Will kubernetes service connections in azure devops work with an AKS cluster that is bound to AAD via openidconnect? Logging into such clusters goes through an openidconnect flow that involves a device login + browser. How is this possible w/ azure devops k8s service connections?
Will kubernetes service connections in azure devops work with an AKS
cluster that is bound to AAD via openidconnect?
Unfortunately to say, no, this does not support until now.
According to your description, what you want to connect with in Azure Devops Kubernetes service connection is Azure Kubernetes service. This means you would select Azure Subscription in Choose authentication. BUT, this connection method is using Service Principal Authentication (SPA) to authenticate, which does not yet supported for the AKS that is bound with AAD auth.
If you connect your AKS cluster as part of your CI/CD deployment in Azure Devops, and attempt to get the cluster credentials. You would get a warning response which inform you to log in since the service principal cannot handle it:
WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code *** to authenticate.
You should familiar with this message, it needs you open a browser to login in to complete the device code authentication manually. But this could not be achieve in Azure Devops.
There has a such feature request raised on our forum which request us expand this feature to Support non-interactive login for AAD-integrated clusters. You can vote and comment there to advance the priority of this suggestion ticket. Then it could be considered into the develop plan by our Product Manager as soon as possible.
Though it could not be achieved directly. But there has 2 work around can for you refer now.
The first work around is change the Azure DevOps authenticate itself from AAD client to the server client.
Use az aks get-credentials command and specify the parameter --admin with it. This can help with bypassing the Azure AD auth since it can let you connect and retrieve the admin credentials which can work without Azure AD.
But, I do not recommend this method because subjectively, this method is ignoring the authentication rules set in AAD for security. If you want a quick method to achieve what you want and not too worry about the security, you can try with this.
The second one is using Kubernetes service accounts
You can follow this doc to create a service account. Then in Azure Devops, we could use this service account to communicate with AKS API. Here you also need to consider about the authorized IP address ranges in AKS.
After the service account created successfully, choose Service account in the service connection of Azure Devops:
Server URL: Get it from the AKS instance(API server address) in Azure portal, then do not forget append the https:// before it while you input it into this service connection.
Secret: Generate it by using command:
kubectl get secret -n <name of secret> -o yaml -n service-accounts
See this doc: Deploy Vault on Azure Kubernetes Service (AKS).
Then you can use this service connection in Azure Devops tasks.
Related
i am implementing CI/CD pipeline that needs to register an AAD Application with permissions to read/write into Site collections, this would mean that the pipeline itself need to have permission to 'Sites.FullControl.All'. I want to understand from the security perspective, if this is desirable, i.e., a pipeline having FullControl access to a SharePoint tenant. What are the recommended practices w.r.t. this, will the application registration in such scenarios be manually done by Ops team?
According to your description, it seems that you want to use the service connection in the Azure CI/CD pipeline.
We can create a service connection with Service principal (automatic) or Service principal (manual).
Use the following parameters to define and secure a connection to a Microsoft Azure subscription using Service Principal Authentication (SPA) or an Azure managed Service Identity.
Automated subscription detection. In this mode, Azure Pipelines
queries Azure for all of the subscriptions and instances to which you
have access. They use the credentials you're currently signed in with
in Azure Pipelines (including Microsoft accounts and School or Work
accounts).
If you don't see the subscription you want to use, sign out of Azure Pipelines and sign in again using the appropriate account credentials.
Manual subscription pipeline. In this mode, you must specify the
service principal you want to use to connect to Azure. The service
principal specifies the resources and the access levels that are
available over the connection.
For more information, you could refer to Azure Resource Manager service connection.
I am trying to upload build apk file in DigitalOcean by using Azure DevOps.
In AzureDevops,we have task called DigitalOcean Tools by using this we can upload the files in DigitalOcean.Below is the link for your reference.
https://marketplace.visualstudio.com/items?itemName=marcelo-formentao.digitalocean-tools&ssr=false#overview
I installed that task in my organization.
First it will ask for to create DigitalOcean Connection by using service endpoint in azure devops.
