Add support for Azure AD service Principals #506
Comments
|
+1, PAT tokens must be rotated manually and long-lived PATs are a potential security risk. My team would find it very helpful if there was a built-in way to use AD/Entra tokens for these tasks. |
|
+1, especially now as MSI and service principal authentication are out of preview in Azure DevOps |
|
@michvllni Make sure you check out the blog, it allows you to already switch over. |
|
@jessehouwing there are some scenarios where overriding service connection values using task.setendpoint is blocked due to restricted commands. It would be really great to have this as part of the task itself for those scenarios where the workaround doesn't work. |
…ad of PATs and client secrets (#2082) #### Details Our release pipelines for the ADO extension utilize a Visual Studio Marketplace Service Connection with a PAT to publish to the Visual Studio Marketplace. This PR creates a new template task (`generate-vs-marketplace-token.yaml`) that uses AzureCLI to generate an access token for that service connection to use instead. This template is then used directly before the tasks that involve the VS Marketplace SC (the `QueryVersion` task in `package-vsix-file.yaml` and the `PublishAzureDevOpsExtension` task in `publish-vsix-file.yaml`). Additionally, this PR implements the new ESRP signing task that uses managed identity with federated credentials instead of client secrets to authenticate. It also deletes the yaml file for the pipeline that creates a new ESRP service connection since that type of service connection is no longer used in the signing task and we won't need to regenerate the entire SC during secret rotation anymore. ##### Motivation Security improvements ##### Context This solution for removing PAT usage in the VS Marketplace Publishing step was based on [this workflow](https://jessehouwing.net/publish-azure-devops-extensions-using-workload-identity-oidc/), linked from [this issue](microsoft/azure-devops-extension-tasks#506) in microsoft/azure-devops-extension-tasks. These changes coincide with the addition of the following new variables to the pipeline in ADO (documenting here in case they ever need to be changed): `linuxImage`: the name of the linux image in the hosted pool to be used for this pipeline (currently set to `ubuntu-22.04-secure`) `MARKETPLACE_RESOURCE_ID`: the resource ID of the VS Marketplace SC `esrp-app-registration-client-id`: the client ID of the ESRP Signing app registration `esrp-app-registration-tenant-id`: the tenant where the ESRP Signing app registration lives #### Pull request checklist <!-- If a checklist item is not applicable to this change, write "n/a" in the checkbox --> - [n/a] Addresses an existing issue: Fixes #0000 - [n/a] Added relevant unit test for your changes. (`yarn test`) - [n/a] Verified code coverage for the changes made. Check coverage report at: `<rootDir>/test-results/unit/coverage` - [x] Ran precheckin (`yarn precheckin`)
|
Is there an ETA for merging 204ae18 to main branch? This help for those that uses version query. |
Version query should work fine with the workaround described in my blog. I originally started with this hack, but I don't want to support yet another sneak-solution to infinity. |
|
@jessehouwing Yea the workaround in your blog is helpful, but for me the setendpoint doesn't work. I suspect it is because my WIF is connecting to a different tenant. And due to policy/design I can't move the service principal to the same tenant with my azure devops. |
|
Then the environment variables override isn't going to help you I'm afraid. |
|
From the public preview blog post, it looks like Azure is the only service connection that supports WIF right now. |
|
I'd love that. There is an existing npm package that already contains all the magic to get the access token. Ideally the Azure DevOps Service connection would have an option to select Azure or the existing service connection and optionally a text box for a token input. Be sure to set the defaults in such a way that existing tasks don't break. |
|
@jessehouwing Sorry I am not familiar with the flow of release of this task. When will the v5 be available to use? Can't wait to use it :) |
I've created a sample workflow that uses a AzureCLI step to overwrite the PAT with a OIDC job token:
https://jessehouwing.net/publish-azure-devops-extensions-using-workload-identity-oidc/
In the future I want to move that functionality straight into the task.
The text was updated successfully, but these errors were encountered: