Azure Pipelines: Logging in using Workload Identity Federation
In my CI-pipeline I need to log in to azure key vault to check that my code, which handles keys, works correctly.
I have created a Workload Identity, called my_workload_identity, and given it reader-access to the key vault. I am not sure how to use it though.
Things I have tried:
I have found a possible way here:
az login --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID
That seems to get a token back, but when used in a AzureCLI@2
- task: AzureCLI@2
displayName: 'az login'
inputs:
azureSubscription: 'my_workload_identity'
scriptType: bash
scriptLocation: 'inlineScript'
inlineScript: |
az login --debug --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID
addSpnToEnvironment: true
it hangs forever. Later on I found out that it deletes the token by running az account clear anyway.
Then I tried running it in a bash-task:
- bash: |
az login --debug --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID
That also hangs forever and doesn't even seem to get a token back.
What is the correct way to authenticate using Workload Identity Federation in Azure Pipelines?
Edit for clarification:
Using AzureCLI@2 works, but only for the duration of that task. I am looking for a way for all (subsequent) tasks to be able to use the federated identity.
when trying to access the Azure resources from pipelines in Azure DevOps, it is recommended creating and using an Azure Resource Manager service connection (ARM service connection) in Azure DevOps.
To create an ARM service connection with workload identity federation, you can follow the steps below:
In the Azure DevOps project where you pipeline is in, go to "Project Settings" > "Service connections" to create the new ARM service connection.
Select "Azure Resource Manager" > select "Workload Identity federation (manual)" if you have a Service Principal existing. Give a customized name to the service connection to complete Step 1. Click "Next" to open Step 2.
Open Azure Portal on a new tab/window of the browser. go to "Microsoft Entra ID" > "App registrations", find and open the Service Principal. The go to "Certificates & secrets" > "Federated credentials" tab to add a new credential.
Fill in the required information on the new credential.
- Federated credential scenario:
Other issuer - Issuer: Copy from Step 2 on the new service connection window.
- Subject identifier: Copy from Step 2 on the new service connection window.
- Name: A customized name of the new credential.
- Federated credential scenario:
Back to the new service connection window to complete Step 2.
After completing above steps, in the pipelines, you can use this ARM service connection on the AzureCLI@2, AzurePowerShell@5 and other Azure related tasks to connect to Azure.
For more details, you also can reference the documentation "Connect to Azure by using an Azure Resource Manager service connection".
EDIT:
If you want to persist the workload identity federation token from the AzureCLI@2 task and use the same token in the subsequent tasks within the same job, you can set the credential as the pipeline variables in the Azure CLI task.
You can follow the steps below:
Enable the option '
addSpnToEnvironment' (Access service principal details in script) on theAzureCLI@2task.Then use a PowerShell, Bash or CmdLine task to execute the
az logincommand with the credential by referencing the pipeline variables.
steps:
- task: AzureCLI@2
displayName: 'Azure CLI '
inputs:
azureSubscription: ArmServiceConnection
addSpnToEnvironment: true
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOEKN]$idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
- bash: |
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOEKN)
displayName: 'Login Azure'
- Some subsequent tasks . . .
With above configurations, the subsequent tasks can directly use the credential without az login again.
Related documeation:
- Azure Devops - How to pass database connection string as environment variable dynamically (azure cli)
- Azure yaml trigger pipeline every 14 days on a Saturday
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- Updating Node js on internal windows ADO build agent
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- DotNetCLI@2 pack seems to be ignoring configuration inputs
- Build a pipeline in AzureDevOps for Sql Server on prem to run sql scripts
- How to allow an empty string for a runtime parameter?
- No 'Import a pipeline' button in Azure DevOps
- ASP.NET Azure Web App Pipeline: No package found with specified pattern: D:\a\1\s\**\*.zip
- Error when creating a pipeline. "You don’t appear to have an active Azure subscription."
- ADO YAML Pipelines | How to get secret variable from a variable group based on the value of another variable
- Azure Devops - Get release definitions by agent pool ID
- Azure Pipelines using YAML for multiple environments (stages) with different variable values but no YAML duplication
- How to specify which version of nuget.exe to use with self-hosted agent in Azure DevOps?
- Access Azure DevOps Pipeline Artifacts from different organization
- Initiate Azure DevOps Release Pipeline from Logic App and Retrieve Environment Variable Output from the pipeline
- Why is Azure Pipelines installing the wrong .NET SDK version (according to global.json)
- Azure pipeline does't allow to git push throwing 'GenericContribute' permission is needed
- Azure Devops - How to START one stage before parallel stages?
- Dynamically populate DependsOn in Azure DevOps Yaml job
- Issue with AzurePowerShell@5 task: 'The term 'pwsh.exe' is not recognized as the name of a cmdlet, function, script file, or operable program."
- Azure Devops pipeline, git authentication only works with -c http.extraheader
- How to find the associated pipeline in Azure DevOps from a given yaml file?
- Pass variables to the SqlAzureDacpacDeployment@1 task of a SQL Server instance while running an Azure Pipeline
- Error Deploying Apps on K8 on-Prem Cluster using Azure Devops CI/CD pipeline
- Post-Job taking a long time in Azure DevOps Pipelines
- Add PIM role assignment with PowerShell - Access issue
- Add environment to Pipeline stuck in "connecting to server"
- az role assignment delete: The request did not have a subscription or a valid tenant level resource provider