I Search in Service endpoint in Azure DevOps i didn't find Service connection for Digital Ocean(apart that I found gitlab,ssh,azure..eg i found for all these Service Connection).
My Question is which service connector i need to used for Digital Ocean?
Please help me on this
DigitalOcean Connection: It's based on AWS configuration (only Access Key ID and Secret Key ID is required).
You can choose AWS connection type to create DigitalOcean service endpoint connection in Azure DevOps. And fill the Access Key ID and Secret Key ID that you can get from your DigitalOcean.
Result
UPDATE
If you didn't find AWS end point connection, you should install AWS Toolkit for Azure DevOps extension in marketplace.Url:AWS Toolkit for Azure DevOps
After installing the extension, you would see AWS connection type in your service connection.I test in my devops and it works.
I see that Service Connection is a link between Azure Pipelines and Azure Subscription to trigger Pipelines.
But can I create a Service Connection and get client id and secret and use that to obtain access token. And with that access token I can run the Azure Pipeline via c# code with REST APIs?
Is this what a service connection used for ?
But can I create a Service Connection and get client id and secret and
use that to obtain access token.
You can generate token via this, but you can't use it in C# code to run the pipeline.
Service connection between 'Azure Pipelines and Azure Subscription' just for you to create an app in AAD, this will also create related Enterprise App(service principal) in Azure portal side.
The service principal can be assigned permissions in the Azure portal to access resources. Once the service principal has access to a resource at the Azure Portal, the devops pipeline using the service connection associated with the service principal will also have the same access.
The original purpose of the above is service connection design is to allow the pipeline to have access to the resources at the portal.
Why we can't use the app's clientid and secret to get an access token to run the pipeline?
It is clearly in this official document:
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
The Azure DevOps API doesn't support non-interactive service access
via service principals.
We have a release pipeline that is failing with following message:
resource ID for resource type 'Microsoft.Web/Sites' and resource name
'appservicename'. Error: Could not fetch access token for Managed
Service Principal. Please configure Managed Service Identity (MSI) for
virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400,
status message: Bad Request
We have 2 different service connections:
Azure Resource Manager using service principal authentication
Azure Resource Manager using managed identity authentication
The first one works like a charm. However, because the developer wanted to limit admin access on the Azure AD, he tried creating a managed identity authentication service connection which at first glance, since it allowed us to select the App Service, appeared to indicate it's working, until an actual deployment was triggered and it failed per the error message above.
After numerous searches online, I think this answer may be the clue to why this is failing with the managed identity authentication service connection yet succeeding with the service principal connection just fine.
I just want to confirm, is this truly the case? that a hosted agent doesn't support MSI based authentication, which is what we are using… or has that changed?
We are indeed using Microsoft agent pool.
It doesn't make sense for our app service to use a VM at this time. The use case just isn't applicable for the dashboards we have.
As it is written in the docs:
You are required to use a self-hosted agent on an Azure VM in order to use managed service identity
I assume that it was alway like that. Here we are talking abut MSI assigned to VM which serves as build agent. Not MSI which is identity of App Service. Why? Service Connection is an abstraction which makes easy authentication to your Azure Subscription. So it gives identity to VM and then when your perform some action against your Azure thanks to MSI Azure know that can perform that action. Another aption is authentication via Service Principal, but thi can be done from any VM (inlcuding MS Hosted) because it relies on Client Id and Client secret which is kept in service connections. And MSI have to be assigned to particular VM which cannot be done with MS Hosted agents.
Is it possible to install a self-hosted agent using a managed service account (MSA)?
Or is password input required when setting the service account?
You couldn’t directly connect an azure devops agent to Azure Devops Service with MSA.
Azure Devops Service supports to use PAT or Alternate Credentials (‘alt’ authentication method).
Azure Devops On-premise also supports ‘negotiate’ authentication method (Kerberos or NTLM).
It could be useful to know that the PAT token is only used during the initial configuration of the agent.
When the PAT expires or needs to be renewed, the agent will remain connected without issues.
If the agent runs as service mode, you could also configure the “logon account” in local service or re-configure the agent.
Here is a doc about the agent auth-type.