From 9ed4d1d62014026462fb198ec1b0624f4147efc3 Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:07:49 -0500 Subject: [PATCH 01/10] Update Constants.ts --- src/PowerShell/Constants.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/PowerShell/Constants.ts b/src/PowerShell/Constants.ts index 543226df4..8865be247 100644 --- a/src/PowerShell/Constants.ts +++ b/src/PowerShell/Constants.ts @@ -4,7 +4,9 @@ export default class Constants { static readonly versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/; static readonly AzureCloud: string = "AzureCloud"; - static readonly Subscription: string = "Subscription"; + static readonly Tenant: string = "Tenant"; + static readonly ManagementGroup: string = "ManagementGroup"; + static readonly Subscription: string = "Subscription";"; static readonly ServicePrincipal: string = "ServicePrincipal"; static readonly Success: string = "Success"; From dc65d1c35ec3c72873fd09fbb1e6412eff49d11a Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:09:19 -0500 Subject: [PATCH 02/10] Update main.ts --- src/main.ts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/main.ts b/src/main.ts index 13ebea0cb..456f72a0e 100644 --- a/src/main.ts +++ b/src/main.ts 
@@ -63,7 +63,8 @@ async function main() { let secrets = creds ? new SecretParser(creds, FormatType.JSON) : null; let environment = core.getInput("environment").toLowerCase(); const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true"; - const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true"; + const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";"; + const scopeLevel = core.getInput('scopeLevel').toLowerCase(); //Check for the credentials in individual parameters in the workflow. var servicePrincipalId = core.getInput('client-id', { required: false }); @@ -200,7 +201,8 @@ async function main() { subscriptionId, allowNoSubscriptionsLogin, environment, - resourceManagerEndpointUrl); + resourceManagerEndpointUrl, + scopeLevel); await spnlogin.initialize(); await spnlogin.login(); } From 3196fe206392201d29410e4cb1ccc2c5a0e42e8c Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:10:28 -0500 Subject: [PATCH 03/10] Update ServicePrincipalLogin.ts --- src/PowerShell/ServicePrincipalLogin.ts | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/PowerShell/ServicePrincipalLogin.ts b/src/PowerShell/ServicePrincipalLogin.ts index c089d994f..2e68f073f 100644 --- a/src/PowerShell/ServicePrincipalLogin.ts +++ b/src/PowerShell/ServicePrincipalLogin.ts @@ -16,6 +16,7 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession { resourceManagerEndpointUrl: string; allowNoSubscriptionsLogin: boolean; federatedToken: string; + scopeLevel: string; constructor(servicePrincipalId: string, servicePrincipalKey: string, 
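Review bot: `scopeLevel` is read from the workflow input and lowercased in the first main.ts hunk, but it is never checked against the three values that action.yml documents. Any other string, such as a misspelling, makes the later ScriptBuilder comparison false, so `Set-AzContext` is silently skipped and the job continues in whatever context the login left, which may not be the subscription the workflow author intended. Reject unknown values right after the read, e.g. `if (!["subscription", "managementgroup", "tenant"].includes(scopeLevel)) throw new Error("scope-level must be subscription, managementgroup or tenant");`. The same read is repeated in PATCH 09 with the input renamed to `scope-level`, and main() starts and ends outside this hunk.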
@@ -24,7 +25,8 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession { subscriptionId: string, allowNoSubscriptionsLogin: boolean, environment: string, - resourceManagerEndpointUrl: string) { + resourceManagerEndpointUrl: string, + scopeLevel: string) { this.servicePrincipalId = servicePrincipalId; this.servicePrincipalKey = servicePrincipalKey; @@ -34,6 +36,7 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession { this.environment = environment; this.resourceManagerEndpointUrl = resourceManagerEndpointUrl; this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin; + this.scopeLevel = } async initialize() { @@ -67,7 +70,7 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession { federatedToken: this.federatedToken, subscriptionId: this.subscriptionId, environment: this.environment, - scopeLevel: ServicePrincipalLogin.scopeLevel, + scopeLevel: this.scopeLevel, allowNoSubscriptionsLogin: this.allowNoSubscriptionsLogin, resourceManagerEndpointUrl: this.resourceManagerEndpointUrl } @@ -81,4 +84,4 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession { console.log(`Azure PowerShell session successfully initialized`); } -} \ No newline at end of file +} From 31535a4a881ad1879da1329b96d5a1e13352dcc6 Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:10:54 -0500 Subject: [PATCH 04/10] Update ScriptBuilder.ts --- src/PowerShell/Utilities/ScriptBuilder.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PowerShell/Utilities/ScriptBuilder.ts b/src/PowerShell/Utilities/ScriptBuilder.ts index 9b1a0e7df..b55b1ca57 100644 --- a/src/PowerShell/Utilities/ScriptBuilder.ts +++ b/src/PowerShell/Utilities/ScriptBuilder.ts 
@@ -25,7 +25,7 @@ export default class ScriptBuilder { -Environment '${args.environment}' | out-null;`; } // command to set the subscription - if (args.scopeLevel === Constants.Subscription && !args.allowNoSubscriptionsLogin) { + if (args.scopeLevel.toLowerCase() === Constants.Subscription.toLowerCase() && !args.allowNoSubscriptionsLogin) { command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`; } } @@ -64,4 +64,4 @@ export default class ScriptBuilder { return this.script; } -} \ No newline at end of file +} From dfa701cd0fb973a8470f468c3f7c41a7bf13e5b1 Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:12:25 -0500 Subject: [PATCH 05/10] Update action.yml --- action.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/action.yml b/action.yml index c08d94d71..3d339e658 100644 --- a/action.yml +++ b/action.yml @@ -30,6 +30,10 @@ inputs: description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange' required: false default: 'api://AzureADTokenExchange' + scopeLevel: + description: 'Scope Level. Supported values are subscription, tenant, or managementgroup. Default is subscription' + required: false + default: 'subscription' branding: icon: 'login.svg' color: 'blue' From 1747e1f04db243e84f91b904738c1b24575a916c Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:13:57 -0500 Subject: [PATCH 06/10] Update main.ts --- src/main.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main.ts b/src/main.ts index 456f72a0e..052362fac 100644 --- a/src/main.ts +++ b/src/main.ts 
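Review bot: Missing documentation at the changed `if` in ScriptBuilder: this comparison is the only place in the visible hunks where `scopeLevel` affects the generated script, so `managementgroup` and `tenant` behave identically and nothing selects a management group. Add a comment such as `// any scopeLevel other than "subscription" emits no Set-AzContext; the session keeps the context chosen at login`, so readers do not assume the session has been pinned to a management group or tenant scope. The enclosing method starts and ends outside the hunk.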
@@ -79,7 +79,7 @@ async function main() { if (servicePrincipalId || tenantId || subscriptionId) { //If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs. - if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin))) + if (!(servicePrincipalId && tenantId && ((subscriptionId || allowNoSubscriptionsLogin) && scopeLevel == "subscription"))) throw new Error("Few credentials are missing. ClientId, tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set."); } else { From 9c70944155b32f5a1a39bd8da3162ba3457e170b Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:16:27 -0500 Subject: [PATCH 07/10] Update README.md --- README.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/README.md b/README.md index 3d6fc6840..ad0279b56 100644 --- a/README.md +++ b/README.md @@ -107,6 +107,8 @@ jobs: pwd ``` + + Users can also specify `audience` field for access-token in the input parameters of the action. If not specified, it is defaulted to `api://AzureADTokenExchange`. This action supports login az powershell as well for both Windows and Linux runners by setting an input parameter `enable-AzPSSession: true`. Below is the sample workflow for the same using the Windows runner. Please note that powershell login is not supported in macOS runners. ## Sample workflow that uses Azure login action using OIDC to run az PowerShell (Windows) 
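Review bot: The added `&& scopeLevel == "subscription"` is conjoined with the subscription test, so when `client-id`/`tenant-id` are passed as individual inputs and scope-level is `tenant` or `managementgroup`, the "Few credentials are missing" error is always thrown. The intent appears to be to relax the subscription requirement for non-subscription scopes: `if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin || scopeLevel !== "subscription")))`. The error text should then mention scope-level as well. The identical condition is compiled into lib/main.js in PATCH 10, and main() continues outside this hunk.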
@@ -269,6 +271,28 @@ jobs: allow-no-subscriptions: true ``` +## Support for using `scope-level` + +Capability has been added to support access to the different scope levels (`subscription`, `managementgroup`, or `tenant`) for both OIDC and non-OIDC. This can be useful if you need to target a particular management group and actually if scope level is `tenant` its the same as having `allow-no-subscription` enabled + +```yaml +# File: .github/workflows/workflow.yml + +on: [push] + +name: AzureLoginWithNoSubscriptions + +jobs: + + build-and-deploy: + runs-on: ubuntu-latest + steps: + + - uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + scope-level: 'managementgroup' +``` ## Az logout and security hardening This action doesn't implement ```az logout``` by default at the end of execution. However there is no way of tampering the credentials or account information because the github hosted runner is on a VM that will get reimaged for every customer run which gets everything deleted. But if the runner is self-hosted which is not github provided it is recommended to manually logout at the end of the workflow as shown below. More details on security of the runners can be found [here](https://docs.github.com/actions/learn-github-actions/security-hardening-for-github-actions#hardening-for-self-hosted-runners). From 9d98cd3b253985ab458098d9298228eebd3de7d2 Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:16:47 -0500 Subject: [PATCH 08/10] Update action.yml --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 3d339e658..ba1438e9b 100644 --- a/action.yml +++ b/action.yml 
@@ -30,7 +30,7 @@ inputs: description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange' required: false default: 'api://AzureADTokenExchange' - scopeLevel: + scope-level: description: 'Scope Level. Supported values are subscription, tenant, or managementgroup. Default is subscription' required: false default: 'subscription' From 4a3c4184ad63b344bc530b90029a2aab0dcfc0d3 Mon Sep 17 00:00:00 2001 From: Hector Flores <100806365+htekdev@users.noreply.github.com> Date: Fri, 19 May 2023 08:17:32 -0500 Subject: [PATCH 09/10] Update main.ts --- src/main.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main.ts b/src/main.ts index 052362fac..c2e737cb3 100644 --- a/src/main.ts +++ b/src/main.ts @@ -63,8 +63,8 @@ async function main() { let secrets = creds ? new SecretParser(creds, FormatType.JSON) : null; let environment = core.getInput("environment").toLowerCase(); const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true"; - const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";"; - const scopeLevel = core.getInput('scopeLevel').toLowerCase(); + const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true"; + const scopeLevel = core.getInput('scope-level').toLowerCase(); //Check for the credentials in individual parameters in the workflow. var servicePrincipalId = core.getInput('client-id', { required: false }); From 4260f21590a0c6997bbd162626e9c8aa12cf8ada Mon Sep 17 00:00:00 2001 
From: Hector Flores Date: Fri, 19 May 2023 08:22:00 -0500 Subject: [PATCH 10/10] Pushing fixes --- lib/PowerShell/Constants.js | 2 ++ lib/PowerShell/ServicePrincipalLogin.js | 13 +++++++++---- .../Utilities/PowerShellToolRunner.js | 8 ++++++-- lib/PowerShell/Utilities/ScriptBuilder.js | 10 +++++++--- lib/PowerShell/Utilities/Utils.js | 8 ++++++-- lib/main.js | 17 +++++++++++------ src/PowerShell/Constants.ts | 2 +- src/PowerShell/ServicePrincipalLogin.ts | 2 +- 8 files changed, 43 insertions(+), 19 deletions(-) diff --git a/lib/PowerShell/Constants.js b/lib/PowerShell/Constants.js index 51d0a3a07..567a7002d 100644 --- a/lib/PowerShell/Constants.js +++ b/lib/PowerShell/Constants.js @@ -7,6 +7,8 @@ Constants.prefix = "az_"; Constants.moduleName = "Az.Accounts"; Constants.versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/; Constants.AzureCloud = "AzureCloud"; +Constants.Tenant = "Tenant"; +Constants.ManagementGroup = "ManagementGroup"; Constants.Subscription = "Subscription"; Constants.ServicePrincipal = "ServicePrincipal"; Constants.Success = "Success"; diff --git a/lib/PowerShell/ServicePrincipalLogin.js b/lib/PowerShell/ServicePrincipalLogin.js index 716f07f52..b70074bfb 100644 --- a/lib/PowerShell/ServicePrincipalLogin.js +++ b/lib/PowerShell/ServicePrincipalLogin.js @@ -1,7 +1,11 @@ "use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; 
@@ -14,7 +18,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? ( var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; @@ -38,7 +42,7 @@ const PowerShellToolRunner_1 = __importDefault(require("./Utilities/PowerShellTo const ScriptBuilder_1 = __importDefault(require("./Utilities/ScriptBuilder")); const Constants_1 = __importDefault(require("./Constants")); class ServicePrincipalLogin { - constructor(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl) { + constructor(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl, scopeLevel) { this.servicePrincipalId = servicePrincipalId; this.servicePrincipalKey = servicePrincipalKey; this.federatedToken = federatedToken; @@ -47,6 +51,7 @@ class ServicePrincipalLogin { this.environment = environment; this.resourceManagerEndpointUrl = resourceManagerEndpointUrl; this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin; + this.scopeLevel = scopeLevel; } initialize() { return __awaiter(this, void 0, void 0, function* () { @@ -80,7 +85,7 @@ class ServicePrincipalLogin { federatedToken: this.federatedToken, subscriptionId: this.subscriptionId, environment: this.environment, - scopeLevel: ServicePrincipalLogin.scopeLevel, + scopeLevel: this.scopeLevel, allowNoSubscriptionsLogin: this.allowNoSubscriptionsLogin, resourceManagerEndpointUrl: this.resourceManagerEndpointUrl }; 
diff --git a/lib/PowerShell/Utilities/PowerShellToolRunner.js b/lib/PowerShell/Utilities/PowerShellToolRunner.js index 0ac63086d..367f18fa6 100644 --- a/lib/PowerShell/Utilities/PowerShellToolRunner.js +++ b/lib/PowerShell/Utilities/PowerShellToolRunner.js @@ -1,7 +1,11 @@ "use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; @@ -14,7 +18,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? ( var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; diff --git a/lib/PowerShell/Utilities/ScriptBuilder.js b/lib/PowerShell/Utilities/ScriptBuilder.js index 74aa6ae64..2b36fcf7c 100644 --- a/lib/PowerShell/Utilities/ScriptBuilder.js +++ b/lib/PowerShell/Utilities/ScriptBuilder.js 
@@ -1,7 +1,11 @@ "use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; @@ -14,7 +18,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? ( var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; @@ -46,7 +50,7 @@ class ScriptBuilder { -Environment '${args.environment}' | out-null;`; } // command to set the subscription - if (args.scopeLevel === Constants_1.default.Subscription && !args.allowNoSubscriptionsLogin) { + if (args.scopeLevel.toLowerCase() === Constants_1.default.Subscription.toLowerCase() && !args.allowNoSubscriptionsLogin) { command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`; } } diff --git a/lib/PowerShell/Utilities/Utils.js b/lib/PowerShell/Utilities/Utils.js index d890766e5..2b0bf2757 100644 --- a/lib/PowerShell/Utilities/Utils.js +++ b/lib/PowerShell/Utilities/Utils.js 
@@ -1,7 +1,11 @@ "use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; @@ -14,7 +18,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? ( var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; diff --git a/lib/main.js b/lib/main.js index 90d9206a4..b3e13b52c 100644 --- a/lib/main.js +++ b/lib/main.js @@ -1,7 +1,11 @@ "use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; 
@@ -14,7 +18,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? ( var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; @@ -90,6 +94,7 @@ function main() { let environment = core.getInput("environment").toLowerCase(); const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true"; const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true"; + const scopeLevel = core.getInput('scope-level').toLowerCase(); //Check for the credentials in individual parameters in the workflow. var servicePrincipalId = core.getInput('client-id', { required: false }); var servicePrincipalKey = null; @@ -101,7 +106,7 @@ function main() { // If any of the individual credentials (clent_id, tenat_id, subscription_id) is present. if (servicePrincipalId || tenantId || subscriptionId) { //If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs. - if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin))) + if (!(servicePrincipalId && tenantId && ((subscriptionId || allowNoSubscriptionsLogin) && scopeLevel == "subscription"))) throw new Error("Few credentials are missing. ClientId, tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set."); } else { 
@@ -191,7 +196,7 @@ function main() { } else { console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details."); - commonArgs = commonArgs.concat("-p", servicePrincipalKey); + commonArgs = commonArgs.concat(`--password=${servicePrincipalKey}`); } yield executeAzCliCommand(`login`, true, loginOptions, commonArgs); if (!allowNoSubscriptionsLogin) { @@ -206,7 +211,7 @@ function main() { // Attempting Az PS login console.log(`Running Azure PS Login`); var spnlogin; - spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl); + spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl, scopeLevel); yield spnlogin.initialize(); yield spnlogin.login(); } @@ -214,7 +219,7 @@ function main() { } catch (error) { if (!isAzCLISuccess) { - core.setFailed(`Az CLI Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows`); + core.setFailed(`Az CLI Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`); } else { core.setFailed(`Azure PowerShell Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`); diff --git a/src/PowerShell/Constants.ts b/src/PowerShell/Constants.ts index 8865be247..72aed16e8 100644 --- a/src/PowerShell/Constants.ts 
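Review bot: Two changes in the lib/main.js hunks have no counterpart in any src/ hunk of this series: the client secret argument goes from `"-p", servicePrincipalKey` to `--password=${servicePrincipalKey}` (hunk at -191), and the first `core.setFailed` message gains a trailing `"` (hunk at -214). Together with the rewritten `__createBinding` helpers in every lib file, this suggests lib/ was rebuilt from a different tree or compiler version than the previous build, so the shipped JavaScript cannot be confirmed from the TypeScript shown here. Because lib/main.js is presumably what the action executes, rebuild lib/ from the committed src/ in CI and fail on any difference before merging. Either form still appears to hand the secret to `az` as a command-line argument.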
+++ b/src/PowerShell/Constants.ts @@ -6,7 +6,7 @@ export default class Constants { static readonly AzureCloud: string = "AzureCloud"; static readonly Tenant: string = "Tenant"; static readonly ManagementGroup: string = "ManagementGroup"; - static readonly Subscription: string = "Subscription";"; + static readonly Subscription: string = "Subscription"; static readonly ServicePrincipal: string = "ServicePrincipal"; static readonly Success: string = "Success"; diff --git a/src/PowerShell/ServicePrincipalLogin.ts b/src/PowerShell/ServicePrincipalLogin.ts index 2e68f073f..53048524b 100644 --- a/src/PowerShell/ServicePrincipalLogin.ts +++ b/src/PowerShell/ServicePrincipalLogin.ts @@ -36,7 +36,7 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession { this.environment = environment; this.resourceManagerEndpointUrl = resourceManagerEndpointUrl; this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin; - this.scopeLevel = + this.scopeLevel = scopeLevel; } async initialize() {