azure-devops azure-pipelines cicd

How to increase the client assertion time range when deploying Azure Bicep files from a DevOps pipeline?


I have a big script which launches several Bicep files to set up my application infrastructure. I am running it in a DevOps pipeline.

My problem is that after 10 min, I get this error while my script is launching a new Bicep file:

Client assertion is not within its valid time range. Current time: 2024-05-09T12:53:26.4180283Z, assertion valid from 2024-05-09T12:37:55.0000000Z, expiry time of assertion 2024-05-09T12:47:54.0000000Z

This script is executed using a pipeline:

    trigger:
      - develop

    pool:
      vmImage: "windows-latest"
    variables:
      BuildNumber: $(Build.BuildNumber)

    steps:
      - task: AzureCLI@2
        displayName: "Deploy App Environment"
        inputs:
          azureSubscription: "Dev-AzureSubscription"
          scriptType: "ps"
          scriptLocation: scriptPath
          scriptPath: $(Build.SourcesDirectory)/mainBuildScirpt.ps1
          workingDirectory: $(Build.SourcesDirectory)

Dev-AzureSubscription has been using a federated token to connect to Azure via an Azure Application.

I have no idea how and where I can increase or at least control this 10 min timeout configuration for this connection.

Does anyone have any ideas?


Solution

  • I found the problem: my security team changed the token max time from 24h to 15 min, so my script was too long.

    I tried many ways to refresh the token inside the Azure CLI but didn't succeed. The only way that I found was to split my script into smaller scripts so that the last Bicep call from each script came less than 15 min after the beginning.

    trigger:
      - develop
    
    parameters:
    - name: AzureConnectedService
      type: string
      default: 'Dev-AzureSubscription'
    
    pool:
      vmImage: "windows-latest"
    variables:
      BuildNumber: $(Build.BuildNumber)
    
    steps:
      - task: AzureCLI@2
        displayName: "Deploy KeyVault"
        inputs:
          azureSubscription: ${{ parameters.AzureConnectedService}}
          scriptType: 'ps'
          scriptLocation: 'scriptPath'
          scriptPath: '$(Build.SourcesDirectory)/mainBuildScirptKeyVault.ps1'
          addSpnToEnvironment: true
          useGlobalConfig: true
          workingDirectory: '$(Build.SourcesDirectory)'
    
      - task: AzureCLI@2
        displayName: "Deploy SQL Database"
        inputs:
          azureSubscription: ${{ parameters.AzureConnectedService}}
          scriptType: 'ps'
          scriptLocation: 'scriptPath'
          scriptPath: '$(Build.SourcesDirectory)/mainBuildScirptSQLServer.ps1'
          addSpnToEnvironment: true
          useGlobalConfig: true
          workingDirectory: '$(Build.SourcesDirectory)'
    
    # ...etc.
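
Added example, not part of the original answer or of any Microsoft tooling: a PowerShell check that reads the `nbf`/`exp` window of the federated client assertion, so a script can stop before starting a Bicep deployment that would outlive it. It assumes the assertion is the JWT that `AzureCLI@2` exposes as `$env:idToken` when `addSpnToEnvironment: true` is set on a federated service connection; `Get-AssertionWindow` and `Assert-AssertionWindow` are hypothetical helper names, and the sample token is constructed from the times in the error message.

```powershell
# Added example: inspect the validity window of a JWT client assertion.
# Claims are decoded only, not verified; use this for a lifetime check, not for trust decisions.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-AssertionWindow {
    param([Parameter(Mandatory)][string]$Jwt, [datetime]$Now = [datetime]::UtcNow)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected three dot-separated parts).' }
    $json = ConvertFrom-Base64Url -Value $parts[1]
    $claims = $json | ConvertFrom-Json
    if ($null -eq $claims.exp) { throw 'Token has no exp claim.' }
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $expires = $epoch.AddSeconds([double]$claims.exp)
    [pscustomobject]@{
        NotBefore        = if ($null -ne $claims.nbf) { $epoch.AddSeconds([double]$claims.nbf) } else { $null }
        Expires          = $expires
        RemainingSeconds = [int][math]::Floor(($expires - $Now.ToUniversalTime()).TotalSeconds)
    }
}

# Hypothetical guard: stop before a deployment that cannot finish inside the window.
function Assert-AssertionWindow {
    param([Parameter(Mandatory)][string]$Jwt, [int]$NeededSeconds, [datetime]$Now = [datetime]::UtcNow)
    $w = Get-AssertionWindow -Jwt $Jwt -Now $Now
    if ($w.RemainingSeconds -lt $NeededSeconds) {
        throw "Assertion expires at $($w.Expires.ToString('o')): $($w.RemainingSeconds)s left, $($NeededSeconds)s needed."
    }
    $w
}

# Constructed sample token (fake signature) carrying the window from the error message above.
$nbf = [DateTimeOffset]::new(2024, 5, 9, 12, 37, 55, [TimeSpan]::Zero)
$exp = [DateTimeOffset]::new(2024, 5, 9, 12, 47, 54, [TimeSpan]::Zero)
$payload = @{ nbf = $nbf.ToUnixTimeSeconds(); exp = $exp.ToUnixTimeSeconds() } | ConvertTo-Json -Compress
$sample = (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig' -join '.'

# In the pipeline use the real assertion and clock; never write the token itself to the log.
$token = if ($env:idToken) { $env:idToken } else { $sample }
$now = if ($env:idToken) { [datetime]::UtcNow } else { $nbf.UtcDateTime.AddMinutes(9) }
Assert-AssertionWindow -Jwt $token -NeededSeconds 30 -Now $now | Format-List
```

Calling the guard before each Bicep deployment turns a mid-deployment authentication failure into an early, explicit stop that names the expiry time.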