From ff18e349c20fa757dbb994b898469ff0a8259fab Mon Sep 17 00:00:00 2001 From: Missy Messa Date: Mon, 30 Mar 2026 20:05:56 -0700 Subject: [PATCH 1/2] PAT Migration: dn-bot-dnceng-build-r-code-r-project-r-profile-r (dotneteng-status) AB#10136 Migrate the build-monitor/dnceng PAT to dotneteng-status-identity Managed Identity for Entra bearer-token authentication. Changes: - settings.json: Remove AccessToken vault reference from build-monitor/dnceng - settings.Staging.json: Add ManagedIdentityClientId for build-monitor/dnceng - settings.Production.json: Add ManagedIdentityClientId for build-monitor/dnceng - dotneteng-status-secrets.yaml: Deprecate dn-bot-dnceng-build-r-code-r-project-r-profile-r Infrastructure (out-of-repo): - Created dotneteng-status-identity MI in monitoring RG (both subscriptions) - Assigned MI to dotneteng-status / dotneteng-status-staging App Services - Added both MIs as service principals in dnceng AzDO org - Granted [internal] Readers access to both prod and staging MIs --- .vault-config/shared/dotneteng-status-secrets.yaml | 13 +++++-------- .../.config/settings.Production.json | 5 +++++ .../DotNet.Status.Web/.config/settings.Staging.json | 5 +++++ .../DotNet.Status.Web/.config/settings.json | 1 - 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/.vault-config/shared/dotneteng-status-secrets.yaml b/.vault-config/shared/dotneteng-status-secrets.yaml index 9364de9db..0ae267aab 100644 --- a/.vault-config/shared/dotneteng-status-secrets.yaml +++ b/.vault-config/shared/dotneteng-status-secrets.yaml 
@@ -25,13 +25,10 @@ dn-bot-dnceng-workitems-rw: name: dn-bot-account-redmond location: helixkv +# DEPRECATED (AB#10136): Migrated to dotneteng-status-identity Managed Identity. +# Remove this entry and the corresponding Key Vault secrets after validating +# the MI works in production. dn-bot-dnceng-build-r-code-r-project-r-profile-r: - type: azure-devops-access-token + type: text parameters: - organizations: dnceng - scopes: build code project profile - requiredScopes: Build (Read) Code (Read) Project (Read) Profile (Read) - domainAccountName: dn-bot - domainAccountSecret: - name: dn-bot-account-redmond - location: helixkv + description: "DEPRECATED - Migrated to Managed Identity (dotneteng-status-identity). Pending cleanup." diff --git a/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Production.json b/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Production.json index 8b35eb893..8b31a31e1 100644 --- a/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Production.json +++ b/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Production.json @@ -29,5 +29,10 @@ "KustoIngestionUri": "https://ingest-engsrvprod.westus.kusto.windows.net", "ManagedIdentityId": "d2580e46-e758-4778-a864-18f909438b45", "UseAzCliAuthentication": false + }, + "AzureDevOps": { + "build-monitor/dnceng": { + "ManagedIdentityClientId": "b73bcdd4-aba9-40a7-af0c-f95b8eb5ab62" + } } } diff --git a/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Staging.json b/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Staging.json index 73234bbb2..8697d9c1c 100644 --- a/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Staging.json +++ b/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.Staging.json 
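Review bot: Retiring the manifest entry does not retire the credential: the PAT behind dn-bot-dnceng-build-r-code-r-project-r-profile-r stays valid in the dnceng AzDO org and in Key Vault until it is revoked and the vault secret deleted, and neither step is recorded here beyond the "Pending cleanup" wording in the added description. The added comment should name the concrete follow-up so it survives the later deletion of the entry, e.g. `# Cleanup (AB#10136): revoke the dn-bot PAT in the dnceng AzDO org and delete the Key Vault secret once the MI is validated in production.`. Note that `dn-bot-account-redmond` in helixkv is still referenced by dn-bot-dnceng-workitems-rw just above this hunk, so only the PAT-specific material should be removed, not the shared account secret. The MI client ids committed in settings.*.json are identifiers rather than secrets, but the Readers access granted to the MIs (per the commit message) is a standing grant whose scope should be checked against the Build/Code/Project/Profile (Read) scopes the PAT carried.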
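Review bot: The new `ManagedIdentityClientId` key is only effective if the options type bound to `AzureDevOps:build-monitor/dnceng` already exposes such a property; this series changes no C# code, so if the binding is absent the key is silently ignored and, with `AccessToken` removed from settings.json, the client would presumably call AzDO with no credential and fail only at runtime. Please confirm the binding exists, and consider a startup check that rejects a `build-monitor/dnceng` section that has neither `AccessToken` nor `ManagedIdentityClientId`, so misconfiguration is a deployment error rather than a stream of 401s. The identical hunk in settings.Staging.json has the same concern. Minor: the Kusto block a few lines up spells its equivalent setting `ManagedIdentityId`; if both denote a client id, aligning the names or documenting the difference avoids confusion for whoever copies this pattern next.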
@@ -30,5 +30,10 @@ "KustoIngestionUri": "https://ingest-engdata.westus2.kusto.windows.net", "ManagedIdentityId": "e9d81917-4c98-44cc-8a6e-601311ac3c07", "UseAzCliAuthentication": false + }, + "AzureDevOps": { + "build-monitor/dnceng": { + "ManagedIdentityClientId": "8cd89985-08e4-4baa-86f1-76ee58b6b393" + } } } diff --git a/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.json b/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.json index 62f7fafa9..ac7107f3e 100644 --- a/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.json +++ b/src/DotNet.Status.Web/DotNet.Status.Web/.config/settings.json @@ -20,7 +20,6 @@ "AzureDevOps": { "build-monitor/dnceng": { "Organization": "dnceng", - "AccessToken": "[vault(dn-bot-dnceng-build-r-code-r-project-r-profile-r)]", "MaxParallelRequests": 10 }, "dnceng": { From 1fe58e58a767208295577990a7529cfe6cfc4174 Mon Sep 17 00:00:00 2001 From: Missy Messa Date: Thu, 2 Apr 2026 15:44:58 -0700 Subject: [PATCH 2/2] Remove deprecated PAT entry from secret manifest Fully delete the dn-bot-dnceng-build-r-code-r-project-r-profile-r entry instead of deprecating it to type:text, per secret-manager tooling rules. --- .vault-config/shared/dotneteng-status-secrets.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.vault-config/shared/dotneteng-status-secrets.yaml b/.vault-config/shared/dotneteng-status-secrets.yaml index 90485201a..d4744de03 100644 --- a/.vault-config/shared/dotneteng-status-secrets.yaml +++ b/.vault-config/shared/dotneteng-status-secrets.yaml @@ -14,8 +14,3 @@ app-insights-connection-string: type: text parameters: description: The connection string for application insights. Go to the Azure resource for application insights -> Configure -> Properties -> Get the connection string - -dn-bot-dnceng-build-r-code-r-project-r-profile-r: - type: text - parameters: - description: "DEPRECATED - Migrated to Managed Identity (dotneteng-status-identity). Pending cleanup."
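Review bot: After this removal the base `build-monitor/dnceng` section carries no credential at all, and only the Production and Staging overlays add a `ManagedIdentityClientId`; any environment that runs on settings.json alone (local development, a test host) is left with an unauthenticated AzDO client, presumably surfacing as authorization failures rather than a clear configuration error. If local runs are expected, the intended local credential path should be made explicit — the file already has a `UseAzCliAuthentication` toggle for Kusto, so a comparable developer fallback or an explicit options validation for this section would make the intent visible. The enclosing AzureDevOps object continues past the hunk with a `dnceng` entry that is not shown here, so whether that entry still relies on a vault-referenced token cannot be judged from this diff.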