From b6ccc05d7e6dda62abba926fc8ec882f4bc6c66c Mon Sep 17 00:00:00 2001
From: Ladislau Szomoru <3372902+lszomoru@users.noreply.github.com>
Date: Wed, 3 Jul 2024 16:55:49 +0200
Subject: [PATCH] Azure - create a custom chained token credential to place the AzureCLICredential prior to the ManagedIdentityCredential (#1009)
---
 src/auth.ts | 24 ++++++++++++++++++++++++
 src/publish.ts | 3 ++-
 src/util.ts | 11 -----------
 3 files changed, 26 insertions(+), 12 deletions(-)
 create mode 100644 src/auth.ts
diff --git a/src/auth.ts b/src/auth.ts
new file mode 100644
index 00000000..0a5d9e38
--- /dev/null
+++ b/src/auth.ts
@@ -0,0 +1,24 @@
+import { AzureCliCredential, AzureDeveloperCliCredential, AzurePowerShellCredential, ChainedTokenCredential, EnvironmentCredential, ManagedIdentityCredential } from "@azure/identity";
+
+function createChainedTokenCredential(): ChainedTokenCredential {
+ return new ChainedTokenCredential(
+ new EnvironmentCredential(),
+ new AzureCliCredential(),
+ new ManagedIdentityCredential({ clientId: process.env.AZURE_CLIENT_ID }),
+ new AzurePowerShellCredential({ tenantId: process.env.AZURE_TENANT_ID }),
+ new AzureDeveloperCliCredential({ tenantId: process.env.AZURE_TENANT_ID })
+ );
+}
+
+export async function getAzureCredentialAccessToken(): Promise {
+ try {
+ const credential = createChainedTokenCredential()
+ const token = await credential.getToken('499b84ac-1321-427f-aa17-267ca6975798/.default', {
+ tenantId: process.env.AZURE_TENANT_ID
+ });
+
+ return token.token;
+ } catch (error) {
+ throw new Error('Can not acquire a Microsoft Entra ID access token. Additional information:\n\n' + error)
+ }
+}
diff --git a/src/publish.ts b/src/publish.ts
index 2d07b61d..34411561 100644
--- a/src/publish.ts
+++ b/src/publish.ts
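Review bot: `createChainedTokenCredential` in src/auth.ts has no comment explaining its ordering, and the order is the security-relevant part: `ChainedTokenCredential` returns the token from the first credential that succeeds, so on a host that has both a logged-in Azure CLI session and a managed identity, the CLI account is now the one that publishes. I would add a doc comment above the function such as `/** Order matters: the first credential that yields a token wins, so an Azure CLI login takes precedence over the host's managed identity. */`, so that any later reorder is a deliberate decision. Nothing in `getAzureCredentialAccessToken` records which credential supplied the token, which makes it hard to confirm from a pipeline log which identity performed a publish. The scope literal `'499b84ac-1321-427f-aa17-267ca6975798/.default'` would also read better as a named constant with a comment saying which resource it identifies.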
@@ -5,7 +5,7 @@ import { ExtensionQueryFlags, PublishedExtension } from 'azure-devops-node-api/i
 import { pack, readManifest, versionBump, prepublish, signPackage, createSignatureArchive } from './package';
 import * as tmp from 'tmp';
 import { IVerifyPatOptions, getPublisher } from './store';
-import { getGalleryAPI, read, getPublishedUrl, log, getHubUrl, patchOptionsWithManifest, getAzureCredentialAccessToken } from './util';
+import { getGalleryAPI, read, getPublishedUrl, log, getHubUrl, patchOptionsWithManifest } from './util';
 import { Manifest } from './manifest';
 import { readVSIXPackage } from './zip';
 import { validatePublisher } from './validation';
@@ -13,6 +13,7 @@ import { GalleryApi } from 'azure-devops-node-api/GalleryApi';
 import FormData from 'form-data';
 import { basename } from 'path';
 import { IterableBackoff, handleWhen, retry } from 'cockatiel';
+import { getAzureCredentialAccessToken } from './auth';
 const tmpName = promisify(tmp.tmpName);
diff --git a/src/util.ts b/src/util.ts
index f7e01376..282e713a 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -7,7 +7,6 @@ import { PublicGalleryAPI } from './publicgalleryapi';
 import { ISecurityRolesApi } from 'azure-devops-node-api/SecurityRolesApi';
 import { Manifest } from './manifest';
 import { EOL } from 'os';
-import { DefaultAzureCredential } from '@azure/identity';
 const __read = promisify<_read.Options, string>(_read);
 export function read(prompt: string, options: _read.Options = {}): Promise {
@@ -51,16 +50,6 @@ export function getPublicGalleryAPI() {
 return new PublicGalleryAPI(marketplaceUrl, '3.0-preview.1');
 }
-export async function getAzureCredentialAccessToken(): Promise {
- try {
- const credential = new DefaultAzureCredential();
- const token = await credential.getToken('499b84ac-1321-427f-aa17-267ca6975798/.default');
- return token.token;
- } catch (error) {
- throw new Error('Can not acquire a Microsoft Entra ID access token. Additional information:\n\n' + error)
- }
-}
-
 export function normalize(path: string): string {
 return path.replace(/\\/g, '/');
 }