英文:
Signing OCI and Docker Images with cosign in GitHub actions using keyvault
问题
我想要使用 [cosign](https://github.com/sigstore/cosign) 来签名我的 Docker 镜像,但不想手动管理每个仓库的私钥,而是想使用 Azure 密钥保管库 (Key Vault)。
在我的本地计算机上,这个操作完全正常:
```bash
cosign sign --key azurekms://<myvault>.vault.azure.net/<key-name> <my-image>
现在我想在 GitHub Actions 中自动化这个过程。我构建了镜像,登录到了注册表,登录到了 Azure(使用 Azure 服务主体以及联合身份验证凭据 OIDC),然后运行 cosign。但是出现了以下错误:
cosign sign --key azurekms://MyKeyVault.vault.azure.net/MyKeyName myimage@digest
Error: public key: public key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/MyKeyName/?api-version=7.1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
main.go:74: error during command execution: public key: public key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/MyKeyName/?api-version=7.1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
登录到 Azure 可以正常工作,我可以无问题地运行 az keyvault key list。但 cosign 却不起作用。有人可以帮忙吗?
这是我的 GitHub Actions 工作流程:
name: Docker-Build
on:
push:
permissions:
id-token: write
contents: read
packages: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v2
- name: Log into registry DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.MY_DOCKERHUB_USER }}
password: ${{ secrets.MY_DOCKERHUB_TOKEN }}
- name: Log in with Azure
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v4
with:
tags: ${{ github.actor }}/myimage:${{ github.ref_name }}
- name: Sign the published Docker image
run: |
# Works
az keyvault key list --id {{ secrets.COSIGN_KEY_STORE }}
# Does not work
cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}
我尝试使用具有机密和 OpenID Connect (OIDC) 的服务主体,以及使用联合身份验证凭据的 Azure 服务主体 - 没有任何区别。
我还更改了范围并使用了 az cli(这可以正常工作)。
我现在没有更多的想法了。
<details>
<summary>英文:</summary>
I want to sign my Docker images with [cosign ](https://github.com/sigstore/cosign) but instead of manually managing my private key for each repo I want to use a keyvault (azure).
This works perfectly on my local pc:
```bash
cosign sign --key azurekms://<myvault>.vault.azure.net/<key-name> <my-image>
Now I want to automate it in GitHub Actions. I build the image, log into the registries, log into azure (using (OIDC) with a Azure service principal using a Federated Identity Credential), and run cosign. And it fails with:
cosign sign --key azurekms://MyKeyVault.vault.azure.net/MyKeyName myimage@digest
Error: public key: public key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/MyKeyName/?api-version=7.1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
main.go:74: error during command execution: public key: public key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/MyKeyName/?api-version=7.1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
The login into azure works and I can run az keyvault key list without a problem. But cosign does not work. Can someone help?
This is my GH Action workflow:
name: Docker-Build
on:
push:
permissions:
id-token: write
contents: read
packages: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v2
- name: Log into registry DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.MY_DOCKERHUB_USER }}
password: ${{ secrets.MY_DOCKERHUB_TOKEN }}
- name: Log in with Azure
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v4
with:
tags: ${{ github.actor }}/myimage:${{ github.ref_name }}
- name: Sign the published Docker image
run: |
# Works
az keyvault key list --id {{ secrets.COSIGN_KEY_STORE }}
# Does not work
cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}
I tried using a service principal with secrets and OpenID Connect (OIDC) with a Azure service principal using a Federated Identity Credential - no differance.
I also changed the scopes and use the az cli (which works)
I'm beyond ideas right now
答案1
得分: 0
从你找到的代码中,有一个未记录的变量,AZURE_AUTH_METHOD=cli,可以设置它来改变身份验证方式,从使用环境变量改为使用CLI:
- name: 对发布的Docker镜像进行签名
env:
AZURE_AUTH_METHOD: cli
run: |
cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}
英文:
From the code you found, there's an undocumented variable, AZURE_AUTH_METHOD=cli, to set that will change the authentication from using environment variables to using the CLI:
- name: Sign the published Docker image
env:
AZURE_AUTH_METHOD: cli
run: |
cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}
Original answer:
Cosign needs the following environment variables defined:
- AZURE_TENANT_ID
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
Reference: https://docs.sigstore.dev/cosign/kms_support/#azure-key-vault
I believe that would look something like:
- name: Sign the published Docker image
env:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
run: |
cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论