Use Azure federated auth to generate storage tokens

2024-05-06 16:23:56 -07:00 · 2024-05-06 16:23:56 -07:00 · 84b7ee8977
--- a/eng/pipelines/templates/steps/vcpkg.yml
+++ b/eng/pipelines/templates/steps/vcpkg.yml
@ -1,13 +1,15 @@
 steps:
  - pwsh: |
      Write-Host "##vso[task.setvariable variable=VCPKG_BINARY_SOURCES_SECRET;issecret=true;]clear;x-azblob,https://cppvcpkgcache.blob.core.windows.net/public-vcpkg-container,,read"
+      Write-Host "##vso[task.setvariable variable=X_VCPKG_ASSET_SOURCES_SECRET;issecret=true;]clear;x-azurl,https://cppvcpkgcache.blob.core.windows.net/public-vcpkg-asset-container/,,read"
    displayName: Set Vcpkg Variables

-  - task: PowerShell@2
-    inputs:
-      pwsh: true
-      targetType: filePath
-      filePath: eng/scripts/Set-VcpkgWriteModeCache.ps1
-      arguments: -StorageAccountKey '$(cpp-vcpkg-cache-storage-key)'
+  - task: AzurePowerShell@5
    displayName: Set Vcpkg Write-mode Cache
    condition: and(succeeded(), eq(variables['System.TeamProject'], 'internal'))
+    inputs:
+      azureSubscription: 'cpp Resource Group'
+      ScriptType: FilePath
+      ScriptPath: eng/scripts/Set-VcpkgWriteModeCache.ps1
+      azurePowerShellVersion: LatestVersion
+      pwsh: true
--- a/eng/scripts/Set-VcpkgWriteModeCache.ps1
+++ b/eng/scripts/Set-VcpkgWriteModeCache.ps1
@ -1,5 +1,6 @@
 param(
-    [string] $StorageAccountKey
+    [string] $StorageAccountName = 'cppvcpkgcache',
+    [string] $ResourceGroupName = 'cpp'
 )


@ -26,16 +27,29 @@ $env:PSModulePath = $modulePaths -join $moduleSeperator

 Install-ModuleIfNotInstalled "Az.Storage" "4.3.0" | Import-Module

+$storageAccountKeys = Get-AzStorageAccountKey `
+    -ResourceGroupName $ResourceGroupName `
+    -Name $StorageAccountName
+
 $ctx = New-AzStorageContext `
-    -StorageAccountName 'cppvcpkgcache' `
-    -StorageAccountKey $StorageAccountKey
+    -StorageAccountKey $storageAccountKeys[0].Value`
+    -StorageAccountName $StorageAccountName
+
 $token = New-AzStorageAccountSASToken `
    -Service Blob `
    -ResourceType Object `
    -Permission "rwc" `
    -Context $ctx `
    -ExpiryTime (Get-Date).AddDays(1)
-$vcpkgBinarySourceSas = $token.Substring(1)
+
+$vcpkgBinarySourceSas = $token
+if ($token.StartsWith('?')) {
+    $vcpkgBinarySourceSas = $token.Substring(1)
+}
+
+Write-Host "Ensure redaction of SAS tokens in logs" 
+Write-Host "##vso[task.setvariable variable=VCPKG_BINARY_SAS_TOKEN;issecret=true;]$vcpkgBinarySourceSas"

 Write-Host "Setting vcpkg binary cache to read and write"
 Write-Host "##vso[task.setvariable variable=VCPKG_BINARY_SOURCES_SECRET;issecret=true;]clear;x-azblob,https://cppvcpkgcache.blob.core.windows.net/public-vcpkg-container,$vcpkgBinarySourceSas,readwrite"
+Write-Host "##vso[task.setvariable variable=X_VCPKG_ASSET_SOURCES_SECRET;issecret=true;]clear;x-azurl,https://cppvcpkgcache.blob.core.windows.net/public-vcpkg-asset-container/,?$vcpkgBinarySourceSas,readwrite"