From 8bc68012776292aad60da3180e404c0bfac668b8 Mon Sep 17 00:00:00 2001
From: Lessley Dennington <ledennin@microsoft.com>
Date: Fri, 26 Aug 2022 16:07:22 -0700
Subject: [PATCH] release: access Azure Storage Account with login credentials

Use --auth-mode login command to access ESRP Azure Storage Account instead
of AZURE_STORAGE_KEY. This allows us to reuse the git-fundamentals-esrp
service principal login credentials we're already using for other
resources and is a more secure mode of access than using the storage key.
---
 .github/set_up_esrp.ps1       | 2 +-
 .github/workflows/release.yml | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/.github/set_up_esrp.ps1 b/.github/set_up_esrp.ps1
index e62e87620..ca56266e3 100644
--- a/.github/set_up_esrp.ps1
+++ b/.github/set_up_esrp.ps1
@@ -1,5 +1,5 @@
 # Install ESRP client
-az storage blob download --file esrp.zip --account-key "$env:AZURE_STORAGE_KEY" --account-name esrpsigningstorage --container signing-resources --name microsoft.esrpclient.1.2.76.nupkg
+az storage blob download --file esrp.zip --auth-mode login --account-name esrpsigningstorage --container signing-resources --name microsoft.esrpclient.1.2.76.nupkg
 Expand-Archive -Path esrp.zip -DestinationPath .\esrp
 
 # Install certificates
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ced522ee4..5c340dcf6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -101,7 +101,6 @@ jobs:
     - name: Set up ESRP client
       shell: pwsh
       env:
-        AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
         AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
         AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
         REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
@@ -211,7 +210,6 @@ jobs:
     - name: Set up ESRP client
       shell: pwsh
       env:
-        AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
         AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
         AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
         REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
@@ -296,7 +294,6 @@ jobs:
     - name: Set up ESRP client
       shell: pwsh
       env:
-        AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
         AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
         AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
         REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
@@ -414,7 +411,6 @@ jobs:
     - name: Set up ESRP client
       shell: pwsh
       env:
-        AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
         AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
         AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
         REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}