Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

authentication issues #146

Closed
gleb-boushev-effem opened this issue Jan 1, 2024 · 5 comments · Fixed by #157
Closed

authentication issues #146

gleb-boushev-effem opened this issue Jan 1, 2024 · 5 comments · Fixed by #157
Labels
question Further information is requested

Comments

@gleb-boushev-effem
Copy link

gleb-boushev-effem commented Jan 1, 2024
edited
Loading

trying to integrate into the GH actions pipeline I'm getting the following:

Error: describe-key command failed: ERROR: Azure CLI authentication failed due to an unknown error. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azclicredential/troubleshoot ERROR: Tenant shouldn't be specified for managed identity account

I'm seeing in the code its using DefaultAzureCredential and, somehow, fails at the cli auth. I do use az login --identity --username xyz for managed identity login and the agent itself is also capable of doing OIDC auth, yet somehow it still fails.

to clarify: az acr login works in the same job and i can succesfully push to the acr

Also looking at the code there appears to be no way to tweak the way you login (or pass existing token)
@yizha1
Copy link
Collaborator

yizha1 commented Jan 2, 2024

@JeyJeyGao Would you mind taking a look at this issue?

@gleb-boushev-effem Are you using notation GitHub actions ? @FeynmanZhou would you mind sharing the guideline on GitHub actions with AKV plugin experience?

@FeynmanZhou
Copy link
Member

FeynmanZhou commented Jan 2, 2024
edited
Loading

Hi @gleb-boushev-effem ,

There are two ways to connect GitHub Actions with your ACR and AKV:

Could you please try to follow this guideline to authenticate Azure services and use Notation GH Action?

@FeynmanZhou FeynmanZhou added the question Further information is requested label Jan 2, 2024
@JeyJeyGao
Copy link
Collaborator

Hi @gleb-boushev-effem , could you provide more context about this issue? The ManagedIdentityCredential is designed to work on various Azure hosts that provide a managed identity. However, I want to reproduce the issue but am not sure how to use managed identity on GitHub action agents.

@JeyJeyGao
Copy link
Collaborator

Hi @gleb-boushev-effem, I found a potentially related issue that was fixed in Azure.Identity. Therefore, I bumped up the version of Azure.Identity and created a private release. Please give it a try.

If it doesn't work, could you try a different authentication method provided by @FeynmanZhou , or provide detailed steps to reproduce the issue?

Thank you!

@yizha1
Copy link
Collaborator

yizha1 commented Mar 6, 2024

@gleb-boushev-effem Would you mind providing any update on whether the private release from @JeyJeyGao solves your problem?

@JeyJeyGao JeyJeyGao mentioned this issue Mar 28, 2024
Merged
JeyJeyGao added a commit that referenced this issue Apr 11, 2024
@JeyJeyGao
feat: add credential_type plugin config (#157)
53bdb04 
Feat:
- added creential_type plugin config key
- supported credential type: default, environment, managedidentity,
azurecli

Test:
- unit test cases
- e2e test cases
- tested environment credential, workload identity credential, managed
identity in pod of AKS
- tested Azure cli credential locally

Resolves #146 #154 
Signed-off-by: Junjie Gao <[email protected]>

---------

Signed-off-by: Junjie Gao <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add credential_type plugin config Azure/notation-azure-kv
4 participants
@FeynmanZhou @JeyJeyGao @yizha1 @gleb-boushev-effem