Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use managed identity with OpenID Connect for Azure login #2182

Merged
merged 15 commits into from
Nov 12, 2024

Conversation

SimonYansenZhao
Copy link
Collaborator

@SimonYansenZhao SimonYansenZhao commented Oct 27, 2024

Description

This PR resolves

Related Issues

References

Checklist:

  • I have followed the contribution guidelines and code style for this project.
  • I have added tests covering my contributions.
  • I have updated the documentation accordingly.
  • I have signed the commits, e.g. git commit -s -m "your commit message".
  • This PR is being made to staging branch AND NOT TO main branch.

Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Copy link
Collaborator

@miguelgfierro miguelgfierro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SimonYansenZhao I added the federated credential, let me know if it works

@miguelgfierro
Copy link
Collaborator

@SimonYansenZhao it seems it is working now. I had to go to the Azure portal and add a federated credential with the name of your branch. I tried with the pull request option, and didn't work, and tried to add * as a wildcard branch, but it doesn't work either. It seems there is a way to programmatically create federeated credentials using a request:

POST https://graph.microsoft.com/v1.0/applications/{application-id}/federatedIdentityCredentials
Content-Type: application/json
Authorization: Bearer {access-token}

Replace {application-id} with your Azure AD application's object ID and {access-token} with a valid Microsoft Graph access token with the required permissions.

Request Body Example
json
Copy code
{
"name": "GitHubActionsFederatedCredential",
"issuer": "https://token.actions.githubusercontent.com",
"subject": "repo:recommenders-team/recommenders:ref:refs/heads/NAME_OF_THE_CURRENT_BRANCH",
"description": "Federated credential for GitHub Actions",
"audiences": [
"api://AzureADTokenExchange"
]
}
Explanation of the Request Body Fields
name: A unique name for the federated identity credential within your application.
issuer: Set to https://token.actions.githubusercontent.com for GitHub Actions.
subject: The subject claim format, e.g., repo:owner/repo:ref:refs/heads/branch.
description: (Optional) A description of the credential.
audiences: Specifies who can use this credential; for GitHub Actions, use "api://AzureADTokenExchange".

One unkonwn still is how to enable this solution to execute the nightly builds in staging and main.

@miguelgfierro
Copy link
Collaborator

There is a new error, but not of authentication:

Pytest logs
  /opt/hostedtoolcache/Python/3.10.15/x64/lib/python3.10/site-packages/azureml/mlflow/_protos/aml_service_pb2.py:10: UserWarning: google.protobuf.service module is deprecated. RPC implementations should provide code generator plugins which generate code specific to the RPC implementation. service.py will be removed in Jan 2025
    from google.protobuf import service as _service
  Downloading artifacts:   0%|          | 0/1 [00:00<?, ?it/s]
  Downloading artifacts: 100%|██████████| 1/1 [00:00<00:00,  1.33it/s]
  Downloading artifacts: 100%|██████████| 1/1 [00:00<00:00,  1.33it/s]
  Downloading artifacts: 100%|██████████| 1/1 [00:00<00:00,  1.33it/s]
  Traceback (most recent call last):
    File "/home/runner/work/recommenders/recommenders/tests/ci/azureml_tests/post_pytest.py", line 93, in <module>
      with open(pathlib.Path(args.log_dir) / log_path, "r") as file:
  FileNotFoundError: [Errno 2] No such file or directory: 'test_logs/user_logs/std_log.txt'

@SimonYansenZhao
Copy link
Collaborator Author

There is a new error, but not of authentication:

Pytest logs
  /opt/hostedtoolcache/Python/3.10.15/x64/lib/python3.10/site-packages/azureml/mlflow/_protos/aml_service_pb2.py:10: UserWarning: google.protobuf.service module is deprecated. RPC implementations should provide code generator plugins which generate code specific to the RPC implementation. service.py will be removed in Jan 2025
    from google.protobuf import service as _service
  Downloading artifacts:   0%|          | 0/1 [00:00<?, ?it/s]
  Downloading artifacts: 100%|██████████| 1/1 [00:00<00:00,  1.33it/s]
  Downloading artifacts: 100%|██████████| 1/1 [00:00<00:00,  1.33it/s]
  Downloading artifacts: 100%|██████████| 1/1 [00:00<00:00,  1.33it/s]
  Traceback (most recent call last):
    File "/home/runner/work/recommenders/recommenders/tests/ci/azureml_tests/post_pytest.py", line 93, in <module>
      with open(pathlib.Path(args.log_dir) / log_path, "r") as file:
  FileNotFoundError: [Errno 2] No such file or directory: 'test_logs/user_logs/std_log.txt'

Not sure what's going on. I downloaded the artifact generated by the test, and did find std_log.txt in it. 🤣

@SimonYansenZhao
Copy link
Collaborator Author

@SimonYansenZhao it seems it is working now. I had to go to the Azure portal and add a federated credential with the name of your branch. I tried with the pull request option, and didn't work, and tried to add * as a wildcard branch, but it doesn't work either. It seems there is a way to programmatically create federeated credentials using a request:

POST https://graph.microsoft.com/v1.0/applications/{application-id}/federatedIdentityCredentials
Content-Type: application/json
Authorization: Bearer {access-token}

Replace {application-id} with your Azure AD application's object ID and {access-token} with a valid Microsoft Graph access token with the required permissions.

Request Body Example json Copy code { "name": "GitHubActionsFederatedCredential", "issuer": "https://token.actions.githubusercontent.com", "subject": "repo:recommenders-team/recommenders:ref:refs/heads/NAME_OF_THE_CURRENT_BRANCH", "description": "Federated credential for GitHub Actions", "audiences": [ "api://AzureADTokenExchange" ] } Explanation of the Request Body Fields name: A unique name for the federated identity credential within your application. issuer: Set to https://token.actions.githubusercontent.com for GitHub Actions. subject: The subject claim format, e.g., repo:owner/repo:ref:refs/heads/branch. description: (Optional) A description of the credential. audiences: Specifies who can use this credential; for GitHub Actions, use "api://AzureADTokenExchange".

One unkonwn still is how to enable this solution to execute the nightly builds in staging and main.

Ah, I see. This PR does not trigger the workflow, so manual triggering does not match the subject repo:recommenders-team/recommenders:pull_request.

Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
Signed-off-by: Simon Zhao <simonyansenzhao@gmail.com>
@SimonYansenZhao SimonYansenZhao merged commit 12bc1e4 into staging Nov 12, 2024
38 checks passed
@SimonYansenZhao SimonYansenZhao deleted the simonz/oidc branch November 12, 2024 00:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants