to define what the best solution is to improve this, or whether we are happy to provide this in the CLI knowing the token will expire and not automatically refresh in this case. (cc @nebuk89)

@gtardif
Collaborator

gtardif commented Aug 12, 2020

Discussing this a bit further with @nebuk89, we'll include this in the CLI with the limitation that Service Principal login will obtain only an access token and no refresh token; the user will need to manually re-login when the token expires. This should not be an issue for CI use cases.
The CLI will provide: docker login azure --client-id xxx --client-secret yyy --tenant-id zzz

@karolz-ms
Author

Makes sense, thanks Guillaume! I found this doc, which suggests that the client credentials flow can only produce an access token, and not a refresh token: https://docs.microsoft.com/en-us/azure/active-directory/develop/security-tokens#how-each-flow-emits-tokens-and-codes

Like you said, this is sufficient for the CI scenario.
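The behaviour the thread settles on, as an added example that is not code from the project this issue belongs to or from go-autorest: a small Go helper that runs the OAuth2 client credentials grant, records that the reply carries no refresh_token, and decides when a CI job must simply log in again instead of refreshing. The v2.0 token endpoint URL, the management scope string and the environment variable names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// Credential is what a CI job holds after a service principal login; Refreshable is false for client credentials.
type Credential struct {
	AccessToken string
	ExpiresOn   time.Time
	Refreshable bool
}

// AcquireClientCredentials runs the OAuth2 client credentials grant against tokenURL (a parameter so tests can run offline).
func AcquireClientCredentials(client *http.Client, tokenURL, clientID, secret, scope string, now time.Time) (*Credential, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID}, "client_secret": {secret}, "scope": {scope}}
	resp, err := client.PostForm(tokenURL, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var tr struct { // the subset of the reply we use; a client credentials reply never sets refresh_token
		AccessToken  string `json:"access_token"`
		RefreshToken string `json:"refresh_token"`
		ExpiresIn    int64  `json:"expires_in"` // seconds, typically 3599
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.AccessToken == "" {
		return nil, fmt.Errorf("no access_token in reply (HTTP %s, decode error: %v)", resp.Status, err)
	}
	return &Credential{tr.AccessToken, now.Add(time.Duration(tr.ExpiresIn) * time.Second), tr.RefreshToken != ""}, nil
}

// NeedsRelogin reports whether the token expires within skew; without a refresh token the only remedy is a new login.
func NeedsRelogin(c *Credential, now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(c.ExpiresOn)
}
func main() { // real login from the same three values the CLI flags take, read from env vars (an assumption)
	endpoint := "https://login.microsoftonline.com/" + os.Getenv("AZURE_TENANT_ID") + "/oauth2/v2.0/token"
	c, err := AcquireClientCredentials(http.DefaultClient, endpoint, os.Getenv("AZURE_CLIENT_ID"), os.Getenv("AZURE_CLIENT_SECRET"), "https://management.azure.com/.default", time.Now())
	if err != nil {
		fmt.Println("login failed:", err) // never echo the token itself into CI logs
		os.Exit(1)
	}
	fmt.Printf("token expires %s; refreshable=%v\n", c.ExpiresOn.Format(time.RFC3339), c.Refreshable)
}
```

A CI pipeline would call NeedsRelogin with a few minutes of skew before each long step and rerun the login when it returns true, which is exactly the manual re-login the thread describes.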

@gtardif
Collaborator

gtardif commented Aug 31, 2020

Available since v0.1.12, using docker login azure --client-id xx --client-secret yy --tenant-id zz

gtardif closed this as completed Aug 31, 2020