Workload Identity Federation Preview

[tehcrashxor]

With the release of Power Platform Build Tools v2.0.69 and its underlying PAC v1.32.6, Service Principals can now authenticate with OpenID Connect (OIDC), federated with Azure DevOps . This enables the removal of Service Connections with Client Secrets.

To use this new option:

1. Create a new Power Platform Service Connection, select "Workload Identity federation (preview)", and supply your Dataverse Organization URL, Service Principal ID (App ID), and Tenant ID
2. Configure the App Registration in the Azure Portal with federated credentials to your Azure DevOps org

Add Federated Credentials to the App Registration

1. Go to App registrations in the Azure Portal and open the app associated with your Service Principal
2. Select Certificates and Secrets in the Manage panel
   
3. In the Federated credentials tab, select Add credential
   
4. Select the credential scenario Other issuer, and set the Issuer and Subject identifier fields for your Azure DevOps Service Connection
   

• The Issuer field must be https://vstoken.dev.azure.com/[AzureDevOpsOrganizationID]
• The Subject identifier field must be in the format sc://[AzureDevOpsOrganizationName]/[AzureDevOpsProjectName]/[AzureDevOpsServiceConnectionName]
• If these values are missing or misconfigured, running any of the Power Platform Build Tools tasks with a misconfigured Workload identity will output the expected values to the Pipeline logs.

[richardcarrigan]

This is HUGE and works perfectly for tasks which invoke the service connection directly.

For one of my use cases, however, I'm running pac auth create --url $url --name $envName --applicationId $applicationId --tenant $tenant --azureDevOpsFederated inside of a Bash script file executed by the ADO pipeline, but I'm getting the error Error: Execution environment is either not an Azure DevOps Pipeline or is not configued correctly. Required PAC_ADO_ID_TOKEN_REQUEST_TOKEN or PAC_ADO_ID_TOKEN_REQUEST_URL environment variables are missing. When I try to inject these into the Bash execution environment using the env param for the Bash@3 task, I then get the error Error: Request to Azure DevOps Token Federation endpoint failed.

# azure-pipelines.yml

- task: Bash@3
  displayName: Deploy solutions
  inputs:
    filePath: 'deploySolutions.sh'
  env:
    url: $(PP_ENV_URL)
    envName: $(PP_ENV_NAME)
    applicationId: $(CLIENT_ID)
    tenant: $(TENANT)
    PAC_ADO_ID_TOKEN_REQUEST_TOKEN: $(PAC_ADO_ID_TOKEN_REQUEST_TOKEN)
    PAC_ADO_ID_TOKEN_REQUEST_URL: $(PAC_ADO_ID_TOKEN_REQUEST_URL)

# deploySolutions.sh

pac auth create --url $url --name $envName --applicationId $applicationId --tenant $tenant --azureDevOpsFederated

What am I missing?

[devkeydet]

I think @tehcrashxor explained to me that the way Azure DevOps works with all this, you need to call a task that uses the SPN first. Can you try to call the whoami task first, then try again?

[tehcrashxor]

The error message Error: Request to Azure DevOps Token Federation endpoint failed indicates that PAC's request to the ADO API to get the OIDC token got a non-success response. ADO auth APIs usually don't return much in the way of useful information for determining what went wrong, so we end up with guesswork trying to figure out what needs to be updated.

As @devkeydet said, the issue might be that you haven't executed a Task within that Job using the needed Service Connection. ADO does not load the Service Connections into the pipeline until they're used in a task, so it could be that just doing a WhoAmI task above might resolve the issue.

Perhaps the value you are setting for the Token is wrong?
The tasks set the PAC_ADO_ID_TOKEN_REQUEST_TOKEN for consumption in PAC here in getCredentials.ts, which you can also do by setting it to the System.AccessToken such as:

- task: Bash@3
  # ....
  env:
    PAC_ADO_ID_TOKEN_REQUEST_TOKEN: $(System.AccessToken)

Perhaps the value you are setting for the Request URL is wrong?
The request URL defined in the API here requires values dependent on the current Job execution, and thus change every time that Job is executed. Our code here in getCredential.ts is able to set most of the fields in the Request URL from Environment Variables set by the pipeline, but the Service Connection ID is not set in a convenient way to grab within a script. That ID however can be found by opening up the Service Connection in the UI, and taking the resourceId GUID that appears in the address bar.

