  1. Jenkins
  2. JENKINS-54935

Adding a new configuration to the azure-vm-agents-plugin to add VM to AAD security group


      Description

      Adding a new configuration to the azure-vm-agents-plugin that can be modified when a VM is deployed. 

      The new configuration should provide us the ability to add a VM to an Azure Active Directory security group.

      This is necessary because a cloud security group in Azure Active Directory is required to provide a single alias for KV access policies.

        Attachments

          Activity

          tomganor Tom Ganor created issue -
          azure_devops Azure DevOps made changes -
          Field Original Value New Value
          Assignee Azure DevOps [ azure_devops ] Jie Shen [ jieshe ]
          azure_devops Azure DevOps made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          jieshe Jie Shen added a comment -

          Hi Tom Ganor, it seems that this is not an option which could be set during the VM creation. Could you please provide any detailed document about how to set it manually so that I can find out how to enable this for this plugin.

          tomganor Tom Ganor made changes -
          Attachment image-2018-12-04-10-19-54-470.png [ 45351 ]
          tomganor Tom Ganor added a comment - - edited

          Hi Jie Shen, to the best of my knowledge, there are two ways to do this manually:
          1. In the Azure portal you go to Azure Active Directory -> choose an existing security group -> members -> Add members
          (An example is attached)
          2. In Jenkins, in the "VM First Startup Configuration" -> "Initialization Script", it is possible to add a VM to a specific security group in AAD using the following:
             Add-AzureADGroupMember -ObjectId $group_id -RefObjectId $vm.Identity.PrincipalId
          where $group_id specifies the ID of a group in Azure Active Directory, and $vm.Identity.PrincipalId specifies the ID of the Active Directory object that will be assigned as owner/manager/member (VM in our case).
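
The manual step from the comment above, wrapped as an idempotent function; this is an added example, not code from the issue or from the plugin. It assumes the Az.Compute and AzureAD modules with a session already signed in through Connect-AzAccount and Connect-AzureAD; the function name and the resource group, VM and group values are placeholders.

```powershell
# Added example, not part of the original issue thread.
# Assumes: Az.Compute and AzureAD modules installed, and the session already
# authenticated with Connect-AzAccount and Connect-AzureAD.
function Add-VmIdentityToAadGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [string] $GroupId
    )

    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName -ErrorAction Stop

    # A VM without a system-assigned identity has no PrincipalId to add.
    $principalId = $vm.Identity.PrincipalId
    if ([string]::IsNullOrEmpty($principalId)) {
        throw "VM '$VmName' has no system-assigned managed identity."
    }

    # Skip the add when the identity is already a member, so that re-running
    # the script on an existing agent does not fail.
    $members = Get-AzureADGroupMember -ObjectId $GroupId -All $true -ErrorAction Stop
    if ($members.ObjectId -contains $principalId) {
        Write-Verbose "Principal $principalId is already a member of group $GroupId."
        return $false
    }

    # -WhatIf previews the membership change without applying it.
    if ($PSCmdlet.ShouldProcess($GroupId, "Add principal $principalId")) {
        Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $principalId -ErrorAction Stop
        return $true
    }
    return $false
}

# Example call with placeholder values (not real resources).
Add-VmIdentityToAadGroup -ResourceGroupName 'example-rg' -VmName 'example-agent' `
    -GroupId '00000000-0000-0000-0000-000000000000' -Verbose
```

The account that runs this needs permission to change the group's membership, which is a broader right than a build agent normally holds.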

           

          tomganor Tom Ganor made changes -
          jieshe Jie Shen added a comment -

          Hi Tom Ganor, in your case, I think using the Initialization Script should be more reasonable since this plugin focuses on creating a VM and using the VM as a Jenkins agent. Adding the created VM to a security group is out of this scope. I think it is an AAD management operation.

          tomganor Tom Ganor added a comment -

          Hi Jie Shen, thanks for the input. I found an alternative way to solve this problem using User Assigned Managed Identities.

          Therefore, the new configuration that is needed is adding a user assigned identity to a VM (which is possible through the Azure portal).

          Should I open a new ticket for this?

          jieshe Jie Shen added a comment -

          Tom Ganor Adding User Assigned Managed Identities support for this plugin makes sense. So please close this issue and open a new one for that, thanks.

          tomganor Tom Ganor made changes -
          Status In Progress [ 3 ] Open [ 1 ]
          tomganor Tom Ganor added a comment -

          This issue will be replaced with a new one.

          tomganor Tom Ganor made changes -
          Resolution Won't Do [ 10001 ]
          Status Open [ 1 ] Fixed but Unreleased [ 10203 ]
          tomganor Tom Ganor made changes -
          Status Fixed but Unreleased [ 10203 ] Closed [ 6 ]
          ircbot Jenkins IRC Bot made changes -
          Component/s _unsorted [ 19622 ]
          Component/s azure-vm-agents-plugin [ 21950 ]

            People

            Assignee:
            jieshe Jie Shen
            Reporter:
            tomganor Tom Ganor
            Votes:
            0
            Watchers:
            3
