When running Selenium-based Java automation tests, we often rely on external storage platforms, such as Azure Blob Storage, to manage test data or artifacts.
Using traditional access keys or credentials embedded in your application is risky and can lead to security vulnerabilities. A secure and scalable approach is to authenticate with Azure Blob Storage via Managed Identity, especially when automating tests locally or through CI/CD pipelines like GitHub Actions.
Getting Familiar with Azure Blob Storage
Azure Blob Storage is Microsoft’s cloud-based solution designed for storing massive amounts of unstructured data such as images, documents, backups, or log files. It provides convenient methods for uploading, downloading, and managing data through HTTP/HTTPS protocols, SDKs, and REST APIs.
Common access methods include using Shared Access Signatures (SAS tokens), access keys, or Azure Active Directory authentication. Among these, Azure Active Directory managed identities stand out due to their enhanced security features.
Exploring Managed Identity in Azure
Managed Identity is a unique Azure Active Directory feature that authenticates applications running on Azure resources. With Managed Identity, services such as web apps and virtual machines securely access other Azure resources like Azure Blob Storage without storing sensitive credentials or keys explicitly in the application code.
Implementing a managed identity ensures that credentials are derived at runtime automatically by Azure’s infrastructure. This greatly reduces the risk of credential theft or misuse.
Key Advantages:
- Eliminates sensitive information or credentials stored in code or configuration files.
- Simplifies authentication and authorization processes.
- Reduces manual rotation and management of keys and secrets.
Setting Up Managed Identity for Your Selenium Java Automation
To start, head over to the Azure Portal and navigate to your application resource (e.g., Azure App Service or Azure VM). Open the Identity blade and enable the system-assigned managed identity toggle. Azure automatically generates an identity tied specifically to your resource.
Next, you must assign this identity permissions to access your Blob Storage containers. In the Azure Blob Storage service, go to the Access Control (IAM) section and assign the appropriate “Storage Blob Data Contributor” or “Storage Blob Data Reader” role to your newly created managed identity.
Local Automation Run—Azure Authentication via Managed Identity
Azure provides convenient SDK libraries (like the Azure SDK for Java) that include built-in Managed Identity credential support. Update your Selenium Java Automation code to use credentials from the managed identity provided by your environment as follows:
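```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.blob.BlobClient;
import com.azure.storage.blob.BlobContainerClient;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;

// Replace <your-storage-account> with the name of your storage account.
BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
    .endpoint("https://<your-storage-account>.blob.core.windows.net")
    .credential(new DefaultAzureCredentialBuilder().build()) // no keys or secrets in code
    .buildClient();
BlobContainerClient containerClient = blobServiceClient.getBlobContainerClient("automation-testdata");
BlobClient blobClient = containerClient.getBlobClient("test-data-file.json");
blobClient.downloadToFile("downloaded-test-data.json");
```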
In local runs there is no managed identity to use, so DefaultAzureCredential falls back to your local Azure login session, Azure CLI authentication, or environment variables configured beforehand. Before running tests locally, verify your Azure CLI is logged in by executing:
```
az login
```
If you haven’t yet installed Azure CLI locally, you can refer to Microsoft’s Azure CLI Installation Guide.
Using Managed Identity in GitHub Actions Pipelines
GitHub Actions workflows run inside randomly assigned virtual machines managed by GitHub. Because these virtual environments do not support Azure’s Managed Identity feature directly, additional steps are required.
The main challenge is ensuring the Azure-managed identity can authenticate without storing sensitive keys or secrets in your GitHub repository. A practical solution is using OpenID Connect (OIDC) federation to allow GitHub Actions workflows to access Azure resources securely and dynamically.
You can configure Azure AD to trust GitHub Actions through federated identity directly:
- Create an Azure AD application registration with federated credentials pointing to your GitHub repository and workflows.
- Add this application to the IAM roles on your Azure Blob Storage account.
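The two setup steps above, together with the role assignment described earlier for a managed identity, expressed as Azure CLI calls (an added example, not part of the original post). The function names are made up for this example, every org, repo, branch, ID and resource name is a placeholder you supply, and it assumes a service principal already exists for the app registration.

```bash
#!/usr/bin/env bash
# Added example: every org, repo, ID and resource name is a caller-supplied placeholder.

# Body for the federated credential. The subject names one repo and one
# branch; a workflow triggered by pull_request presents a different subject
# (repo:<org>/<repo>:pull_request) and will not match this entry.
# $1 = GitHub org, $2 = repo, $3 = branch (no slashes, it is reused in the name)
federated_credential_json() {
  cat <<EOF
{
  "name": "gha-$2-$3",
  "issuer": "https://token.actions.githubusercontent.com",
  "subject": "repo:$1/$2:ref:refs/heads/$3",
  "audiences": ["api://AzureADTokenExchange"]
}
EOF
}

# Role-assignment scope limited to a single container rather than the account.
# $1 = subscription ID, $2 = resource group, $3 = storage account, $4 = container
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' "$1" "$2" "$3" "$4"
}

# Create the federated credential, then grant read-only data access.
# $1 = application (client) ID, $2-$4 = org/repo/branch, $5-$8 = scope parts
apply_trust() {
  az ad app federated-credential create --id "$1" \
    --parameters "$(federated_credential_json "$2" "$3" "$4")"
  az role assignment create --assignee "$1" \
    --role "Storage Blob Data Reader" \
    --scope "$(container_scope "$5" "$6" "$7" "$8")"
}

# Usage (not run here):
#   apply_trust <client-id> <org> <repo> main <sub-id> <rg> <account> automation-testdata
```

"Storage Blob Data Reader" is enough for tests that only download data; use "Storage Blob Data Contributor" only if the tests also upload artifacts.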
Configure your GitHub Actions workflow YAML like this:
```yaml
jobs:
  run-tests:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request the OIDC token that azure/login exchanges
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          java-version: '11'
          distribution: 'temurin'
      - name: Run Selenium Java Automation Tests
        run: |
          ./gradlew test
```
With this setup, your randomly assigned GitHub Actions instances securely authenticate with Azure Blob Storage without explicit credentials, thanks to GitHub Actions’ OIDC support.
After configuring your workflow, Selenium Java Automation scripts using DefaultAzureCredentialBuilder() will automatically pick up the credentials available in the environment, whether a local login or the session established by azure/login on GitHub-hosted runners.
Validating Automation Run in GitHub Actions Pipeline
Running tests on dynamically provisioned runners in GitHub Actions makes it essential to verify your infrastructure’s connectivity. Ensure that your Selenium automation script communicates successfully with Azure Blob Storage.
Consider adding assertions or logs to check the accessibility of the blob files:
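```java
// blobClient is the BlobClient built in the earlier snippet.
if (blobClient.exists()) {
    blobClient.downloadToFile("downloaded-file.json");
    System.out.println("File downloaded successfully.");
} else {
    // Fail the run early so a missing fixture is not mistaken for a test failure.
    throw new RuntimeException("Blob file does not exist.");
}
```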
The snippet above shows a basic pattern for verifying accessibility during automation runs.
Best Practices & Tips
When using Managed Identity with Azure Blob Storage, consider these points:
- Security: Limit permissions assigned to your managed identities—principle of least privilege.
- Auditing: Regularly review your identity assignments and usage logs within Azure Monitor.
- Performance: Use efficient retrieval and caching techniques locally. Minimize unnecessary downloads in automation scripts.
Where Do We Go from Here?
Azure Managed Identity significantly simplifies security aspects in Selenium Java Automation tests, specifically when integrating cloud storage such as Azure Blob Storage. It secures your automation environment, both locally and within GitHub Actions CI/CD pipelines.
As more infrastructure moves securely into cloud platforms like Azure and CI/CD workflows like GitHub Actions, this Managed Identity approach can become a standard security practice, enhancing robust automation testing.
Have you tried integrating Managed Identity with your Azure-backed Selenium automation? Share your insights or challenges in the comments below!