4c74356b41

Reputation: 72171

Issues with azure.identity when using federated credentials

I'm running a GH Actions pipeline which is configured to log in to Azure CLI using federated credentials (and this works fine):

env:
  ARM_USE_OIDC: true

steps:
- name: az login
  uses: azure/login@v1
  with:
    client-id: ${{ env.ARM_CLIENT_ID }}
    tenant-id: ${{ env.ARM_TENANT_ID }}
    subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}

Then I'm running pytest, which runs some Python code, some TF runs, etc. Plain Az CLI/TF calls using subprocess work; however, when I'm using AzureCliCredential or DefaultAzureCredential, calls to get_token fail with:

Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2023-12-19T07:20:31.3554289Z, assertion valid from 2023-12-19T05:59:24.0000000Z, expiry time of assertion 2023-12-19T06:04:24.0000000Z

The same code was working previously using certificate auth.

EDIT: what was confusing me is the fact that the tokens I'm getting have a proper lifetime, which doesn't match the error. What I'm thinking now is that the underlying OIDC token issued by GitHub has only 5 minutes of lifetime, hence it doesn't matter if the OAuth tokens have a 1h lifetime.

EDIT: related issues:
https://github.com/Azure/login/issues/372
https://github.com/Azure/login/issues/180

Upvotes: 2

Views: 3073

Answers (1)

4c74356b41

Reputation: 72171

The underlying OIDC token issued by GitHub has only 5 minutes of lifetime, hence it doesn't matter if the OAuth tokens have a 1h lifetime.

My workaround is to refresh Azure CLI auth every time I need to use it until anything can be done about this (at least I don't see a way to extend the token lifetime: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)

import os
from azure.identity import AzureCliCredential

def get_azure_credentials():
    # Request a fresh GitHub OIDC token from the runner and log the CLI in with it.
    # CLIENT_ID and TENANT_ID are module-level constants; subprocess_helper is described below.
    token_request = os.environ.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
    token_uri = os.environ.get("ACTIONS_ID_TOKEN_REQUEST_URL")
    subprocess_helper(f'token=$(curl -H "Authorization: bearer {token_request}" "{token_uri}&audience=api://AzureADTokenExchange" | jq .value -r) && az login --service-principal -u {CLIENT_ID} -t {TENANT_ID} --federated-token $token')
    return AzureCliCredential()

PS: subprocess_helper is a wrapper around:

subprocess.run(["/bin/sh", "-c", run_me], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

PPS: if anyone knows a better solution, I'm up for it.

Upvotes: 0
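As an added example (not the answerer's code): the same workaround, but the GitHub token is fetched with urllib and passed to az as an argv element rather than interpolated into a shell string, and the federated login is only re-run when the cached assertion's exp claim is within 60 seconds. It assumes the ACTIONS_ID_TOKEN_REQUEST_* variables named above, a job with id-token: write, and that the exp claim is read without verifying the signature (Entra ID verifies it during the exchange).

```python
"""Refresh the az CLI federated login only when the GitHub OIDC assertion is near expiry."""
import base64
import json
import os
import subprocess
import time
import urllib.request
from urllib.parse import urlencode

AUDIENCE = "api://AzureADTokenExchange"
MIN_REMAINING = 60  # seconds left on the assertion below which we log in again

def jwt_seconds_remaining(token, now=None):
    """Seconds until the JWT 'exp' claim (0 if already past). Reads the claim only;
    the signature is verified by Entra ID during the token exchange, not here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    exp = json.loads(base64.urlsafe_b64decode(payload))["exp"]
    now = time.time() if now is None else now
    return max(0, int(exp - now))

def needs_refresh(id_token, now=None):
    """True when no assertion is cached or it expires within MIN_REMAINING seconds."""
    return id_token is None or jwt_seconds_remaining(id_token, now) < MIN_REMAINING

def request_github_id_token(audience=AUDIENCE):
    """Ask the Actions runner for a fresh OIDC token (the job needs `id-token: write`)."""
    url = os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"] + "&" + urlencode({"audience": audience})
    req = urllib.request.Request(url, headers={
        "Authorization": "bearer " + os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["value"]

def az_login_federated(client_id, tenant_id, id_token):
    """Exchange the assertion for a CLI session; argv list, so the token never reaches a shell."""
    subprocess.run(["az", "login", "--service-principal", "-u", client_id, "-t", tenant_id,
                    "--federated-token", id_token], check=True, capture_output=True)

_cache = {"id_token": None}  # last assertion we logged in with

def get_azure_credentials(client_id, tenant_id):
    """Drop-in for the answer's helper: re-login only when the assertion is stale."""
    if needs_refresh(_cache["id_token"]):
        _cache["id_token"] = request_github_id_token()
        az_login_federated(client_id, tenant_id, _cache["id_token"])
    from azure.identity import AzureCliCredential  # local import: helpers above need no SDK
    return AzureCliCredential()

def unsigned_test_jwt(exp):
    """Constructed sample token (alg none, empty signature) to exercise the expiry logic offline."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'exp': int(exp)})}."
```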
