ADR for enabling CodeOps processes against Azure DevOps#41
JamesDawson wants to merge 1 commit into master from
> ### Service Account
>
> Whilst it would be trivial to set up a dedicated AAD user account with the required permissions to run the process, such an identity cannot always be used to natively execute a pipeline within CI/CD tools (e.g. Azure DevOps, GitHub Actions).
>
> Therefore it would be necessary for the pipeline to perform a 'runas' operation when communicating with the Azure DevOps REST API. This in turn means that the credential for this user needs to be retrievable (e.g. from key vault), but this clashes with the goal to minimise the surface area for attacking the trusted identity's credential.
Contributor:
How does this differ from the need to retrieve the credentials for the service principal that the pipeline operates as?
Author (JamesDawson):
The credentials for the service principal only need to be known at the point that the service connection is registered; after that, ADO handles storing the credentials and making them available to the pipeline.
Those concerns, as they relate to this additional identity, would get pushed down into the pipeline process itself (e.g. the codeops script).
Contributor:
Could you create a generic service connection for the service account and handle it in a similar way?
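The pattern the thread converges on is to let Azure DevOps hold the credential and have the pipeline call the Azure DevOps REST API as a registered identity, rather than pulling a user's password out of Key Vault at run time. The pipeline fragment below is an added illustration of that pattern; it is not part of this PR, the ADR, or the CodeOps project. It assumes an Azure Resource Manager service connection named `codeops-service-connection` (placeholder) whose service principal has been added as a user of the Azure DevOps organisation with the permissions the process needs, and a placeholder organisation name `contoso-org`. The GUID `499b84ac-1321-427f-aa17-267ca6975798` is the published application ID of the Azure DevOps resource and is what `az account get-access-token --resource` is pointed at to obtain a token usable against `dev.azure.com`.

```yaml
# Added example (not the PR's or the ADR's own content): call the Azure DevOps
# REST API as the identity behind an ARM service connection. The service
# principal's client secret stays inside Azure DevOps; the script only ever
# sees a short-lived bearer token issued for this job.
trigger: none

variables:
  adoOrganisation: 'contoso-org'                          # placeholder org name
  adoResourceId: '499b84ac-1321-427f-aa17-267ca6975798'   # Azure DevOps app ID

steps:
  - task: AzureCLI@2
    displayName: 'List projects as the service connection identity'
    inputs:
      azureSubscription: 'codeops-service-connection'     # placeholder connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        # Token is minted for the service principal that Azure DevOps already
        # authenticated for this task; nothing is fetched from Key Vault here.
        token=$(az account get-access-token \
                  --resource "${ADO_RESOURCE_ID}" \
                  --query accessToken -o tsv)
        # Bearer-token call to the Azure DevOps REST API.
        curl --fail --silent \
          -H "Authorization: Bearer ${token}" \
          "https://dev.azure.com/${ADO_ORG}/_apis/projects?api-version=7.1"
    env:
      ADO_ORG: $(adoOrganisation)
      ADO_RESOURCE_ID: $(adoResourceId)
```

The trade-off this makes is the one the author describes: the client secret (or certificate) is supplied once when the service connection is registered and never surfaces in the pipeline, and a compromised job only yields a token that expires on its own. The remaining precondition is that the service principal must be granted the relevant Azure DevOps permissions directly, since it is acting as itself rather than impersonating a user account.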