[英]How do I authenticate using a managed identity from gitlab-ci to push a docker container from gitlab registry to Azure web service?
I have researched the way to push docker images from gitlab container registry to an azure resource: Pushing Docker image from gitlab-ci to Azure Container Registry I have researched the way to push docker images from gitlab container registry to an azure resource: Pushing Docker image from gitlab-ci to Azure Container Registry
I have also found the documentation to create managed identities (both system-assigned and user-assigned ) in the Azure docs我还在Azure 文档中找到了创建托管标识(系统分配和用户分配)的文档
I am missing to connect the dots on how I can use az login —-identity
in a gitlab-ci.yml
file to access an azure app service .我缺少关于如何在gitlab-ci.yml
文件中使用az login —-identity
来访问azure 应用服务的要点。 The purpose is to push a docker image from gitlab container registry .目的是从gitlab 容器注册表推送docker镜像。
az login —-service-principal
a more secure way to do this?如果是,那么az login —-service-principal
是一种更安全的方法吗? Or any other authentication procedure?或任何其他身份验证程序? ssh
? ssh
?Thank you for your help in advance!提前谢谢你的帮助!
You can use a GitLab CI Job JWT token to login to Azure from within a CI/CD pipeline without needing to store secrets in a GitLab project. You can use a GitLab CI Job JWT token to login to Azure from within a CI/CD pipeline without needing to store secrets in a GitLab project. In order to do this, you will also need to configure OpenID Connect (OIDC) for ID federation between GitLab and an Azure service principal.为此,您还需要为 GitLab 和 Azure 服务主体之间的 ID 联合配置 OpenID Connect (OIDC)。 This is recommended by Microsoft for authenticating to Azure from CI/CD services, among other use cases.这是 Microsoft 推荐的,用于从 CI/CD 服务以及其他用例对 Azure 进行身份验证。
Note: Using OIDC as described below will only work if you are using gitlab.com or a publicly reachable GitLab instance.注意:仅当您使用 gitlab.com 或可公开访问的 GitLab 实例时,才能使用如下所述的 OIDC。 This is because Azure needs to connect to the token issuer for the keys to validate the token.这是因为 Azure 需要连接到令牌颁发者以获取密钥以验证令牌。 If you are self-hosting GitLab and your instance is not publicly accessible, you can choose a different credential type for step 2.如果您是自托管 GitLab 并且您的实例不可公开访问,您可以为步骤 2 选择不同的凭证类型。
First, you will need to register an Application in Azure.首先,您需要在 Azure 中注册一个应用程序。 You can do this by following these instructions to register an application and create a service principal.您可以按照这些说明注册应用程序并创建服务主体来执行此操作。
After doing this, make note of the values for Application (client) ID and Directory (tenant) ID (found in the application Overview pane).完成此操作后,记下应用程序(客户端)ID和目录(租户)ID的值(在应用程序概览窗格中找到)。 These values will be needed for step 3.第 3 步将需要这些值。
Once your app is registered, you can add federated credentials to the application's service principal.注册应用程序后,您可以将联合凭据添加到应用程序的服务主体。 In the Azure portal, go to registered apps -> your application .在 Azure 门户中,go 到已注册的应用程序->您的应用程序。 In the sidebar, select Certificates & secrets .在侧边栏中, select Certificates & secrets 。 Under the Federated credentials tab, click the "Add credential" button在联合凭据选项卡下,单击“添加凭据”按钮
Use the following parameters for the credential configuration:使用以下参数进行凭证配置:
Federated credential sceanrio : Other issuer联合凭证场景:其他颁发者
Issuer : your gitlab URL eg https://gitlab.example.com
发行者:您的 gitlab URL 例如https://gitlab.example.com
Subject Identifier : The value of the sub
claim to match.主题标识符:要匹配的sub
声明的值。 For example, to allow jobs on the main
branch of the contoso/myproject
project to use this service principal, use project_path:contoso/myproject:ref_type:branch:ref:main
例如,要允许contoso/myproject
项目的main
分支上的作业使用此服务主体,请使用project_path:contoso/myproject:ref_type:branch:ref:main
Name : Any descriptive name for the federated credental (eg contoso-myproject-main
)名称:联合凭据的任何描述性名称(例如contoso-myproject-main
)
Description : Optional, a description for the federated credential.描述:可选,联合凭证的描述。
Audience : your GitLab URL eg https://gitlab.example.com
观众:您的 GitLab URL 例如https://gitlab.example.com
After the federated credentials are created, you can leverage the CI_JOB_JWT_V2
token in your job to authenticate with Azure.创建联合凭证后,您可以利用作业中的CI_JOB_JWT_V2
令牌向 Azure 进行身份验证。 In this example, we'll use the Azure CLI ( az login
).在此示例中,我们将使用 Azure CLI ( az login
)。
azure-cli:
image: mcr.microsoft.com/azure-cli
variables:
AZURE_CLIENT_ID: "YOUR Application Client ID"
AZURE_TENANT_ID: "YOUR TENANT ID"
script:
- az login --tenant $AZURE_TENANT_ID --service-principal -u $AZURE_CLIENT_ID --federated-token $CI_JOB_JWT_V2
# now you are logged into Azure and can take other actions using the CLI
# - az resource list # example
CI_JOB_JWT_V2
: Predefined variable CI_JOB_JWT_V2
:预定义变量AZURE_CLIENT_ID
: The Application (Client) ID of the registered application. AZURE_CLIENT_ID
:已注册应用程序的应用程序(客户端)ID。AZURE_TENANT_ID
: The ID of the Azure Tenant to login to (can be found in the application overview) AZURE_TENANT_ID
:要登录的 Azure 租户的 ID(可以在应用程序概述中找到)Also, don't forget to grant your registered app appropriate permissions for Azure container registry另外,不要忘记为您注册的应用授予 Azure 容器注册表的适当权限
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.