Comments (3)
Agreed it'd be nice if the docker-login action supported OIDC somehow out of the box.
In the meantime, I just used the az CLI to leverage my OIDC setup:
```yaml
- name: 'Az CLI login'
  uses: azure/login@v1
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID_GITHUB_AUTH }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Login to ACR via OIDC
  run: az acr login --name <registry-name>
```
Any progress on this? OIDC is the security best practice to authenticate against Azure and it's still not supported.
It would already be enough if this action would support token based authentication (https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#az-acr-login-with---expose-token) against the ACR, as the Azure CLI action already supports OIDC:
```yaml
- name: Get ACR credentials
  id: get-acr-credentials
  uses: azure/CLI@v1
  with:
    azcliversion: latest
    inlineScript: |
      echo "ACR_ACCESS_TOKEN=$(az acr login --name <ACRNAME> --expose-token --output tsv --query accessToken)" >> "$GITHUB_OUTPUT"
      echo "ACR_LOGIN_SERVER=$(az acr login --name <ACRNAME> --expose-token --output tsv --query loginServer)" >> "$GITHUB_OUTPUT"
- name: Login to ACR
  uses: docker/login-action@v3
  with:
    registry: ${{ steps.get-acr-credentials.outputs.ACR_LOGIN_SERVER }}
    username: 00000000-0000-0000-0000-000000000000
    password: ${{ steps.get-acr-credentials.outputs.ACR_ACCESS_TOKEN }}
```
The current workaround without using the login-action is this:

```yaml
- name: Log in to Azure
  uses: azure/login@v1
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Login to Azure Container Registry
  run: az acr login --name $ACR_NAME
  env:
    ACR_NAME: ${{ vars.ACR_NAME }}
```
I agree with @itpropro. It seems a bit injudicious to enhance security with an OIDC mechanism but then lack a way to leverage those credentials for ACR, right?

In other words, `az acr login --name <name>` will create the necessary docker credentials, but those credentials will never be destroyed unless you do it manually at the end of your job. `docker/login-action` does the right thing by adding a post job hook to call `docker logout`, so why can't the `azure/login` be extended to perform some steps similar to the ones listed in #56 (comment)?
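The two workarounds above can be combined into one script that does what the commenters ask for: obtain a short-lived ACR token from an `az` session that `azure/login` already authenticated via OIDC, hand it to `docker login` under the documented null-GUID username instead of an admin password, mask the token in the job log, and register a `docker logout` for when the job shell exits, the way `docker/login-action`'s post hook does. This is an added example, not code from the docker-login project or from any of the commenters. It assumes `az` and `docker` are on `PATH`, that `az` is already logged in, that `GITHUB_OUTPUT` is set (as it is inside a `run:` step), and that a single `--query '[loginServer, accessToken]'` multiselect is used in place of the two separate `az acr login` calls shown above.

```sh
#!/bin/sh
# acr_oidc_login.sh - token-based ACR login for a job that has already run
# azure/login with OIDC. Added example; not part of the docker-login project.
set -eu

# Username ACR expects when the password is a token from `az acr login --expose-token`
# (see the Microsoft doc linked in the thread).
ACR_NULL_USER=00000000-0000-0000-0000-000000000000

# Global so the EXIT trap can find the registry to log out of.
ACR_SERVER=

# acr_credentials NAME -> prints "<loginServer> <accessToken>" on one line.
# Assumption: one az call with a JMESPath multiselect instead of two calls.
acr_credentials() {
  az acr login --name "$1" --expose-token --output tsv \
    --query '[loginServer, accessToken]' | tr '\t' ' '
}

# publish_step_outputs SERVER TOKEN: expose the values to later steps and
# mask the token so it is redacted from the job log.
publish_step_outputs() {
  printf '::add-mask::%s\n' "$2"
  printf 'ACR_LOGIN_SERVER=%s\nACR_ACCESS_TOKEN=%s\n' "$1" "$2" >> "${GITHUB_OUTPUT:?}"
}

# acr_logout: revoke the docker credential written by `docker login`.
acr_logout() {
  [ -n "$ACR_SERVER" ] && docker logout "$ACR_SERVER"
}

# acr_login NAME: fetch the token, log docker in with it (never the admin
# password), and arrange for logout when the shell exits, mirroring the
# post-job hook of docker/login-action.
acr_login() {
  creds=$(acr_credentials "$1")
  ACR_SERVER=${creds%% *}
  token=${creds#* }
  publish_step_outputs "$ACR_SERVER" "$token"
  # --password-stdin keeps the token out of `ps` and the process argv.
  printf '%s' "$token" | docker login "$ACR_SERVER" \
    --username "$ACR_NULL_USER" --password-stdin
  trap acr_logout EXIT
}

# Usage inside a `run:` step: sh acr_oidc_login.sh <registry-name>
if [ $# -gt 0 ]; then
  acr_login "$1"
fi
```

Because the token is written to `$GITHUB_OUTPUT`, it is available to a later `docker/login-action` step exactly as in the second comment; the `::add-mask::` line must be emitted before the token is ever echoed, which is why it is printed first.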
Related Issues (20)
- Use same secret AZURE_CREDENTIALS as Azure/login and Azure/aks-set-context HOT 2
- docker: command not found HOT 1
- How to deal with registries that can't be opened to public internet HOT 1
- AZURE_WEBAPP_PUBLISH_PROFILE
- Remove the admin account requirement for Docker login action
- GITHUB_TOKEN permissions used by this action HOT 1
- --build-arg vanishing during build? HOT 1
- Compose build and push to container registry causes crashing of Azure container apps HOT 1
- Node 12 is deprecated, move to node 16 HOT 4
- Invalid clientid or client secret HOT 2
- Can not use the new docker/login version v1.0.1 HOT 19
- Upgrade deprecated node.js from 12 to 16 broke docker-login/v1 HOT 5
- What exactly is an embedded system? What is a microcontroller? What is the difference?
- Login to ACR apparently successful but subsequent dotnet publish fails HOT 2
- Allow login using service credentials dirctly HOT 1
- Multiple login with GCR and ACR HOT 2
- Reporting a vulnerability HOT 1
- Node 16 is deprecated, move to node 20 HOT 3
- Failure to restart docker compose instance / check image and resgistry credintial, inaccessible image HOT 1