
APP Registration & APP Permissions

To authenticate from GitLab using an App Registration with federated credentials, which does not require a service account (username/password), you must first create an App Registration that has permissions on the Azure AD objects and resources you want to work with. Use the PostIt link (see the next sections) to request an App Registration and to have the correct permissions set.

App Registration creation

Please open a "Service Request" in PostIt specifying all of the following information for the creation of an "Application Registration", and ask for "Federated credential" as the authentication method:

  • Project Name
  • TDF Billing Account ID
  • Tenant Name
  • Environment type
  • Requester mail
  • Service Principal Name
  • Reply URL
  • Owner(s)
  • IP Address
  • Description (optional)

PostIt URL link

All of the above information is mandatory, except the Description, which is optional but very helpful when we perform Azure AD maintenance.

Get the Permission

Set the Permissions

In order to successfully implement your pipeline using federated credentials, you must add all the Application Permissions that your pipeline needs before requesting admin consent ("Grant Consent").

To add the permissions, open your Application Registration, select "API Permissions" in the left menu and click "Add a permission".

Here is the documentation on which permissions are available and authorised at Thales Digital Factory:

To activate the permissions that you just set in the previous step, you must complete a ticket using this Postit form link.

You need to provide:

  • A cost account ("Select a TDF Account")
  • Project Name
  • Tenant Name
  • Environment type
  • Description, which must list the permissions for which you want admin consent (e.g. Directory.Read.All)
  • Application ID
  • Requested API permission type (Application or Delegated)
  • IP address used by your solution

Pipeline configuration

Manage federated credentials

Once the application is created and the permissions are granted, go to the Azure portal, open "App Registrations" (left menu of Microsoft Entra, formerly "Azure AD") and find your application.

Make a note of the Client ID and Tenant ID shown in the Overview tab. Then go to "Certificates & Secrets" and select "Federated Credentials".


Complete the fields marked with an asterisk. Issuer, Subject and Audiences must be set to the values of your own GitLab instance and project; Entra compares them exactly against the claims of the ID token presented by the pipeline.

Example:

  • Issuer: https://gitlab.example.com
  • Subject: project_path:<mygroup>/<myproject>:ref_type:branch:ref:<branch>
  • Name: gitlab-federated-identity
  • Description: GitLab service account federated identity
  • Audiences: https://gitlab.example.com

Example of pipeline configuration

CI/CD jobs must use the Azure CLI to obtain credentials, exchanging the GitLab ID token for an Azure session with "az login --federated-token":

Example of Azure CLI code (.gitlab-ci.yml):

default:
  image: mcr.microsoft.com/azure-cli:latest

variables:
  # Values noted earlier in the Overview tab of the App Registration
  AZURE_CLIENT_ID: "<ClientId_saved_earlier>"
  AZURE_TENANT_ID: "<TenantId_saved_earlier>"

auth:
  id_tokens:
    GITLAB_OIDC_TOKEN:
      # Must be identical to the "Audiences" value of the federated credential
      aud: https://gitlab.example.com
  script:
    - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
    - az account show
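As an added illustration, not part of this page, of Entra or of GitLab, the following Python shows the claim matching that happens behind "az login --federated-token": the ID token's iss, sub and aud claims are compared with the Issuer, Subject and Audiences of the federated credential. The credential values and the sample claims are constructed to match the example above, the token is unsigned (signature verification is Entra's job, against the issuer's JWKS), and the function and field names are assumptions.

```python
import base64
import json

# Constructed federated credential, matching the Issuer/Subject/Audiences example above.
CRED = {
    "issuer": "https://gitlab.example.com",
    "subject": "project_path:mygroup/myproject:ref_type:branch:ref:main",
    "audiences": ["https://gitlab.example.com"],
}


def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified here:
    Entra verifies it against the issuer's JWKS during `az login --federated-token`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_unb64url(parts[1]))


def token_matches_credential(claims: dict, cred: dict) -> list:
    """Return the names of claims that do not match; an empty list means acceptance."""
    problems = []
    if claims.get("iss") != cred["issuer"]:
        problems.append("iss")
    # sub is compared exactly, so a token minted for another branch or project is rejected.
    if claims.get("sub") != cred["subject"]:
        problems.append("sub")
    aud = claims.get("aud")
    if not any(a in cred["audiences"] for a in (aud if isinstance(aud, list) else [aud])):
        problems.append("aud")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token, used only for this offline demo."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claims shaped like a GitLab CI ID token (only iss, aud and sub are shown).
GOOD = {"iss": "https://gitlab.example.com", "aud": "https://gitlab.example.com",
        "sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"}
OTHER_BRANCH = dict(GOOD, sub="project_path:mygroup/myproject:ref_type:branch:ref:feature-x")

if __name__ == "__main__":
    for name, claims in (("main", GOOD), ("feature-x", OTHER_BRANCH)):
        print(name, token_matches_credential(decode_jwt_claims(make_unsigned_token(claims)), CRED))
```

Because the Subject pins the branch, a job on feature-x fails to log in even though it runs in the same project; widen the credential only if that is intended.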