[richardcarrigan]

Thank you @devkeydet and @tehcrashxor for the advice. Unfortunately, even after adding the PowerPlatformToolInstaller@2 and PowerPlatformWhoAmi@2 tasks into the pipeline YAML and using System.AccessToken to populate the PAC_ADO_ID_TOKEN_REQUEST_TOKEN env var, I'm still getting the same error.

When I echo each of these variables in Bash, here's what I get:

PAC_ADO_ID_TOKEN_REQUEST_TOKEN: ***
PAC_ADO_ID_TOKEN_REQUEST_URL: $(PAC_ADO_ID_TOKEN_REQUEST_URL)

This tells me that the token is probably being set correctly now, since it's being obfuscated, and that the URL is definitely not being set. So, with the resourceId in hand, I manually built the URL similar to how it was done in getCredential.ts and I can confirm that this solves my issue.

Thank you so much!

[devkeydet]

Thanks @richardcarrigan! Here is a working example for others to follow / adapt.

trigger: none
pool:
  vmImage: ubuntu-latest
variables:
  BuildTools.EnvironmentUrl: "YOUR-URL"
steps:
- task: PowerPlatformToolInstaller@2
  inputs:
    DefaultVersion: true
    AddToolsToPath: true
- task: PowerPlatformWhoAmi@2
  inputs:
    authenticationType: 'PowerPlatformSPN'
    PowerPlatformSPN: 'YOU-SVC-CONN-NAME'
- task: PowerShell@2
  env:
    PAC_ADO_ID_TOKEN_REQUEST_TOKEN: $(System.AccessToken)
  inputs:
    targetType: 'inline'
    script: |
      $uri = "$(System.CollectionUri)"
      $projectId = "$(System.TeamProjectId)"
      $hub = "$(System.HostType)"
      $planId = "$(System.PlanId)"
      $jobId = "$(System.JobId)"
      $serviceConnectionId = "YOUR-SVC-CONN-ID"
      $oidcApiVersion = "7.2-preview.1"
      $env:PAC_ADO_ID_TOKEN_REQUEST_URL = "$uri$projectId/_apis/distributedtask/hubs/$hub/plans/$planId/jobs/$jobId/oidctoken?serviceConnectionId=$serviceConnectionId&api-version=$oidcApiVersion"
      $environment = "$(BuildTools.EnvironmentUrl)"

      pac auth create --name devops-temp --environment $environment --azureDevOpsFederated --tenant YOUR-TENANT-ID --applicationId YOUR-APP-ID
    pwsh: true
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      pac env who
    pwsh: true
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      pac solution list
    pwsh: true

[richardcarrigan]

FWIW, here's the bash version that I went with:

# azure-pipelines.yml

trigger: none
pool:
  vmImage: windows-latest
stages:
  - stage: UAT_Deploy
    jobs:
      - deployment: DeployToUAT
        displayName: Deploy Power Platform solutions to UAT
        environment: 'uat' # creates an environment if it doesn't exist
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self
                - task: NuGetAuthenticate@1
                  inputs:
                    forceReinstallCredentialProvider: false
                - task: CmdLine@2
                  displayName: Install Power Platform CLI
                  inputs:
                    script: |
                      dotnet tool install --global Microsoft.PowerApps.CLI.Tool
                - task: PowerPlatformToolInstaller@2
                  inputs:
                    DefaultVersion: true
                - task: PowerPlatformWhoAmi@2
                  inputs:
                    authenticationType: 'PowerPlatformSPN'
                    PowerPlatformSPN: 'uatserviceconnection'
                    Environment: '$(UAT_URL)'
                - task: Bash@3
                  displayName: Deploy solutions
                  inputs:
                    filePath: 'deploySolutions.sh'
                  env:
                    url: $(UAT_URL)
                    envName: $(UAT_ENV_NAME)
                    applicationId: $(UAT_CLIENT_ID)
                    tenant: $(TENANT)
                    PAC_ADO_ID_TOKEN_REQUEST_TOKEN: $(System.AccessToken)
                    PAC_ADO_ID_TOKEN_REQUEST_URL: '$(System.CollectionUri)$(System.TeamProjectId)/_apis/distributedtask/hubs/$(System.HostType)/plans/$(System.PlanId)/jobs/$(System.JobId)/oidctoken?serviceConnectionId=$(SERVICE_CONNECTION_ID)&api-version=7.2-preview.1'

# deploySolutions.sh

pac auth create --url $url --name $envName --applicationId $applicationId --tenant $tenant --azureDevOpsFederated