Azure / get-keyvault-secrets

Automate your GitHub workflows using Azure Action for Key Vault
MIT License

Support Managed Service Identity KeyVault access for Self-Hosted Runners #11

Open actions-devops opened 4 years ago

actions-devops commented 4 years ago

It would be helpful for this action to support Managed Service Identity (MSI) access to KeyVault for Self-Hosted runners running this GitHub action. This could reduce the need to store cloud secrets in GitHub secrets in order to access Azure KeyVault resources.

If I figure out how to do this I will submit a PR with this change.

Thanks, Aaron

N-Usha commented 4 years ago

Thanks Aaron. Please feel free to contribute.

heaths commented 4 years ago

Take a look at https://www.npmjs.com/package/@azure/keyvault-secrets. Our new libraries support easier authentication including MSI. This would also reduce maintenance costs with the helper classes you've defined. See https://www.npmjs.com/package/@azure/keyvault-secrets#getting-a-secret for a simple example.

heaths commented 4 years ago

I'm going to start work on this and add tests since our libraries also make it easy to mock the clients.

aaronba commented 4 years ago

I'm going to start work on this and add tests since our libraries also make it easy to mock the clients.

I did some more research on this, and isn't it possible to just have this work if we log in with az login --identity from the Azure Login task? Hopefully the creds would flow through.

It would be great to have tests too.

heaths commented 4 years ago

That feature work is planned.

heaths commented 4 years ago

It's also worth pointing out that a separate login step really isn't necessary since the clients will authenticate automatically as needed. A custom TokenCredential to read the same format could be added to a ChainedTokenCredential along with DefaultAzureCredential to be back-compat. This is what I was planning in the interim. That TokenCredential could also go in the shared lib.
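
As an added illustration (not code from this action or from @azure/identity) of the chain described in the comment above: a custom TokenCredential that reads the action's existing secret-based input sits ahead of an MSI-style credential, so a self-hosted runner with a managed identity needs no stored secret while old workflows keep working. The TokenCredential and AccessToken shapes mirror the @azure/core-auth interface; the chain class, the legacy input format and the managed-identity stub are assumed stand-ins so the example runs offline.

```typescript
// TokenCredential / AccessToken mirror @azure/core-auth; everything else here is a stand-in.
interface AccessToken { token: string; expiresOnTimestamp: number; }
interface TokenCredential {
  getToken(scopes: string | string[]): Promise<AccessToken | null>;
}

// Thrown by a credential that cannot run in this environment (like CredentialUnavailableError
// in @azure/identity): the chain moves on. Any other error is fatal and surfaces to the caller.
class CredentialUnavailable extends Error {}

// Assumed legacy input: the service-principal JSON the action reads today (constructed shape).
interface LegacyCreds { clientId: string; clientSecret: string; tenantId: string; }

// Back-compat credential: uses the existing secret input if present, otherwise steps aside.
class LegacyInputCredential implements TokenCredential {
  constructor(private raw: string | undefined,
              private exchange: (c: LegacyCreds, scope: string) => Promise<string>) {}
  async getToken(scopes: string | string[]): Promise<AccessToken | null> {
    if (!this.raw) throw new CredentialUnavailable("no legacy credentials input");
    const creds = JSON.parse(this.raw) as LegacyCreds;
    const scope = Array.isArray(scopes) ? scopes[0] : scopes;
    return { token: await this.exchange(creds, scope), expiresOnTimestamp: Date.now() + 3600_000 };
  }
}

// Minimal stand-in for ChainedTokenCredential: first credential that yields a token wins,
// "unavailable" ones are skipped, anything else propagates.
class ChainedCredential implements TokenCredential {
  constructor(private sources: TokenCredential[]) {}
  async getToken(scopes: string | string[]): Promise<AccessToken> {
    for (const s of this.sources) {
      try { const t = await s.getToken(scopes); if (t) return t; }
      catch (e) { if (!(e instanceof CredentialUnavailable)) throw e; }
    }
    throw new Error("no credential in the chain could authenticate");
  }
}

// Stand-in for the MSI path (DefaultAzureCredential on a self-hosted runner): no secret input.
const managedIdentityStub: TokenCredential = {
  async getToken() { return { token: "msi-token", expiresOnTimestamp: Date.now() + 3600_000 }; },
};

// Resolve a Key Vault token: legacy input first (if configured), then managed identity.
async function resolveToken(legacyInput: string | undefined): Promise<string> {
  const chain = new ChainedCredential([
    new LegacyInputCredential(legacyInput, async (c) => `sp-token-for-${c.clientId}`),
    managedIdentityStub,
  ]);
  return (await chain.getToken("https://vault.azure.net/.default")).token;
}
```

The resulting credential would be handed to SecretClient from @azure/keyvault-secrets in place of the action's current helper classes.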

heaths commented 4 years ago

@actions-devops how are you running the agent as an MSI? I would like to set up a repro/test environment but haven't been able to figure out how to do this. Or is it just to run "az login" using MSI?

kanika1894 commented 3 years ago

@actions-devops/ @aaronba any inputs here?

github-actions[bot] commented 3 years ago

This issue is idle because it has been open for 14 days with no activity.