Skip to content

ADR for enabling CodeOps processes against Azure DevOps #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
JamesDawson wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ADR for enabling CodeOps processes against Azure DevOps #41

JamesDawson wants to merge 1 commit into from

Conversation

@JamesDawson
Copy link
Contributor

@JamesDawson JamesDawson commented Mar 3, 2021

No description provided.

MikeEvansLarah
MikeEvansLarah reviewed Mar 3, 2021
View reviewed changes
docs/adr/0002-automating-azure-devops-management-tasks.md
### Service Account
Whilst it would be trivial to setup a dedicated AAD user account with the required permissions to run the process, such an identity cannot always be used to natively execute a pipeline within CI/CD tools (e.g. Azure DevOps, GitHub Actions).

Therefore it would be necessary for the pipeline to perform a 'runas' operation when communicating with the Azure DevOps REST API. This in turn means that the credential for this user needs to be retrievable (e.g. from key vault), but this clashes with the goal to minimise the surface area for attacking the trusted identity's credential.
Copy link
Contributor

@MikeEvansLarah MikeEvansLarah Mar 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this differ from the the need to retrieve the credentials for the service principal that the pipeline operates as?

Copy link
Contributor Author

@JamesDawson JamesDawson Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The credentials for the service principal only need to be known at the point that the service connection is registered, after that, ADO handles storing the credentials and making them available to pipeline.

Those concerns, as they relate to this additional identity, would get pushed down into the pipeline process itself (e.g. the codeops script).

Copy link
Contributor

@MikeEvansLarah MikeEvansLarah Mar 5, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you create a generic service connection for the service account and handle it in a similar way?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MikeEvansLarah MikeEvansLarah MikeEvansLarah left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JamesDawson @MikeEvansLarah