From a3a707fe0012a813236bf9176a6b9c0fc563539b Mon Sep 17 00:00:00 2001
From: Aidan Feldman
Date: Fri, 18 Oct 2024 16:47:57 -0600
Subject: [PATCH 1/3] support authenticating with a service principal in Linux
---
 docs/pipelines/agents/docker.md | 38 +++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

diff --git a/docs/pipelines/agents/docker.md b/docs/pipelines/agents/docker.md
index e1ca0760eb0..f520aae5762 100644
--- a/docs/pipelines/agents/docker.md
+++ b/docs/pipelines/agents/docker.md
@@ -218,9 +218,9 @@ Next, create the Dockerfile.
 4. Save the following content to `~/azp-agent-in-docker/azp-agent-linux.dockerfile`:
 
- * For Alpine:
+ * For Alpine, using the technique described in [this issue](https://github.com/Azure/azure-cli/issues/19591):
 
 ```dockerfile
- FROM alpine
+ FROM python:3-alpine
 
 ENV TARGETARCH="linux-musl-x64"
 # Another option:
@@ -229,7 +229,11 @@ Next, create the Dockerfile.
 
 RUN apk update
 RUN apk upgrade
- RUN apk add bash curl git icu-libs jq
+ RUN apk add bash curl gcc git icu-libs jq musl-dev python3-dev libffi-dev openssl-dev cargo make
+
+ # Install Azure CLI
+ RUN pip install --upgrade pip
+ RUN pip install azure-cli
 
 WORKDIR /azp/
 
@@ -255,6 +259,9 @@ Next, create the Dockerfile.
 RUN apt upgrade -y
 RUN apt install -y curl git jq libicu70
 
+ # Install Azure CLI
+ RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+
 WORKDIR /azp/
 
 COPY ./start.sh ./
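Review bot: `RUN pip install azure-cli` in the Alpine hunk is unpinned, so every rebuild pulls whatever the current release and its full dependency tree happen to be on PyPI; the image is not reproducible and a regressed or compromised release lands silently, so pin it, e.g. `RUN pip install --no-cache-dir azure-cli==<pinned-version>`, and pin the base the same way (`FROM python:3-alpine` floats across Python minors; a minor tag such as `python:3.12-alpine` is safer). `RUN pip install --upgrade pip` has the same floating-version problem and is normally unnecessary on the official python images. The toolchain added to `apk add` (gcc, cargo, make and the -dev headers) exists only to compile azure-cli's dependencies, yet it stays in the image that later runs pipeline jobs; a builder stage that installs azure-cli and a final stage that copies the result would keep compilers out of the runtime image. The Dockerfile in the code fence continues outside the hunk.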
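Review bot: `RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash` in the Ubuntu hunk executes a remote script as root with no version pin and no integrity check, and because the `RUN` runs under plain `/bin/sh -c` without `pipefail` a failed or truncated download is masked by the pipe; without `-f`, an HTTP error body is itself fed to `bash`, so the build can succeed with no CLI installed or with whatever the redirect served that day. Prefer the package-repository route with an explicit `azure-cli=<pinned-version>` (Microsoft's Azure CLI install documentation also gives the manual apt-repository steps), or at minimum download the script to a file with `curl -fsSL`, compare it against a checksum recorded in the Dockerfile, and only then run it. `curl -fsSL … | bash` on its own improves failure detection but still does not make the result reproducible.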
@@ -293,6 +300,14 @@ Next, create the Dockerfile.
 exit 1
 fi
 
+ if [ -n "$AZP_CLIENTID" ]; then
+ echo "Using service principal credentials to get token"
+ az login --allow-no-subscriptions --service-principal --username "$AZP_CLIENTID" --password "$AZP_CLIENTSECRET" --tenant "$AZP_TENANTID"
+ # adapted from https://learn.microsoft.com/en-us/azure/databricks/dev-tools/user-aad-token
+ AZP_TOKEN=$(az account get-access-token --query accessToken --output tsv)
+ echo "Token retrieved"
+ fi
+
 if [ -z "${AZP_TOKEN_FILE}" ]; then
 if [ -z "${AZP_TOKEN}" ]; then
 echo 1>&2 "error: missing AZP_TOKEN environment variable"
@@ -303,6 +318,7 @@ Next, create the Dockerfile.
 echo -n "${AZP_TOKEN}" > "${AZP_TOKEN_FILE}"
 fi
 
+ unset AZP_CLIENTSECRET
 unset AZP_TOKEN
 
 if [ -n "${AZP_WORK}" ]; then
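Review bot: The `az login … --password "$AZP_CLIENTSECRET"` line puts the client secret on the command line, where any other process in the container can read it from the process list (`ps`, `/proc/<pid>/cmdline`) while the login runs; the `unset AZP_CLIENTSECRET` added in the second hunk is good hygiene for the environment but does nothing about that exposure, so consider a certificate credential (the CLI documents `--password` taking a PEM file path) or another mechanism that keeps secret material off argv. Neither `az login` nor the `AZP_TOKEN=$(az account get-access-token …)` assignment is checked: unless the script runs under `set -e` (its header is outside this hunk), a failed login leaves `AZP_TOKEN` empty and the script falls through to the unrelated "missing AZP_TOKEN environment variable" message, so add an explicit failure branch such as `az login … || { echo 1>&2 "error: az login failed"; exit 1; }`. `az account get-access-token` is called without `--resource`, so the token carries the CLI's default audience rather than one chosen for Azure DevOps; confirm against the service-principal registration page this PR links that the agent accepts that audience, and pass the resource explicitly if it does not.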
@@ -421,11 +437,25 @@ You can control the agent name, the agent pool, and the agent work directory by
 | Environment variable | Description |
 |----------------------|--------------------------------------------------------------|
 | AZP_URL | The URL of the Azure DevOps or Azure DevOps Server instance. |
-| AZP_TOKEN | [Personal Access Token (PAT)](../../organizations/accounts/use-personal-access-tokens-to-authenticate.md) with **Agent Pools (read, manage)** scope, created by a user who has permission to [configure agents](pools-queues.md#create-agent-pools), at `AZP_URL`. |
+| AZP_TOKEN | [Personal Access Token (PAT)](../../organizations/accounts/use-personal-access-tokens-to-authenticate.md) |
+| AZP_CLIENTID | [Service principal](../../pipelines/agents/service-principal-agent-registration.md) client ID |
+| AZP_CLIENTSECRET | Service principal client secret |
+| AZP_TENANTID | Service principal tenant ID |
 | AZP_AGENT_NAME | Agent name (default value: the container hostname). |
 | AZP_POOL | Agent pool name (default value: `Default`). |
 | AZP_WORK | Work directory (default value: `_work`). |
 
+### Authentication
+
+One of the following is required:
+
+- If using a PAT: `AZP_TOKEN`
+- If using a service principal: `AZP_CLIENTID`, `AZP_CLIENTSECRET`, and `AZP_TENANTID`
+
+### Authorization
+
+The token or service principal must have the **Agent Pools (read, manage)** scope at the Organization level of `AZP_URL`. If using a PAT, the token must be created by a user who has permission to [configure agents](pools-queues.md#create-agent-pools).
+
 ## Add tools and customize the container
 
 You have created a basic build agent.

From 1e5795b52f5840f1f202f2549dbd87ca207a2a56 Mon Sep 17 00:00:00 2001
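Review bot: The new `AZP_CLIENTSECRET` row documents a long-lived credential that is handed to the container as a plain environment variable, but nothing tells the operator that such a value is visible in `docker inspect` output and to every process in the container, or that it should be rotated if the container configuration is exposed; add a sentence under the new Authentication section, e.g. `AZP_CLIENTSECRET is a credential: pass it with --env-file or a secrets mechanism rather than inline on the docker run command line, and rotate it if the container configuration is exposed.` The Authorization section applies the **Agent Pools (read, manage)** scope wording to the service principal as well as to the PAT; scopes appear to be a PAT concept, so the service-principal requirement should be stated in terms of the permission granted on the pool and cross-checked against the linked service-principal registration page.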
From: Aidan Feldman
Date: Mon, 21 Oct 2024 09:57:18 -0600
Subject: [PATCH 2/3] run package update+upgrade with installs in Docker

Following [their best practice](https://docs.docker.com/build/building/best-practices/#apt-get).
---
 docs/pipelines/agents/docker.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/pipelines/agents/docker.md b/docs/pipelines/agents/docker.md
index f520aae5762..ba71ffa43db 100644
--- a/docs/pipelines/agents/docker.md
+++ b/docs/pipelines/agents/docker.md
@@ -227,9 +227,9 @@ Next, create the Dockerfile.
 # FROM arm64v8/alpine
 # ENV TARGETARCH="linux-musl-arm64"
 
- RUN apk update
- RUN apk upgrade
- RUN apk add bash curl gcc git icu-libs jq musl-dev python3-dev libffi-dev openssl-dev cargo make
+ RUN apk update && \
+ apk upgrade && \
+ apk add bash curl gcc git icu-libs jq musl-dev python3-dev libffi-dev openssl-dev cargo make
 
 # Install Azure CLI
 RUN pip install --upgrade pip
@@ -255,9 +255,9 @@ Next, create the Dockerfile.
 ENV TARGETARCH="linux-x64"
 # Also can be "linux-arm", "linux-arm64".
 
- RUN apt update
- RUN apt upgrade -y
- RUN apt install -y curl git jq libicu70
+ RUN apt update && \
+ apt upgrade -y && \
+ apt install -y curl git jq libicu70
 
 # Install Azure CLI
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash

From e588588a1fd0211dc996bcbdf9e53ba814685bdd Mon Sep 17 00:00:00 2001
From: Aidan Feldman
Date: Mon, 21 Oct 2024 10:10:21 -0600
Subject: [PATCH 3/3] add comment about use of a service principal token for the Docker agent
---
 docs/pipelines/agents/docker.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/pipelines/agents/docker.md b/docs/pipelines/agents/docker.md
index ba71ffa43db..7e7c92f2001 100644
--- a/docs/pipelines/agents/docker.md
+++ b/docs/pipelines/agents/docker.md
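Review bot: The chained `apt update && apt upgrade -y && apt install -y …` in the Ubuntu hunk still drives the `apt` front end, which is not intended for scripts (it has no `--no-install-recommends` and warns about its unstable CLI), and it leaves the fetched package indexes in the layer; the form the linked Docker best-practice page describes is `RUN apt-get update && apt-get install -y --no-install-recommends curl git jq libicu70 && rm -rf /var/lib/apt/lists/*`. The blanket `apt upgrade -y` here and `apk upgrade` in the Alpine hunk make the image content depend on the build date instead of on the tag, which defeats reproducibility and is what hadolint DL3005 flags; bumping the base image tag or digest reaches the same patch level deterministically. The Alpine hunk should likewise become `RUN apk add --no-cache bash curl gcc git icu-libs jq musl-dev python3-dev libffi-dev openssl-dev cargo make`, which makes the separate `apk update` unnecessary and leaves no index in the layer. Package versions remain unpinned in both hunks, so rebuilds can still drift even with these changes.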
@@ -378,6 +378,7 @@ Next, create the Dockerfile.
 print_header "3. Configuring Azure Pipelines agent..."
 
+ # Despite it saying "PAT", it can be the token through the service principal
 ./config.sh --unattended \
 --agent "${AZP_AGENT_NAME:-$(hostname)}" \
 --url "${AZP_URL}" \