From e3823f9e40bc98e581b1f7f0206dfa4223d50f25 Mon Sep 17 00:00:00 2001 From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Tue, 10 Feb 2026 10:48:41 +0000 Subject: [PATCH 1/4] oidc vars to devcontainer --- .../devcontainer_run_command/action.yml | 16 ++++---------- CHANGELOG.md | 1 + devops/scripts/bootstrap_azure_env.sh | 22 ++++--------------- 3 files changed, 9 insertions(+), 30 deletions(-) diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml index 07182e98f..e562afd31 100644 --- a/.github/actions/devcontainer_run_command/action.yml +++ b/.github/actions/devcontainer_run_command/action.yml @@ -223,17 +223,6 @@ runs: run: | echo "ACR_DOMAIN_SUFFIX=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)" >> $GITHUB_ENV - - name: Get GitHub OIDC Token - id: get_oidc_token - shell: bash - run: | - # Request the GitHub OIDC token for federated authentication - OIDC_TOKEN=$(curl -sLS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" | jq -r '.value') - - # Write token to a temporary file for safe transport into container - echo "$OIDC_TOKEN" > /tmp/github_oidc_token - chmod 600 /tmp/github_oidc_token - - name: Run command in DevContainer shell: bash run: | @@ -250,7 +239,7 @@ runs: "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \ -v /var/run/docker.sock:/var/run/docker.sock \ -v "./command.sh:/workspaces/tre/command.sh" \ - -v "/tmp/github_oidc_token:/tmp/github_oidc_token:ro" \ + -v "$HOME/.azure:/home/vscode/.azure" \ --workdir /workspaces/tre \ --user vscode \ -e TF_INPUT="0" \ 
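Review bot: The replacement bind mount `-v "$HOME/.azure:/home/vscode/.azure"` in the second hunk hands the container the runner's whole Azure CLI profile read-write, where the mount it replaces exposed a single token file and was `:ro`; whatever runs inside (the mounted `command.sh` and anything it executes) can now read and rewrite the host's cached CLI session. The mount also carries no comment saying what is expected to be in `$HOME/.azure` at this point — presumably a session established by an earlier login step in the calling workflow, which is not visible from here. Suggest a comment above the line such as `# Share the runner's Azure CLI session with the container; presumes an earlier az login in the workflow` and, if nothing inside needs to refresh that session, restoring `:ro` on the mount. The `docker run` command these lines belong to starts and ends outside the hunk.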
@@ -267,6 +256,9 @@ runs: -e ARM_CLIENT_ID="${{ inputs.AZURE_CLIENT_ID }}" \ -e ARM_TENANT_ID="${{ inputs.AZURE_TENANT_ID }}" \ -e ARM_SUBSCRIPTION_ID="${{ inputs.AZURE_SUBSCRIPTION_ID }}" \ + -e ARM_USE_OIDC="true" \ + -e ACTIONS_ID_TOKEN_REQUEST_URL \ + -e ACTIONS_ID_TOKEN_REQUEST_TOKEN \ -e TF_VAR_terraform_state_container_name="${{ (inputs.TERRAFORM_STATE_CONTAINER_NAME != '' && inputs.TERRAFORM_STATE_CONTAINER_NAME) || 'tfstate' }}" \ -e TF_VAR_mgmt_storage_account_name="${{ inputs.MGMT_STORAGE_ACCOUNT_NAME }}" \ diff --git a/CHANGELOG.md b/CHANGELOG.md index 009ae0ff8..55f6eee60 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ ENHANCEMENTS: * Add interactive browser login method to TRE CLI for easier authentication ([#4856](https://github.com/microsoft/AzureTRE/issues/4856)) * Harden security of the app gateway. ([#4863](https://github.com/microsoft/AzureTRE/pull/4863)) +* Pass OIDC vars directly to the devcontainer ([#4870](https://github.com/microsoft/AzureTRE/issues/4870)) BUG FIXES: * Fix property substitution not occuring where there is only a main step in the pipeline ([#4824](https://github.com/microsoft/AzureTRE/issues/4824)) diff --git a/devops/scripts/bootstrap_azure_env.sh b/devops/scripts/bootstrap_azure_env.sh index 59c10b27b..51310d813 100755 --- a/devops/scripts/bootstrap_azure_env.sh +++ b/devops/scripts/bootstrap_azure_env.sh 
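Review bot: `-e ACTIONS_ID_TOKEN_REQUEST_TOKEN` forwards the job's token-minting credential itself rather than a minted token, so any process in the container can request GitHub OIDC tokens for any audience until the job ends; the step deleted in the first hunk only ever exposed one token bound to `api://AzureADTokenExchange`. The rationale appears to be the short-lived-token problem described in the comment removed from bootstrap_azure_env.sh in patch 3, since this lets the azurerm provider re-mint as needed, but that reasoning should sit next to these lines rather than disappear with the deletion. Note also that `ARM_USE_OIDC="true"` is now set unconditionally while the bootstrap script still supports the ARM_CLIENT_SECRET path, and that `-e NAME` with no value passes nothing into the container when the job lacks `permissions: id-token: write`; both are worth stating. Suggested comment above the three added lines: `# Forward GitHub's OIDC request endpoint/token so the azurerm provider mints its own short-lived tokens (requires id-token: write; broader than a single audience-scoped token)`. The `docker run` command continues outside the hunk.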
@@ -28,26 +28,12 @@ load_environment_config() {
 ensure_automation_login() {
 if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
- az cloud set --name "${AZURE_ENVIRONMENT}"
-
- # Use OIDC-based login for GitHub Actions
- if [[ -f "/tmp/github_oidc_token" ]]; then
- # Use the GitHub OIDC token from file for federated authentication
- az login --service-principal \
- --username "${ARM_CLIENT_ID}" \
- --tenant "${ARM_TENANT_ID}" \
- --allow-no-subscriptions \
- --federated-token "$(cat /tmp/github_oidc_token)"
- elif [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
- # Fallback to classic service principal login (for backwards compatibility)
- echo "Warning: Using classic service principal authentication. Consider migrating to OIDC."
+ if [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
+ echo "Warning: Using classic service principal authentication."
+ az cloud set --name "${AZURE_ENVIRONMENT}"
 az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
- else
- echo "Error: No authentication method available (OIDC token or client secret required)"
- exit 1
+ az account set -s "${ARM_SUBSCRIPTION_ID}"
 fi
-
- az account set -s "${ARM_SUBSCRIPTION_ID}"
 fi
 }
From 122c0f44834cad8d2bad6e0b6fa4eebcc108da28 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Tue, 10 Feb 2026 10:53:30 +0000
Subject: [PATCH 2/4] changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 55f6eee60..11ea8f59a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
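Review bot: The removed `else` branch was the only fail-fast for automation runs, and `az cloud set` / `az account set -s "${ARM_SUBSCRIPTION_ID}"` now run only on the client-secret path, so with TF_IN_AUTOMATION set and no ARM_CLIENT_SECRET the function silently returns and later `az` calls (set_account_context in patch 3 reports the logged-on user's subscription) inherit whatever default subscription and cloud the mounted CLI profile happens to carry, which need not be ARM_SUBSCRIPTION_ID. If the OIDC path is meant to rely on a CLI session shared from the host, check that such a session exists and pin the subscription on both paths; the rewrite below keeps the secret branch as committed and adds that guard, while whether `az cloud set` should also run on the OIDC path depends on how the host session was created. Sending the "Warning:" line to stderr would additionally keep it out of any captured stdout. The whole function is visible within the hunk.
```shell
ensure_automation_login() {
  if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
    if [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
      # … unchanged: warning, az cloud set, az login --service-principal …
    elif ! az account show --output none 2>/dev/null; then
      echo "Error: no Azure CLI session available and ARM_CLIENT_SECRET is not set" >&2
      exit 1
    fi
    az account set -s "${ARM_SUBSCRIPTION_ID}"
  fi
}
```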
@@ -6,7 +6,7 @@ ENHANCEMENTS:
 * Add interactive browser login method to TRE CLI for easier authentication ([#4856](https://github.com/microsoft/AzureTRE/issues/4856))
 * Harden security of the app gateway. ([#4863](https://github.com/microsoft/AzureTRE/pull/4863))
-* Pass OIDC vars directly to the devcontainer ([#4870](https://github.com/microsoft/AzureTRE/issues/4870))
+* Pass OIDC vars directly to the devcontainer ([#4871c](https://github.com/microsoft/AzureTRE/issues/4871))
 BUG FIXES:
 * Fix property substitution not occuring where there is only a main step in the pipeline ([#4824](https://github.com/microsoft/AzureTRE/issues/4824))
From 6669c910710607ef2dcd37e60db1d304a54074c3 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Tue, 10 Feb 2026 13:21:31 +0000
Subject: [PATCH 3/4] remove use_cli
---
 devops/scripts/bootstrap_azure_env.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/devops/scripts/bootstrap_azure_env.sh b/devops/scripts/bootstrap_azure_env.sh
index 51310d813..3b0868cbc 100755
--- a/devops/scripts/bootstrap_azure_env.sh
+++ b/devops/scripts/bootstrap_azure_env.sh
@@ -53,11 +53,6 @@ set_account_context() {
 export ARM_STORAGE_USE_AZUREAD=true
 export ARM_USE_AZUREAD=true
- # Force Terraform to use Azure CLI authentication. GitHub Actions OIDC
- # (federated) tokens are short-lived and are not reliably available inside
- # the devcontainer after their initial lifetime, which can cause Terraform
- # authentication to fail. Using ARM_USE_CLI=true avoids this issue.
- export ARM_USE_CLI=true
 echo -e "\e[34m»»» 🔨 \e[96mAzure details from logged on user \e[0m"
 echo -e "\e[34m»»» • \e[96mSubscription: \e[33m${subscription_name}\e[0m"
From c1ead67b4d8e35817d60a722a24d6e144619b5ee Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Tue, 10 Feb 2026 15:25:08 +0200
Subject: [PATCH 4/4] Update CHANGELOG.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11ea8f59a..e9da0f3fd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ ENHANCEMENTS:
 * Add interactive browser login method to TRE CLI for easier authentication ([#4856](https://github.com/microsoft/AzureTRE/issues/4856))
 * Harden security of the app gateway. ([#4863](https://github.com/microsoft/AzureTRE/pull/4863))
-* Pass OIDC vars directly to the devcontainer ([#4871c](https://github.com/microsoft/AzureTRE/issues/4871))
+* Pass OIDC vars directly to the devcontainer ([#4871](https://github.com/microsoft/AzureTRE/issues/4871))
 BUG FIXES:
 * Fix property substitution not occuring where there is only a main step in the pipeline ([#4824](https://github.com/microsoft/AzureTRE/issues/4824))