[JENKINS-54935] Adding a new configuration to the azure-vm-agents-plugin to add VM to AAD security group

      Adding a new configuration to the azure-vm-agents-plugin that can be modified when a VM is deployed. 

      The new configuration should provide us the ability to add a VM to an Azure Active Directory security group.

      This is necessary because a cloud security group in Azure Active Directory is required to provide a single alias for KV access policies.


          Jie Shen added a comment -

          Hi tomganor, it seems that this is not an option which could be set during the VM creation. Could you please provide any detailed documentation about how to set it manually so that I can find out how to enable this for this plugin.

          Tom Ganor added a comment - edited

          Hi jieshe, to the best of my knowledge, there are two ways to do this manually:

          1. In the Azure portal you go to Azure Active Directory -> choose an existing security group -> Members -> Add members
             (An example is attached)

          2. In Jenkins, in the "VM First Startup Configuration" -> "Initialization Script", it is possible to add a VM to a specific security group in AAD using the following:

                 Add-AzureADGroupMember -ObjectId $group_id -RefObjectId $vm.Identity.PrincipalId

             where $group_id specifies the ID of a group in Azure Active Directory, and $vm.Identity.PrincipalId specifies the ID of the Active Directory object that will be assigned as owner/manager/member (the VM in our case).
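          An expanded form of the Initialization Script approach from the comment above, added here as an example (not code from the thread or from the azure-vm-agents plugin). It assumes the Az.Compute and AzureAD PowerShell modules are installed and already authenticated (Connect-AzAccount / Connect-AzureAD) with rights to read the VM and change group membership; the resource group, VM name and group object id are placeholder parameters.

```powershell
# Added example: add a VM's system-assigned managed identity to an AAD security group.
# Assumes an authenticated Az / AzureAD session; all names below are placeholders.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $VmName,
    [Parameter(Mandatory)] [string] $GroupId      # object id of the AAD security group
)

$ErrorActionPreference = 'Stop'

# Resolve the VM and check that it actually has a system-assigned identity;
# without one there is no service principal object to add to the group.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
$principalId = $vm.Identity.PrincipalId
if (-not $principalId) {
    throw "VM '$VmName' has no system-assigned managed identity; enable it before adding it to a group."
}

# Check that the target is a security-enabled group: Key Vault access policies
# (the reason given in the issue) are granted to security groups, not distribution lists.
$group = Get-AzureADGroup -ObjectId $GroupId
if (-not $group.SecurityEnabled) {
    throw "Group '$($group.DisplayName)' is not security-enabled."
}

# Idempotent add: an initialization script may run on every deployment,
# so skip the call when the identity is already a member.
$alreadyMember = Get-AzureADGroupMember -ObjectId $GroupId -All $true |
    Where-Object { $_.ObjectId -eq $principalId }

if ($alreadyMember) {
    Write-Output "Identity $principalId is already a member of '$($group.DisplayName)'."
} else {
    Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $principalId
    Write-Output "Added identity $principalId to '$($group.DisplayName)'."
}
```

          Whatever principal runs this script needs only group-membership write rights on that one group (for example as group owner), which is far narrower than a directory-wide role.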

          Jie Shen added a comment -

          Hi tomganor, in your case, I think using the Initialization Script should be more reasonable since this plugin focuses on creating a VM and using the VM as a Jenkins agent. Adding the created VM to a security group is out of this scope. I think it is an AAD management operation.

          Tom Ganor added a comment -

          Hi jieshe, thanks for the input. I found an alternative way to solve this problem using User Assigned Managed Identities.

          Therefore, the new configuration that is needed is adding a user assigned identity to a VM (which is possible through the azure portal).

          Should I open a new ticket for this?


          Jie Shen added a comment -

          tomganor Adding User Assigned Managed Identities support for this plugin makes sense. So please close this issue and open a new one for that, thanks.


          Tom Ganor added a comment -

          This issue will be replaced with a new one.
