tfsaggregator / aggregator-cli

A new version of Aggregator aiming at Azure DevOps (ex Visual Studio Team Services)
https://tfsaggregator.github.io/
Apache License 2.0
74 stars 32 forks source link

Login using managed identity #279

Open marnheus opened 1 year ago

marnheus commented 1 year ago

The usage of managed identities to log into Azure DevOps is now available in public preview. What would be great would be to enable system assigned managed identity on the Azure Function app hosting the aggregator and using it to log into Azure DevOps.

That would eliminate the need to manage the PAT and it would make it much more clear in ADO who touched the history using an actual system identity.

Here's the doc : https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops

snydergd commented 11 months ago

Management of the PAT has been a big obstacle for us, since it makes the aggregator fairly unreliable - in particular because PATs become unusable after the owning user's password changes (interactive login to ADO as that user will restore their access -- however, for the generic ID we use for this, whose password changes frequently for security reasons, this creates quite a challenge). Even with the rotation problem aside, having to log in as the generic ID to create a PAT manually on a schedule, or maybe worse, using an individual human account to create the PAT, is kind of cumbersome.

Managed identity or even Service Principal would move this tool from being "eh, you can try it, but don't count on it", to "yes, this is a good way to solve the problem".