Secure workflow strategy for Azure CLI output configuration #356
Merged
Conversation
yonzhan
approved these changes
Oct 23, 2023
evelyn-ys
approved these changes
Oct 23, 2023
dcaro
approved these changes
Oct 23, 2023
dcaro
left a comment
Collaborator
Minor suggestion but LGTM.
| - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by AD App (Service Principal) is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hrs. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details. | ||
|
|
||
| > **Warning** | ||
| > Without redirecting Azure CLI commands’ output, it will be printed to stdout stream and the build log. To prevent this, you may disable Azure CLI commands’ output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables). |
Collaborator
Suggested change
| > Without redirecting Azure CLI commands’ output, it will be printed to stdout stream and the build log. To prevent this, you may disable Azure CLI commands’ output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables). | |
| > By default, Azure CLI commands’ output will be printed to the stdout stream and will be stored in the build logs of the action. You may configure Azure CLI to not print any output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables). |
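Review bot: the replacement line still tells readers to "add argument `--output json` to restore its output" right after saying that stdout is stored in the build logs of the action, without noting that the restored output lands in that same log; suggest completing the sentence with guidance to capture the restored output in a shell variable (and mask it) rather than letting it print, e.g. "you can add argument `--output json` to restore its output; capture that output in a variable instead of printing it to the log." Minor: the new link drops the `en-us` segment from the learn.microsoft.com URL while the unchanged access-token link in the same block keeps it, so the two links in this section now use different URL styles.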
dbradish-microsoft
suggested changes
Oct 23, 2023
| - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by AD App (Service Principal) is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hrs. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details. | ||
|
|
||
| > [!WARNING] | ||
| > By default, Azure CLI commands’ output is printed to the stdout stream. Without redirecting the stdout stream, contents in it will be stored in the build logs of the action. You may configure Azure CLI to not print any output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables). |
Suggested change
| > By default, Azure CLI commands’ output is printed to the stdout stream. Without redirecting the stdout stream, contents in it will be stored in the build logs of the action. You may configure Azure CLI to not print any output by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, you can add argument `--output json` to restore its output. For more information about the configuration settings and output format of Azure CLI, see [CLI configuration values and environment variables](https://learn.microsoft.com/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables). | |
| > By default, the output of Azure CLI commands print to the stdout stream and are stored in the build logs of the action. Configure Azure CLI to _not_ show output in the console screen or print in the log by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, override the default setting using the argument `--output` with your format of choice. For more information on output options with the Azure CLI, see [Format output](https://learn.microsoft.com/en-us/cli/azure/format-output-azure-cli). |
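Review bot: subject-verb agreement in the replacement line: "the output of Azure CLI commands print to the stdout stream and are stored" should read "prints to the stdout stream and is stored", since the subject is "output". The rewrite also swaps the link target from the CLI configuration page to the Format output page, so the sentence about the `AZURE_CORE_OUTPUT` environment variable loses its pointer to where that variable is documented; suggest keeping the configuration link alongside the new Format output link.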
When creating workflows, especially in a public repository, it's crucial to ensure that your build logs don't expose any sensitive data. You should proactively safeguard sensitive information by storing it as a secret, masking any sensitive value in logs and setting the repositories and CI instances to private if they don't need to be public.
Moreover, Azure CLI commands output to both the stdout stream and the build log by default. Azure CLI suggests protecting output information by setting the output to `none`, see https://aka.ms/clisecrets. You may configure Azure CLI to not print any output by setting the environment variable `AZURE_CORE_OUTPUT` to `none` when you invoke Azure CLI commands in your workflow. For example,
For detailed guidance on how to set environment variables in a workflow, refer to the GitHub doc: https://docs.github.com/en/actions/learn-github-actions/variables.
When you need the output of a specific command, you can add argument `--output json` to restore its output. For example,
For more information about the configuration settings and output format of Azure CLI, see CLI configuration values and environment variables.
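As an added example (not code from the PR or from the azure/login project), a workflow job applying both settings the description recommends: `AZURE_CORE_OUTPUT: none` at job level, and `--output json` on the single command whose result is needed, with that result captured in a shell variable and masked instead of echoed. The resource group, storage account, container name and secret names are placeholders, and `jq` is assumed to be present on the runner.

```yaml
# Added example, not from the PR: job-wide AZURE_CORE_OUTPUT=none, with output
# restored only for the one command whose result is needed.
# Placeholder values: my-rg, mystorageacct, uploads, and the three secrets.
name: deploy
on: [push]
permissions:
  id-token: write   # required for OIDC-based azure/login
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # Every Azure CLI step in this job prints nothing to stdout (and so
      # nothing to the build log) unless a command explicitly asks for output.
      AZURE_CORE_OUTPUT: none
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Create resource group (result is not logged)
        run: az group create --name my-rg --location eastus
      - name: Upload a file using a key that never reaches the log
        run: |
          # --output json restores output for this command only. Capture it in
          # a shell variable instead of letting it print, then mask the value so
          # any later accidental echo is redacted by the runner.
          key=$(az storage account keys list \
                  --account-name mystorageacct --resource-group my-rg \
                  --output json | jq -r '.[0].value')
          echo "::add-mask::$key"
          az storage blob upload --account-name mystorageacct --account-key "$key" \
            --container-name uploads --file build/app.zip --name app.zip
```

The `--output json` argument takes precedence over the job-level environment variable for that one command only; every other `az` call in the job stays silent.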