SAS token removal from team/user store (#8246)

JimSuplizio · web-flow · commit ffbb204a5fd8 · 2024-05-10T12:22:26.000-07:00
* SAS token removal from team/user store

* Indent workingDirectory to be inline with the other inputs

* trying AzureCliCredential instead of DefaultAzureCredential

* Use ChainedTokenCredential to exclude ManagedIdentityCredential in pipelines

* Revert the repo/label only gen that was used for testing purposes
diff --git a/eng/pipelines/pipeline-owners-extraction.yml b/eng/pipelines/pipeline-owners-extraction.yml
@@ -21,12 +21,24 @@ stages:
       Project: internal
       DotNetDevOpsFeed: "https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json"
       OutputPath: '$(Agent.BuildDirectory)/pipelineOwners.json'
-      RepoLabelUri: "https://azuresdkartifacts.blob.core.windows.net/azure-sdk-write-teams/repository-labels-blob?$(azuresdkartifacts-azure-sdk-write-teams-sas)"
-      TeamUserUri: "https://azuresdkartifacts.blob.core.windows.net/azure-sdk-write-teams/azure-sdk-write-teams-blob?$(azuresdkartifacts-azure-sdk-write-teams-sas)"
-      UserOrgUri: "https://azuresdkartifacts.blob.core.windows.net/azure-sdk-write-teams/user-org-visibility-blob?$(azuresdkartifacts-azure-sdk-write-teams-sas)"
+      RepoLabelUri: "https://azuresdkartifacts.blob.core.windows.net/azure-sdk-write-teams/repository-labels-blob"
+      TeamUserUri: "https://azuresdkartifacts.blob.core.windows.net/azure-sdk-write-teams/azure-sdk-write-teams-blob"
+      UserOrgUri: "https://azuresdkartifacts.blob.core.windows.net/azure-sdk-write-teams/user-org-visibility-blob"
       RepoListFile: "$(Build.SourcesDirectory)/tools/github/data/repositories.txt"
 
     steps:
+      - task: AzureCLI@2
+        displayName: 'Fetch and store team/user data'
+        inputs:
+          azureSubscription: 'Azure SDK Artifacts'
+          scriptType: pscore
+          scriptLocation: inlineScript
+          inlineScript: |
+            dotnet run -rUri "$(RepoLabelUri)" -tUri "$(TeamUserUri)" -uUri "$(UserOrgUri)" -rlFile "$(RepoListFile)"
+          workingDirectory: tools/github-team-user-store/GitHubTeamUserStore/GitHubTeamUserStore
+        env:
+          GITHUB_TOKEN: $(azuresdkartifacts-azure-sdk-write-teams-github-pat)
+
       - task: DotNetCoreCLI@2
         displayName: 'Install Pipeline Owners Extractor'
         inputs:
@@ -46,9 +58,3 @@ stages:
         artifact: pipelineOwners
         condition: succeededOrFailed()
 
-      - pwsh: |
-          dotnet run -rUri "$(RepoLabelUri)" -tUri "$(TeamUserUri)" -uUri "$(UserOrgUri)" -rlFile "$(RepoListFile)"
-        displayName: 'Fetch and store team/user data'
-        workingDirectory: tools/github-team-user-store/GitHubTeamUserStore/GitHubTeamUserStore
-        env:
-          GITHUB_TOKEN: $(azuresdkartifacts-azure-sdk-write-teams-github-pat)
diff --git a/tools/github-team-user-store/GitHubTeamUserStore/GitHubTeamUserStore/GitHubEventClient.cs b/tools/github-team-user-store/GitHubTeamUserStore/GitHubTeamUserStore/GitHubEventClient.cs
@@ -4,6 +4,7 @@
 using System.Text;
 using System.Threading.Tasks;
 using Azure.Storage.Blobs;
+using Azure.Identity;
 using Octokit;
 using GitHubTeamUserStore.Constants;
 
@@ -158,14 +159,40 @@ public async Task<IReadOnlyList<Team>> GetAllChildTeams(Team team)
         /// <summary>
         /// Upload the data to blob storage. Uses the BlobUriBuilder to get the blob information to created the
         /// Blob clients and upload the data.
+        /// Credentials:
+        /// Instead of using DefaultAzureCredential [1] we use ChainedTokenCredential [2] which works
+        /// as DefaultAzureCredential, but most importantly, it excludes ManagedIdentityCredential.
+        /// We do so because there is an undesired managed identity available when we run this
+        /// code in CI/CD pipelines, which takes priority over the desired AzureCliCredential coming
+        /// from the calling AzureCLI@2 task.
+        /// 
+        /// Running Locally:
+        /// Your user needs to have Storage Blob Data Contributor access. This is done through
+        /// https://ms.portal.azure.com/, selecting the azuresdkartifacts storage account, selecting Access Control (IAM)
+        /// and adding Storage Blob Data Contributor then following the buttons at the bottom to assign this to your user.
+        /// In Visual Studio select Tools-Options and then search for Azure and select Azure Service Authentication and
+        /// authenticate. Once that's done the DefaultAzureCredential will use those creds.
+        /// 
+        /// Running in a pipeline:
+        /// Requires using the AzureCLI or AzurePowerShell task and azure subscription, which was already setup, 
+        /// is 'Azure SDK Artifacts' in both cases the exact line is as follows
+        /// azureSubscription: 'Azure SDK Artifacts'
+        /// The DefaultAzureCredential will use the creds setup in the task
         /// </summary>
         /// <param name="rawJson">The json string, representing the information that will be uploaded to blob storage.</param>
         /// <param name="blobUriBuilder">BlobUriBuilder which contains the blob storage information.</param>
         /// <returns></returns>
-        /// <exception cref="ApplicationException">If there is no AZURE_SDK_TEAM_USER_STORE_SAS in the environment</exception>
         public async Task UploadDataToBlobStorage(string rawJson, BlobUriBuilder blobUriBuilder)
         {
-            BlobServiceClient blobServiceClient = new BlobServiceClient(blobUriBuilder.ToUri());
+            var cred = new ChainedTokenCredential(
+                                new EnvironmentCredential(),
+                                new VisualStudioCredential(),
+                                new AzureCliCredential(),
+                                new AzurePowerShellCredential(),
+                                new InteractiveBrowserCredential()
+                            );
+            BlobServiceClient blobServiceClient = new BlobServiceClient(blobUriBuilder.ToUri(), cred);
+
             BlobContainerClient blobContainerClient = blobServiceClient.GetBlobContainerClient(blobUriBuilder.BlobContainerName);
             BlobClient blobClient = blobContainerClient.GetBlobClient(blobUriBuilder.BlobName);
             await blobClient.UploadAsync(BinaryData.FromString(rawJson), overwrite: true);
diff --git a/tools/github-team-user-store/GitHubTeamUserStore/GitHubTeamUserStore/GitHubTeamUserStore.csproj b/tools/github-team-user-store/GitHubTeamUserStore/GitHubTeamUserStore/GitHubTeamUserStore.csproj
@@ -8,7 +8,8 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Storage.Blobs" Version="12.16.0" />
+    <PackageReference Include="Azure.Identity" Version="1.11.3" />
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.19.1" />
     <PackageReference Include="Octokit" Version="5.0.2" />
     <PackageReference Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
   </ItemGroup>
