
Migrate dn-bot-dnceng-workitems-rw to Managed Identity (WI 10135)#6480

Open
missymessa wants to merge 6 commits into main from migrate-dn-bot-dnceng-workitems-rw-to-mi

Conversation

@missymessa (Member)

Summary

Migrate the dn-bot-dnceng-workitems-rw PAT (work_write scope, dnceng org) to Managed Identity in DotNet.Status.Web. The AzureDevOpsClient shared library already supports MI auth via ManagedIdentityClientId — this is a config-only change.

Changes (4 files)

  • settings.json: Remove [vault(dn-bot-dnceng-workitems-rw)] from the AzureDevOps:dnceng section
  • settings.Production.json: Add AzureDevOps:dnceng:ManagedIdentityClientId → d2580e46-e758-4778-a864-18f909438b45
  • settings.Staging.json: Add AzureDevOps:dnceng:ManagedIdentityClientId → e9d81917-4c98-44cc-8a6e-601311ac3c07
  • dotneteng-status-secrets.yaml: Remove the dn-bot-dnceng-workitems-rw vault entry

How it works

The AzureDevOpsClient constructor (in src/Telemetry/AzureDevOpsClient/) already has MI support:

  1. If AccessToken is set → PAT Basic auth (existing behavior)
  2. If ManagedIdentityClientId is set → ManagedIdentityCredential bearer token for 499b84ac-.../default

By removing the vault reference and adding per-env MI client IDs, the client will automatically use MI auth in staging/production.

Related: AB#10135

missymessa and others added 4 commits March 18, 2026 09:07
The AzureDevOpsClient shared library already supports MI auth via
ManagedIdentityClientId. This change is config-only:

- settings.json: Remove [vault(dn-bot-dnceng-workitems-rw)] from AzureDevOps:dnceng
- settings.Production.json: Add AzureDevOps:dnceng:ManagedIdentityClientId (d2580e46-...)
- settings.Staging.json: Add AzureDevOps:dnceng:ManagedIdentityClientId (e9d81917-...)
- dotneteng-status-secrets.yaml: Remove dn-bot-dnceng-workitems-rw vault entry

The AzureDevOpsClient constructor already:
1. Prefers AccessToken (PAT) if present
2. Falls back to ManagedIdentityCredential if ManagedIdentityClientId is set
3. Uses the AzDO resource scope (499b84ac-.../default) for bearer tokens

1. Remove leftover comment from dotneteng-status-secrets.yaml (garath)
2. Replace wrong helix-cluster MI client IDs with UseManagedIdentity flag
   - Production and Staging settings now use 'UseManagedIdentity: true'
   - System-assigned MIs don't need a client ID (garath)
3. Add UseManagedIdentity bool to AzureDevOpsClientOptions
   - When true without ManagedIdentityClientId: system-assigned MI
   - When true with ManagedIdentityClientId: user-assigned MI
4. Split bearer auth test into user-assigned and system-assigned cases
5. Remove placeholder client IDs from post-deployment tests
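The credential selection that the PR description and the later commits describe (PAT wins if present; otherwise UseManagedIdentity picks a user-assigned MI when ManagedIdentityClientId is set and a system-assigned MI when it is not), as an added example rather than code from DotNet.Status.Web or the AzureDevOpsClient library. The AzureDevOpsClientOptions shape, the AzdoAuth helper and its method names are this example's own; the Azure.Identity package is assumed; and the full Azure DevOps scope id is the well-known value from Microsoft's documentation, which the PR text abbreviates. The example goes one step beyond the PR by failing fast on a client id set without the UseManagedIdentity flag, so a half-migrated settings file is caught at startup instead of running with no credential.

```csharp
// Added example, not DotNet.Status.Web / AzureDevOpsClient code.
// Assumes the Azure.Identity package (ManagedIdentityCredential, TokenRequestContext).
using System;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Option shape modelled on the PR: PAT, or MI (system- or user-assigned).
public sealed class AzureDevOpsClientOptions
{
    public string? AccessToken { get; set; }             // PAT; the legacy path
    public bool UseManagedIdentity { get; set; }         // added by the PR's later commit
    public string? ManagedIdentityClientId { get; set; } // user-assigned MI only
}

public enum AzdoAuthMode { Pat, UserAssignedMi, SystemAssignedMi }

public static class AzdoAuth
{
    // Azure DevOps resource scope. The PR text elides the middle of the id; this is the
    // well-known value from Microsoft's Azure DevOps documentation, not taken from the PR.
    public const string AzureDevOpsScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    // Precedence as stated in the PR: a configured PAT wins; otherwise UseManagedIdentity
    // selects user-assigned (client id present) or system-assigned (no client id) MI.
    // Rejecting a client id without the flag is this example's own choice (assumption).
    public static AzdoAuthMode SelectMode(AzureDevOpsClientOptions o)
    {
        if (!string.IsNullOrEmpty(o.AccessToken))
            return AzdoAuthMode.Pat;
        if (o.UseManagedIdentity)
            return string.IsNullOrEmpty(o.ManagedIdentityClientId)
                ? AzdoAuthMode.SystemAssignedMi
                : AzdoAuthMode.UserAssignedMi;
        if (!string.IsNullOrEmpty(o.ManagedIdentityClientId))
            throw new InvalidOperationException(
                "ManagedIdentityClientId is set but UseManagedIdentity is false; set the flag or remove the id.");
        throw new InvalidOperationException(
            "No Azure DevOps credential configured: set AccessToken, or UseManagedIdentity (optionally with ManagedIdentityClientId).");
    }

    // System-assigned MI needs no client id; user-assigned MI must name which identity to use.
    public static TokenCredential CreateCredential(AzureDevOpsClientOptions o) =>
        SelectMode(o) switch
        {
            AzdoAuthMode.UserAssignedMi => new ManagedIdentityCredential(o.ManagedIdentityClientId),
            AzdoAuthMode.SystemAssignedMi => new ManagedIdentityCredential(),
            _ => throw new InvalidOperationException("PAT auth does not use a TokenCredential."),
        };

    // Builds the Authorization header the way the PR describes: Basic for a PAT, Bearer for MI.
    public static async Task<AuthenticationHeaderValue> CreateAuthorizationHeaderAsync(
        AzureDevOpsClientOptions o, CancellationToken ct = default)
    {
        if (SelectMode(o) == AzdoAuthMode.Pat)
        {
            // Azure DevOps PAT basic auth: empty user name, the PAT as the password.
            string basic = Convert.ToBase64String(Encoding.ASCII.GetBytes(":" + o.AccessToken));
            return new AuthenticationHeaderValue("Basic", basic);
        }

        // Token acquisition only succeeds on Azure compute that has the identity assigned.
        AccessToken token = await CreateCredential(o)
            .GetTokenAsync(new TokenRequestContext(new[] { AzureDevOpsScope }), ct);
        return new AuthenticationHeaderValue("Bearer", token.Token);
    }

    public static void Main()
    {
        // Constructed settings mirroring the PR: the legacy PAT, the Staging user-assigned MI,
        // and the later helix-cluster fix that relies on a system-assigned MI.
        var pat = new AzureDevOpsClientOptions { AccessToken = "<pat-from-vault>" };
        var userAssigned = new AzureDevOpsClientOptions
        {
            UseManagedIdentity = true,
            ManagedIdentityClientId = "e9d81917-4c98-44cc-8a6e-601311ac3c07",
        };
        var systemAssigned = new AzureDevOpsClientOptions { UseManagedIdentity = true };
        var halfMigrated = new AzureDevOpsClientOptions
        {
            ManagedIdentityClientId = "e9d81917-4c98-44cc-8a6e-601311ac3c07",
        };

        Console.WriteLine(SelectMode(pat));
        Console.WriteLine(SelectMode(userAssigned));
        Console.WriteLine(SelectMode(systemAssigned));
        try { SelectMode(halfMigrated); }
        catch (InvalidOperationException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

One caveat worth checking before removing the vault entry: a PAT carries its own scope (work_write here), whereas an Entra token issued to a managed identity carries no PAT-style scope at all, so what the service can do is governed entirely by the permissions the identity's service principal holds in the dnceng organization. The migration is only complete once that principal has been added to the org with work-item write rights; until then the MI path authenticates but the work-item call is refused.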