Azure Pipelines: Logging in using Workload Identity Federation
In my CI-pipeline I need to log in to azure key vault to check that my code, which handles keys, works correctly.
I have created a Workload Identity, called my_workload_identity, and given it reader-access to the key vault. I am not sure how to use it though.
Things I have tried:
I have found a possible way here:
az login --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID
That seems to get a token back, but when used in a AzureCLI@2
- task: AzureCLI@2
displayName: 'az login'
inputs:
azureSubscription: 'my_workload_identity'
scriptType: bash
scriptLocation: 'inlineScript'
inlineScript: |
az login --debug --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID
addSpnToEnvironment: true
it hangs forever. Later on I found out that it deletes the token by running az account clear anyway.
Then I tried running it in a bash-task:
- bash: |
az login --debug --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID
That also hangs forever and doesn't even seem to get a token back.
What is the correct way to authenticate using Workload Identity Federation in Azure Pipelines?
Edit for clarification:
Using AzureCLI@2 works, but only for the duration of that task. I am looking for a way for all (subsequent) tasks to be able to use the federated identity.
when trying to access the Azure resources from pipelines in Azure DevOps, it is recommended creating and using an Azure Resource Manager service connection (ARM service connection) in Azure DevOps.
To create an ARM service connection with workload identity federation, you can follow the steps below:
In the Azure DevOps project where you pipeline is in, go to "Project Settings" > "Service connections" to create the new ARM service connection.
Select "Azure Resource Manager" > select "Workload Identity federation (manual)" if you have a Service Principal existing. Give a customized name to the service connection to complete Step 1. Click "Next" to open Step 2.
Open Azure Portal on a new tab/window of the browser. go to "Microsoft Entra ID" > "App registrations", find and open the Service Principal. The go to "Certificates & secrets" > "Federated credentials" tab to add a new credential.
Fill in the required information on the new credential.
- Federated credential scenario:
Other issuer - Issuer: Copy from Step 2 on the new service connection window.
- Subject identifier: Copy from Step 2 on the new service connection window.
- Name: A customized name of the new credential.
- Federated credential scenario:
Back to the new service connection window to complete Step 2.
After completing above steps, in the pipelines, you can use this ARM service connection on the AzureCLI@2, AzurePowerShell@5 and other Azure related tasks to connect to Azure.
For more details, you also can reference the documentation "Connect to Azure by using an Azure Resource Manager service connection".
EDIT:
If you want to persist the workload identity federation token from the AzureCLI@2 task and use the same token in the subsequent tasks within the same job, you can set the credential as the pipeline variables in the Azure CLI task.
You can follow the steps below:
Enable the option '
addSpnToEnvironment' (Access service principal details in script) on theAzureCLI@2task.Then use a PowerShell, Bash or CmdLine task to execute the
az logincommand with the credential by referencing the pipeline variables.
steps:
- task: AzureCLI@2
displayName: 'Azure CLI '
inputs:
azureSubscription: ArmServiceConnection
addSpnToEnvironment: true
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOEKN]$idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
- bash: |
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOEKN)
displayName: 'Login Azure'
- Some subsequent tasks . . .
With above configurations, the subsequent tasks can directly use the credential without az login again.
Related documeation:
- Secret Pipeline Parameter in Azure Devops
- Build validation on Azure DevOps branch: YAML in different repository?
- How to Generate .AAB file and Sign Android app Bundle using azure pipeline
- Azure pipeline - run shell script on the remote server
- How to Enable Docker layer caching in Azure DevOps
- Make Azure Keyvault secrets available in entire pipeline
- Notification send when second pipeline run completes
- Variable evaluates fine for displayName but not for condition, why is that?
- Triggering 2nd Azure Pipeline After Successful Run on 1st pipeline
- Unexpected value 'condition'
- mvn release + azure pipeline - deploy
- Azure DevOps - More Than One Build Agent?
- Why don't webjobs do not appear in the portal?
- How to deploy .NET Core 3.1 project to webjob?
- How to securely login in Az CLI from a DevOps Pipeline
- Azure Devops Pipeline - Job Display Name Based on Matrix
- Add dummy agent to agent pool
- Pull and Push Docker Image task to ACR fails in Azure Devops Pipeline "unauthorized: Invalid clientid or client secret."
- How to publish and visualiuse custom KPIs in azure devops with PowerBI?
- Cannot push git tags in Azure Devops pipeline
- Azure DevOps Pipeline to check if artifacts exists from a specific pipeline, if not found then trigger the pipeline
- How to get the github repo name in Azure pipeline
- Azure cli cant connect due to Invalid client secret provided
- .NET 8 in Azure DevOps gives "Error NETSDK1112: The runtime pack for Microsoft.NETCore.App.Runtime.win-x64 was not downloaded"
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Azure PR build won't queue in pipeline
- Azure pipelines conditions with each loop inside the condition
- Unable to publish NuGet packages to a feed in the same organization in Azure DevOps Artifact
- ADO Template Expression condition for Pools using variable groups
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken