Remove uses of CLRJIT_AZ_KEY/clrjit_key1 from SPMI #104164
Conversation
ghost
added
the
needs-area-label
JulieLeeMSFT
added
area-CodeGen-coreclr
|
Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch |
|
CC @agocke @jkoritzinsky. |
|
@hoyosjs, we need your code review that removes the Azure Key from SPMI collection. |
|
Can we see a test run of the superpmi-collect pipeline with these changes (and a different JIT-EE guid to avoid overwriting existing collections)? |
| scriptType: 'pscore' | ||
| scriptLocation: 'inlineScript' | ||
| inlineScript: | | ||
| $Env:AZCOPY_AUTO_LOGIN_TYPE="AZCLI" |
There was a problem hiding this comment.
@hoyosjs not sure I understand the question. we don't use azcopy here explicitly, but we use AzureCliCredential provider inside the python script we invoke here.
Perhaps, we can also remove it and use DefaultAzureCredential I didn't test it - is it an issue?
There was a problem hiding this comment.
It's not an issue - but DefaultAzureCredential should be enough. The only caveat BTW is the possibility that DefaultAzureCredential might pick up other ambient identities (MI's and Workload identities) before the Az CLI creds. if you ever hit this, just swap DefaultAzureCredential for AzureCliCredential
There was a problem hiding this comment.
Replaced AzureCliCredential with DefaultAzureCredential
|
Just checked and the perms on the MI sound reasonable on the account and the service connection also looks good. |
I've kicked off two runs:
Since both of them use the key. |
Seem to be working correctly. Do we need to save our current key somewhere or it's fine to just delete it? |
Just make sure we have backup. lets talk offline. |
Instead, we use
azure.identityazure package andAzureCliCredential