I have looked at some related questions and answers, but none of them fully solves the problem I am trying to address.
I am setting up a GitHub Actions workflow that logs in to Azure with a more limited service principal (those initial credentials are stored in the GitHub Actions secrets GUI), and then queries Azure Key Vault for the credentials of the actual project contributor service principal, which is used to operate on our Azure subscription.
It looks like this:
on:
  push:
    branches: ["prod"]
  workflow_dispatch:
jobs:
  azure_login_tests:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout source code'
        uses: actions/checkout@v4
      - name: Login to Azure with Login Service Principal
        uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURELOGINSP }}
      - name: Get Project Contributor SP Key Vault Secret
        id: "query_key_vault_for_secret"
        run: |
          project_sp_client_id=$(az keyvault secret show --name "Project-SP-Client-ID" --vault-name "MyVault" --query value -o tsv)
          project_sp_secret_value=$(az keyvault secret show --name "Project-SP-SECRET-VALUE" --vault-name "MyVault" --query value -o tsv)
          subscription_id=$(az keyvault secret show --name "Subscription-ID" --vault-name "MyVault" --query value -o tsv)
          tenant_id=$(az keyvault secret show --name "Tenant-ID" --vault-name "MyVault" --query value -o tsv)
          project_sp_creds_json=$(cat <<EOF
          {'client-id':'$project_sp_client_id',
          'client-secret':'$project_sp_secret_value',
          'subscription-id':'$subscription_id',
          'tenant-id':'$tenant_id'}
          EOF
          )
          # also tried
          # project_sp_creds_json="{'client-id':'$project_sp_client_id','client-secret':'$project_sp_secret_value','subscription-id':'$subscription_id','tenant-id':'$tenant_id'}"
          echo "PROJECTSPCREDSJSON=$project_sp_creds_json" >> "$GITHUB_OUTPUT"
      - name: Re-Login to Azure using Project SP
        uses: Azure/login@v1
        with:
          creds: ${{ steps.query_key_vault_for_secret.outputs.PROJECTSPCREDSJSON }}
With this code I get JSON parsing errors, such as:
Error: Login failed with Error: Content is not a valid JSON object.
Double check if the 'auth-type' is correct. Refer to
https://github.com/Azure/login#readme for more information.
or
Invalid format ' 'client-id': '***', '
How can I fix my JSON, or the way the output is written to $GITHUB_OUTPUT, etc., to solve this?
I have a solution that does not involve JSON at all, but I would still be very interested if I could use the Azure/login GitHub Action.
By adding this native az login command to the end of the Key Vault query step (which works fine), I can stay logged in as the project contributor service principal and omit the login step entirely:
az login --service-principal -u $project_sp_client_id -p $project_sp_secret_value --tenant $tenant_id
Overall, this looks like:
on:
  push:
    branches: ["prod"]
  workflow_dispatch:
jobs:
  azure_login_tests:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout source code'
        uses: actions/checkout@v4
      - name: Login to Azure with Login Service Principal
        uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURELOGINSP }}
      - name: Get Project Contributor SP Key Vault Secret, then Login again
        id: "query_key_vault_and_login_to_project_sp"
        uses: azure/cli@v2
        with:
          azcliversion: 2.30.0
          inlinescript: |
            project_sp_client_id=$(az keyvault secret show --name "Project-SP-Client-ID" --vault-name "MyVault" --query value -o tsv)
            project_sp_secret_value=$(az keyvault secret show --name "Project-SP-SECRET-VALUE" --vault-name "MyVault" --query value -o tsv)
            # subscription_id=$(az keyvault secret show --name "Subscription-ID" --vault-name "MyVault" --query value -o tsv) # unnecessary
            tenant_id=$(az keyvault secret show --name "Tenant-ID" --vault-name "MyVault" --query value -o tsv)
            az login --service-principal -u $project_sp_client_id -p $project_sp_secret_value --tenant $tenant_id
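A way to do what the first workflow attempts, added here as an example and not part of the question: build the creds object as real JSON with double-quoted keys (the camelCase key names are the ones Azure/login documents for its creds input), register the Key Vault values as masked so the runner redacts them from the log, and pass the object to the next step through $GITHUB_OUTPUT in the multi-line delimiter form. The four values, the output name and the temp file are constructed sample inputs; in the workflow they would come from the az keyvault calls above, with the step referring to the result as steps.<id>.outputs.<key>.

```shell
# Added example (not from the question): JSON creds for Azure/login, masked,
# passed between steps through $GITHUB_OUTPUT.
# Escape one value for use inside a JSON string. Backslashes are doubled first;
# doing the quotes first would make the second pass re-escape them.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}
# One-line JSON object with double-quoted keys and values. The single-quoted
# form in the question is not JSON, hence "Content is not a valid JSON object".
build_creds_json() {
  printf '{"clientId":"%s","clientSecret":"%s","subscriptionId":"%s","tenantId":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$(json_escape "$4")"
}
# Values read with `az keyvault secret show` are not repository secrets, so the
# runner will not redact them from the log unless the step registers a mask.
mask_secret() {
  printf '::add-mask::%s\n' "$1"
}
# Append KEY=value to $GITHUB_OUTPUT in the delimiter form, which stays valid
# even when the value spans several lines (plain KEY=value does not). The next
# step reads it as ${{ steps.<step id>.outputs.<key> }} (outputs, plural).
write_output() {
  delim="ghadelim_$$"
  printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim" >> "$GITHUB_OUTPUT"
}
# Read a delimited value back from an output file, the way the runner would;
# used here only to check the file locally.
read_output() {
  awk -v key="$1" '
    !on && index($0, key "<<") == 1 { d = substr($0, length(key) + 3); on = 1; next }
    on && $0 == d { exit }
    on { print }' "$2"
}
# Stand-alone demo with constructed sample values; no Azure calls are made.
demo() {
  GITHUB_OUTPUT=$(mktemp); export GITHUB_OUTPUT
  secret='p@ss"w\ord'                       # constructed; exercises the escaping
  mask_secret "$secret"
  json=$(build_creds_json 00000000-0000-0000-0000-000000000000 "$secret" sub-id tenant-id)
  write_output PROJECTSPCREDSJSON "$json"
  read_output PROJECTSPCREDSJSON "$GITHUB_OUTPUT"
}
demo
```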