  1. Jenkins
  2. JENKINS-54935

Adding a new configuration to the azure-vm-agents-plugin to add VM to AAD security group


      Description

      Adding a new configuration to the azure-vm-agents-plugin that can be modified when a VM is deployed. 

      The new configuration should provide us the ability to add a VM to an Azure Active Directory security group.

      This is necessary because a cloud security group in Azure Active Directory is required to provide a single alias for KV access policies.

          Activity

          jieshe Jie Shen added a comment -

          Hi Tom Ganor, it seems that this is not an option which could be set during the VM creation. Could you please provide any detailed document about how to set it manually so that I can find out how to enable this for this plugin.

          tomganor Tom Ganor added a comment - - edited

          Hi Jie Shen, to the best of my knowledge, there are two ways to do this manually:
          1. In the Azure portal you go to Azure Active Directory -> choose an existing security group -> members -> Add members
          (An example is attached)
          2. In Jenkins, in the "VM First Startup Configuration" -> "Initialization Script", it is possible to add a VM to a specific security group in AAD using the following:
              Add-AzureADGroupMember -ObjectId $group_id -RefObjectId $vm.Identity.PrincipalId
          where $group_id specifies the ID of a group in Azure Active Directory, and $vm.Identity.PrincipalId specifies the ID of the Active Directory object that will be assigned as owner/manager/member (VM in our case).
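
The initialization-script approach from the comment above, as an added example that is not part of the original thread or the plugin: it adds the VM's system-assigned identity to the group only if it is not already a member. The parameter names are hypothetical, and the script assumes the Az.Compute and AzureAD modules are installed and that Connect-AzAccount and Connect-AzureAD have already been run by an identity allowed to manage the group.

```powershell
# Added example, not the plugin's code. Parameter names are hypothetical.
# Assumes an authenticated Az and AzureAD session (Connect-AzAccount and
# Connect-AzureAD) held by an identity permitted to manage the target group.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,  # resource group of the agent VM
    [Parameter(Mandatory)] [string] $VMName,             # name of the agent VM
    [Parameter(Mandatory)] [string] $GroupId             # object ID of the AAD security group
)

# Fail the script on the first error instead of continuing half-configured.
$ErrorActionPreference = 'Stop'

# Look up the VM and read the principal ID of its system-assigned identity.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$principalId = $vm.Identity.PrincipalId

# A VM without a system-assigned identity has no principal to add.
if ([string]::IsNullOrEmpty($principalId)) {
    throw "VM '$VMName' has no system-assigned managed identity; nothing to add."
}

# Add-AzureADGroupMember fails if the object is already a member, so check
# the current membership first to keep re-runs of the script harmless.
$members = Get-AzureADGroupMember -ObjectId $GroupId -All $true
if ($members.ObjectId -contains $principalId) {
    Write-Output "Principal $principalId is already a member of group $GroupId."
}
else {
    Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $principalId
    Write-Output "Added principal $principalId to group $GroupId."
}
```

Whatever identity runs this needs permission to change the group's membership, which is a directory-level privilege to account for when deciding where the script runs.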

           

          jieshe Jie Shen added a comment -

          Hi Tom Ganor, in your case, I think using the Initialization Script should be more reasonable since this plugin focuses on creating a VM and using the VM as a Jenkins agent. Adding the created VM to a security group is out of this scope. I think it is an AAD management operation.

          tomganor Tom Ganor added a comment -

          Hi Jie Shen, thanks for the input. I found an alternative way to solve this problem using User Assigned Managed Identities.

          Therefore, the new configuration that is needed is adding a user assigned identity to a VM (which is possible through the Azure portal).

          Should I open a new ticket for this?

          jieshe Jie Shen added a comment -

          Tom Ganor Adding User Assigned Managed Identities support for this plugin makes sense. So please close this issue and open a new one for that, thanks.

          tomganor Tom Ganor added a comment -

          This issue will be replaced with a new one.


            People

            • Assignee:
              jieshe Jie Shen
              Reporter:
              tomganor Tom Ganor