Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use OIDC creds to deploy #364

Merged
merged 4 commits into from
Jun 6, 2023
Merged

Use OIDC creds to deploy #364

merged 4 commits into from
Jun 6, 2023

Conversation

camertron
Copy link
Contributor

@camertron camertron commented May 26, 2023
edited
Loading

This PR performs deploys using federated OIDC credentials in favor of the existing basic auth-based publish profile. Can confirm it works for prod deploys 👍

See also:

  1. Terraform change to create a new service principal (SPN): https://github.com/github/azure-rbac/pull/945
  2. Terraform change to give the new SPN access to our subscription: https://github.com/github/azure-rbac/pull/946

@camertron camertron temporarily deployed to github-pages May 26, 2023 22:16 — with GitHub Actions Inactive
@camertron camertron mentioned this pull request May 26, 2023
Closed
@camertron camertron temporarily deployed to production May 26, 2023 22:46 — with GitHub Actions Inactive
@camertron camertron marked this pull request as ready for review May 26, 2023 22:49
@camertron camertron requested a review from rezrah May 27, 2023 02:59
rezrah
rezrah approved these changes May 29, 2023
View reviewed changes
Copy link
Contributor

@rezrah rezrah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great @camertron, thanks for moving this over ✨. Have you verified this works in staging?

One comment about using secrets for the creds. Even if those values aren't compromising, I think we should mitigate by following the examples in docs verbatim.

@camertron
Copy link
Contributor Author

camertron commented May 30, 2023
edited
Loading

Unfortunately this doesn't work in staging yet because the entity_value is explicitly set to production here. I did however test it in production and it's working well. I will be adding support for staging today.

Edit: staging should be working now
Edit 2: Unfortunately entity_value = "*" doesn't work, so I've had to create a separate SPN for staging deploys: https://github.com/github/azure-rbac/pull/953

@camertron camertron temporarily deployed to github-pages May 30, 2023 17:51 — with GitHub Actions Inactive
@camertron camertron temporarily deployed to github-pages May 31, 2023 20:48 — with GitHub Actions Inactive
@camertron camertron temporarily deployed to staging June 6, 2023 23:19 — with GitHub Actions Inactive
@camertron
Copy link
Contributor Author

Had to submit the change in two PRs: https://github.com/github/azure-rbac/pull/970 https://github.com/github/azure-rbac/pull/971, but now everything appears to be working 🎉

@camertron camertron merged commit 4b81816 into main Jun 6, 2023
5 checks passed
@camertron camertron deleted the oidc_deploys branch June 6, 2023 23:23
@camertron camertron temporarily deployed to production June 6, 2023 23:23 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rezrah rezrah rezrah approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@camertron @rezrah