diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index 07182e98f..e562afd31 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -223,17 +223,6 @@ runs:
 run: |
 echo "ACR_DOMAIN_SUFFIX=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)" >> $GITHUB_ENV
 
- - name: Get GitHub OIDC Token
- id: get_oidc_token
- shell: bash
- run: |
- # Request the GitHub OIDC token for federated authentication
- OIDC_TOKEN=$(curl -sLS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" | jq -r '.value')
-
- # Write token to a temporary file for safe transport into container
- echo "$OIDC_TOKEN" > /tmp/github_oidc_token
- chmod 600 /tmp/github_oidc_token
-
 - name: Run command in DevContainer
 shell: bash
 run: |
@@ -250,7 +239,7 @@ runs:
 "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v "./command.sh:/workspaces/tre/command.sh" \
- -v "/tmp/github_oidc_token:/tmp/github_oidc_token:ro" \
+ -v "$HOME/.azure:/home/vscode/.azure" \
 --workdir /workspaces/tre \
 --user vscode \
 -e TF_INPUT="0" \
@@ -267,6 +256,9 @@ runs:
 -e ARM_CLIENT_ID="${{ inputs.AZURE_CLIENT_ID }}" \
 -e ARM_TENANT_ID="${{ inputs.AZURE_TENANT_ID }}" \
 -e ARM_SUBSCRIPTION_ID="${{ inputs.AZURE_SUBSCRIPTION_ID }}" \
+ -e ARM_USE_OIDC="true" \
+ -e ACTIONS_ID_TOKEN_REQUEST_URL \
+ -e ACTIONS_ID_TOKEN_REQUEST_TOKEN \
 -e TF_VAR_terraform_state_container_name="${{ (inputs.TERRAFORM_STATE_CONTAINER_NAME != '' && inputs.TERRAFORM_STATE_CONTAINER_NAME) || 'tfstate' }}" \
 -e TF_VAR_mgmt_storage_account_name="${{ inputs.MGMT_STORAGE_ACCOUNT_NAME }}" \
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 009ae0ff8..e9da0f3fd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
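Review bot: The new `-v "$HOME/.azure:/home/vscode/.azure"` mount in the second hunk is read-write, whereas the token mount it replaces was `:ro`; the container can now alter the runner user's Azure CLI profile and token cache, and any code running in it (which also has `/var/run/docker.sock` from the line above) inherits whatever identity the runner has already logged in as. A read-only mount may not be workable because `az` refreshes its cache on use, so if rw is deliberate record it next to the mount: `# rw: az refreshes its token cache here; the container can also modify the runner's CLI login`. The host directory belongs to the runner user while the container runs as `--user vscode`; whether those UIDs match on the runners is not visible here, so a permission failure on first `az` call is worth an explicit check in the bootstrap script rather than an opaque Terraform error.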
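Review bot: `-e ACTIONS_ID_TOKEN_REQUEST_TOKEN` in the third hunk hands the runner's token-request credential to every process in the container as an environment variable and exposes it in plain text to `docker inspect` on the host, whereas the removed step shipped only one already-minted OIDC token through a mode-600 file. Passing it is what lets the azurerm provider mint tokens itself under `ARM_USE_OIDC`, so the change is understandable, but the widened exposure should be recorded on the line: `# ACTIONS_ID_TOKEN_REQUEST_*: lets the azurerm provider mint OIDC tokens itself; treat as a secret (visible via docker inspect)`. Because the same container also mounts the Docker socket, anything executed via `command.sh` effectively holds this credential, which is worth stating in the action's input documentation as well.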
@@ -6,6 +6,7 @@
 ENHANCEMENTS:
 * Add interactive browser login method to TRE CLI for easier authentication ([#4856](https://github.com/microsoft/AzureTRE/issues/4856))
 * Harden security of the app gateway. ([#4863](https://github.com/microsoft/AzureTRE/pull/4863))
+* Pass OIDC vars directly to the devcontainer ([#4871](https://github.com/microsoft/AzureTRE/issues/4871))
 
 BUG FIXES:
 * Fix property substitution not occuring where there is only a main step in the pipeline ([#4824](https://github.com/microsoft/AzureTRE/issues/4824))
diff --git a/devops/scripts/bootstrap_azure_env.sh b/devops/scripts/bootstrap_azure_env.sh
index 59c10b27b..3b0868cbc 100755
--- a/devops/scripts/bootstrap_azure_env.sh
+++ b/devops/scripts/bootstrap_azure_env.sh
@@ -28,26 +28,12 @@ load_environment_config() {
 
 ensure_automation_login() {
 if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
- az cloud set --name "${AZURE_ENVIRONMENT}"
-
- # Use OIDC-based login for GitHub Actions
- if [[ -f "/tmp/github_oidc_token" ]]; then
- # Use the GitHub OIDC token from file for federated authentication
- az login --service-principal \
- --username "${ARM_CLIENT_ID}" \
- --tenant "${ARM_TENANT_ID}" \
- --allow-no-subscriptions \
- --federated-token "$(cat /tmp/github_oidc_token)"
- elif [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
- # Fallback to classic service principal login (for backwards compatibility)
- echo "Warning: Using classic service principal authentication. Consider migrating to OIDC."
+ if [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
+ echo "Warning: Using classic service principal authentication."
+ az cloud set --name "${AZURE_ENVIRONMENT}"
 az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
- else
- echo "Error: No authentication method available (OIDC token or client secret required)"
- exit 1
+ az account set -s "${ARM_SUBSCRIPTION_ID}"
 fi
-
- az account set -s "${ARM_SUBSCRIPTION_ID}"
 fi
 }
 
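Review bot: After this hunk `ensure_automation_login` silently does nothing when `TF_IN_AUTOMATION` is set but `ARM_CLIENT_SECRET` is empty, so the OIDC path depends entirely on an `az` login that already exists in the container (presumably the mounted `~/.azure`), and a missing or expired login now surfaces later as an opaque provider error instead of the explicit "No authentication method available" exit that was removed. Restore a fail-fast branch after the secret branch: `elif ! az account show >/dev/null 2>&1; then`, `echo "Error: no Azure CLI login available and ARM_CLIENT_SECRET is unset" >&2`, `exit 1`. `az cloud set` now runs only on the secret path, so on the OIDC path the cloud comes from whatever the mounted profile holds; a one-line comment stating that assumption would help the next reader. The unchanged `az login ... -p "${ARM_CLIENT_SECRET}"` line passes the secret on argv where `ps` can see it; that predates this change but is worth a follow-up since the branch is now the only in-script login.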
@@ -67,11 +53,6 @@ set_account_context() {
 export ARM_STORAGE_USE_AZUREAD=true
 export ARM_USE_AZUREAD=true
 
- # Force Terraform to use Azure CLI authentication. GitHub Actions OIDC
- # (federated) tokens are short-lived and are not reliably available inside
- # the devcontainer after their initial lifetime, which can cause Terraform
- # authentication to fail. Using ARM_USE_CLI=true avoids this issue.
- export ARM_USE_CLI=true
 
 echo -e "\e[34m»»» 🔨 \e[96mAzure details from logged on user \e[0m"
 echo -e "\e[34m»»» • \e[96mSubscription: \e[33m${subscription_name}\e[0m"
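Review bot: With `export ARM_USE_CLI=true` and its explanatory comment removed, nothing in `set_account_context` records which Terraform authentication mode the script now expects, even though the adjacent `ARM_STORAGE_USE_AZUREAD`/`ARM_USE_AZUREAD` exports still configure the provider; a reader of this script alone cannot tell that the CI action sets `ARM_USE_OIDC=true` and that forcing CLI auth here would conflict with it. Add a comment where the block was removed, e.g. `# Terraform auth mode is selected by the caller (CI sets ARM_USE_OIDC=true); do not force ARM_USE_CLI here`. set_account_context starts before this hunk.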