aws / aws-toolkit-azure-devops

AWS Toolkit for Azure DevOps
235 stars, 100 forks

Support for OIDC to authenticate without long lived credentials #521

Open MartijnKooij opened 1 year ago

MartijnKooij commented 1 year ago

We would like to harden the security of our Azure DevOps pipelines by removing the need for long lived access tokens.

I could try to come up with how this should work myself, but I think others have done a better job at describing that already. This feature is already available in at least GitHub and GitLab (and according to the zero trust presentation at the AWS Summit in Amsterdam many others).

The docs for this feature here on GitHub: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

The docs for this feature on GitLab: https://docs.gitlab.com/ee/ci/cloud_services/aws/

Currently we are considering building key rotation services to harden our security. This will be quite some effort to build and maintain and still means we are using long lived tokens.

geekzter commented 6 months ago

The links above pertain to GitHub Actions. This blog post explains how to get an idToken for a task. This requires a service connection configuration time change as well.

MartijnKooij commented 6 months ago

I'm not sure if that article is relevant to my question @geekzter. Although I must admit I only skimmed through it.

My request is directed at AWS to add support for oidc inside their azure toolkit so that we can use AWS tasks in our pipeline without relying on long lived credentials.

para0056 commented 5 months ago

Bumping for awareness.

This would be an extremely useful feature and would be in-line with AWS best practices to use temporary credentials whenever possible.

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles

jackmtpt commented 4 months ago

Not having this makes AWS feel like a downgrade from Azure

davidcorrigan714 commented 2 months ago

Starting to poke at implementing this and almost have it working with the CLI task, which I'm guessing will mean all the TypeScript-based tasks will fall into line, and then I can start getting feedback on the implementation from everyone, especially whoever is maintaining this code on the AWS side.

The most annoying part is going to be documenting how to configure AWS with the proper claims for the OIDC token. Microsoft didn't quite finish the OIDC support for third party service connection extensions last year so it works, but it's not as nice as it should be - like not having a nice way to show the user the JWT claims in the service connection configuration panel 🤦‍♂️.

davidcorrigan714 commented 2 months ago

Seems to work nicely, handful of things to clean up & I need to do the powershell side then I can put up a PR. Here's what I got so far though:

Service Connection with no credentials: [screenshot]

The task gets an OIDC token to authenticate to AWS, which authenticates to the OIDC provider & roles I configured in AWS: [screenshot]

HenrikStanley commented 2 months ago

We are looking into this issue as well and need support for OIDC.

I can see that Laurens Knoll from Xebia has managed to make it work using the Azure DevOps OIDC provider for OIDC with GCP.

Described in this blogpost https://xebia.com/blog/how-to-configure-google-cloud-workload-identity-federation-for-azure-devops/

The Azure DevOps plugin is on GH. The same method for getting the idToken from the Azure DevOps provider should be possible. https://github.com/binxio/azure-devops-extensions/tree/master/google/google-cloud-auth/tasks/gcp-wif-auth

@davidcorrigan714 If you need anyone to review a PR, I would be happy to give it a look

davidcorrigan714 commented 2 months ago

Yup, that's how it all works. Microsoft's code has been on GH for over a year now iirc as they were developing it for Azure tasks throughout all last year. Hit some snags on Friday making sure the plugin still works on-prem without OIDC, my solution isn't quite as awesome as I'd like but I think it'll suffice. Need to update the README.md file then I'll open a PR. Unfortunately their docs are no longer sourced from GH so hopefully someone from AWS can update the official User Guide too.

davidcorrigan714 commented 2 months ago

@HenrikStanley You're welcome to check out my WIP here. Skimming it, I've got some other code tidying up to do, and it seems my VSCode formatting settings made some unnecessary formatting changes I'll probably back out to declutter the PR.

dilv0055 commented 1 month ago

@davidcorrigan714 - Thanks for the update. May I know when we can expect this feature to be rolled out to the Azure DevOps marketplace extension, so we can set our roadmap? Appreciate your help here.