Support Azure CLI login for AzureAD and Azure DevOps #12516
Hi @bishal-pdMSFT, can you please review and provide feedback on this small but impactful PR?
Thanks @mbrancato for raising the PR. I will take a look by EOD today.
@mbrancato one problem with this change is that in the release editor, the "Azure subscription" drop-down only lists the service connections which are scoped to subscription scope. Hence this change won't prove very useful.
Hi @bishal-pdMSFT - That may be only a problem with the "release editor". I don't know what that is and don't use this. When writing pipelines with YAML we may specify any service connection by name, and there seems to be no filtering except by type. So while that may not be seen as a help here, if this change doesn't affect that workflow negatively, it still helps my workflow of using YAML pipelines. I think the problem is I'm probably using the authentication from this task a bit more broadly than it was originally thought to serve. Specifically, I'm using this for infrastructure builds and we don't use "classic" release pipelines. But in many cases, my service principal does not have direct access to Azure, but it does have identity. And that is what we need, an identity we can validate of the pipeline.
Yes, for YAML it should work fine.
@mbrancato I have suggested a couple more changes which will make it generic so that any ARM service connection scope can be used.
@issacnitin can you please review this PR?
@mbrancato please update the patch version specified in task.json.
IMO if we remove this filter logic then the change will work even for the legacy release editor. What do you think, @issacnitin?
Yes, that should do it. We should rename the variables and text to say "Azure Service Connection"/"ARM Service Connection", since we're not tied down to subscription-scoped SPN any more.
from the root of the repository once you've your changes made. Commit the generated files as well. We'll do testing from our side and check-in the PR
Thanks @mbrancato this looks good to me.
* Support Azure CLI login for AzureAD and Azure DevOps
* Set subscription only if parameter is set
* Increment task version

Co-authored-by: Mike Brancato <mbrancato@humana.com>
Co-authored-by: Nitin Issac Joy <nijoy@microsoft.com>
#12946)
* Support Azure CLI login for AzureAD and Azure DevOps (#12516)
* Support Azure CLI login for AzureAD and Azure DevOps
* Set subscription only if parameter is set
* Increment task version

Co-authored-by: Mike Brancato <mbrancato@humana.com>
Co-authored-by: Nitin Issac Joy <nijoy@microsoft.com>

* Support for Azure Management Group in Azure CLI V2 task (#12922)
* Support for management group in Azure CLI
* Updating text
* Review comments
* Updating task version

Co-authored-by: Mike Brancato <mbrancato@users.noreply.github.com>
Co-authored-by: Mike Brancato <mbrancato@humana.com>
#12947)
* Support Azure CLI login for AzureAD and Azure DevOps (#12516)
* Support Azure CLI login for AzureAD and Azure DevOps
* Set subscription only if parameter is set
* Increment task version

Co-authored-by: Mike Brancato <mbrancato@humana.com>
Co-authored-by: Nitin Issac Joy <nijoy@microsoft.com>

* Support for Azure Management Group in Azure CLI V2 task (#12922)
* Support for management group in Azure CLI
* Updating text
* Review comments
* Updating task version

Co-authored-by: Mike Brancato <mbrancato@users.noreply.github.com>
Co-authored-by: Mike Brancato <mbrancato@humana.com>
Allows `az login` authentication to work even when the identity being used is not authorized to access any Azure resources.

Fixes #11846