Migrate dn-bot-dnceng-workitems-rw PAT to Managed Identity #6484
Closed
missymessa wants to merge 4 commits into main from
Conversation
DotNet.Status.Web uses this PAT to read/write AzDO work items in the dnceng org. The AzureDevOpsClient already supports MI auth.

Changes:
- settings.json: Remove AccessToken vault reference from AzureDevOps:dnceng
- settings.Production.json: Add ManagedIdentityClientId for dotneteng-status
- settings.Staging.json: Add ManagedIdentityClientId for dotneteng-status-staging
- dotneteng-status-secrets.yaml: Remove dn-bot-dnceng-workitems-rw secret def

The system-assigned MIs have been enrolled in the dnceng AzDO org with Stakeholder entitlement and [internal]\Contributors group membership.
garath reviewed Mar 26, 2026
src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Staging.json
Address review feedback: system-assigned identities should not pass a client ID to ManagedIdentityCredential. Add a UseManagedIdentity boolean to AzureDevOpsClientOptions that enables MI auth. When set without a ManagedIdentityClientId, the client creates ManagedIdentityCredential() (system-assigned). When a client ID is also provided, it creates ManagedIdentityCredential(clientId) (user-assigned).

- Replace ManagedIdentityClientId with UseManagedIdentity: true in settings.Production.json and settings.Staging.json
- Update AzureDevOpsClient constructor to branch on the new flag
- Split bearer auth test into user-assigned and system-assigned cases
- Remove placeholder client IDs from post-deployment tests
Both dn-bot-dnceng-workitems-rw (this PR) and dn-bot-dnceng-build-rw-code-rw-release-rw (PR #6485) are removed.
missymessa (Member, Author)
You're right — this is a duplicate of #6480, which also covers the `UseManagedIdentity` flag changes. Closing in favor of that PR.
DotNet.Status.Web uses `dn-bot-dnceng-workitems-rw` to read/write AzDO work items in the dnceng org. The `AzureDevOpsClient` already supports MI auth via `ManagedIdentityClientId`.

Changes:
- settings.json: Remove `AccessToken` vault reference from `AzureDevOps:dnceng` section
- settings.Production.json: Add `ManagedIdentityClientId` for `dotneteng-status` system-assigned MI (18a50a03-5832-4fc4-9a77-08efb53631c9)
- settings.Staging.json: Add `ManagedIdentityClientId` for `dotneteng-status-staging` system-assigned MI (c6a4f831-a059-48bf-873d-4c9766ff6c26)
- dotneteng-status-secrets.yaml: Remove `dn-bot-dnceng-workitems-rw` secret definition

Infrastructure completed:
- System-assigned MI (`dotneteng-status`) enrolled in dnceng AzDO org with Stakeholder entitlement + `[internal]\Contributors`
- System-assigned MI (`dotneteng-status-staging`) enrolled in dnceng AzDO org with Stakeholder entitlement + `[internal]\Contributors`

How it works:
When `ManagedIdentityClientId` is set and `AccessToken` is empty, `AzureDevOpsClient` creates a `ManagedIdentityCredential` and uses bearer tokens for all AzDO API calls. The base `settings.json` still sets `Organization` and `MaxParallelRequests`; the environment overlays add the MI client ID.

Rollback:
If issues arise, re-add `"AccessToken": "[vault(dn-bot-dnceng-workitems-rw)]"` to the `AzureDevOps:dnceng` section in `settings.json` and re-add the secret definition to the vault manifest.

Resolves AB#10113
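As an added illustration of the credential selection described in the "Address review feedback" commit and in the "How it works" section above (example code written for this page, not DotNet.Status.Web's own `AzureDevOpsClient`): the shape of `AzureDevOpsClientOptions`, the `AzureDevOpsAuth` helper and the Azure DevOps resource ID used as the token scope are assumptions, not taken from the PR.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Assumed shape of the options bound from the AzureDevOps:dnceng section (not the project's type).
public sealed class AzureDevOpsClientOptions
{
    public string? AccessToken { get; set; }             // legacy PAT; empty after this change
    public bool UseManagedIdentity { get; set; }         // flag introduced in the review round
    public string? ManagedIdentityClientId { get; set; } // only for user-assigned identities
}

public static class AzureDevOpsAuth
{
    // Entra resource ID of Azure DevOps (assumption); this scope yields a bearer token AzDO accepts.
    private const string AzDoScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    // Returns null when a PAT is configured; otherwise a credential the client should keep for
    // its lifetime so Azure.Identity's token cache is shared across requests.
    public static TokenCredential? CreateCredential(AzureDevOpsClientOptions o)
    {
        if (!string.IsNullOrEmpty(o.AccessToken))
            return null;
        if (!o.UseManagedIdentity)
            throw new InvalidOperationException("Neither AccessToken nor UseManagedIdentity is configured.");
        // System-assigned: parameterless constructor. Supplying a client ID for a
        // system-assigned identity is the mistake the review caught.
        return string.IsNullOrEmpty(o.ManagedIdentityClientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(o.ManagedIdentityClientId);
    }

    // Attaches either Basic (PAT) or Bearer (MI) auth to an outgoing AzDO request.
    public static async Task AuthorizeAsync(HttpRequestMessage req, AzureDevOpsClientOptions o,
        TokenCredential? cred, CancellationToken ct)
    {
        if (cred is null)
        {
            string basic = Convert.ToBase64String(Encoding.ASCII.GetBytes(":" + o.AccessToken));
            req.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
            return;
        }
        AccessToken token = await cred.GetTokenAsync(new TokenRequestContext(new[] { AzDoScope }), ct);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
    }
}
```

With the staging and production overlays setting `UseManagedIdentity: true` and no client ID, `CreateCredential` takes the system-assigned branch; the rollback configuration from the PR body (re-adding the vault-backed `AccessToken`) makes it return null and the PAT path is used again.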