Azure DevOps extension to authenticate with STACKIT cloud platform using either Workload Identity Federation (WIF) or Key Flow (JSON credentials). This extension provides a secure service connection type and an authentication task that sets up environment variables and can perform CLI login when explicitly enabled.
- ✅ Service Connection Type: Secure credential storage for STACKIT authentication
- ✅ WIF Authentication: Workload Identity Federation - minimal setup, just provide service account name
- ✅ OIDC Token Exchange: Automatic Azure DevOps OIDC token → STACKIT access token conversion
- ✅ Environment Setup: Sets required environment variables for STACKIT SDK
- ✅ Secret Masking: Access tokens masked in pipeline logs
- ✅ Linux Support: Task runs on Linux agents only
When creating a STACKIT service connection, you must provide exactly one authentication method:
| Method | Field | When to Use | What to Provide |
|---|---|---|---|
| WIF | Service Account Name | Recommended for Azure DevOps environments with federated identity setup | The STACKIT service account name (e.g., my-terraform-account) |
| Key Flow | Service Account Credentials (JSON) | For local development or where WIF is unavailable | Full JSON file contents from STACKIT service account |
- ✅ Do this: Fill EITHER the Service Account Name field OR the Credentials JSON field
- ❌ Don't do this: Leave both fields empty
- ❌ Don't do this: Fill both fields with values
If you misconfigure the connection (empty or both filled), the stackit-authenticate task will fail with a clear error message telling you which field to fix.
-
Install from Marketplace (when published):
- Visit Azure DevOps Marketplace
- Click "Get it free"
- Select your Azure DevOps organization
-
Local Development Install (VSIX):
- Download the VSIX file from Releases
- Go to
https://dev.azure.com/{organization}/_settings/extensions - Click "Upload extension"
- Select the VSIX file
-
Clone and Setup:
git clone https://github.com/stackitcloud/azure-devops-stackit-service-connection-extension.git cd azure-devops-stackit-service-connection-extension npm install -
Build:
npm run build
-
Test:
npm test -
Package:
npm run package
- In Azure DevOps, go to Project Settings → Service connections
- Click New service connection → STACKIT
- Choose WIF authentication scheme
- Enter:
- Service Account Name: Name of your STACKIT service account
- Test the connection
- Save
- In Azure DevOps, go to Project Settings → Service connections
- Click New service connection → STACKIT
- Choose Generic authentication scheme
- Paste the full JSON credentials from your STACKIT service account
- Test the connection (optional)
- Save
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- task: StackitAuthenticate@1
inputs:
serviceConnection: 'My STACKIT Connection (WIF)'
displayName: 'Authenticate with STACKIT (WIF)'
- script: |
echo "Service Account: $STACKIT_SERVICE_ACCOUNT_EMAIL"
displayName: 'Verify STACKIT Authentication'trigger:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- task: StackitAuthenticate@1
inputs:
serviceConnection: 'My STACKIT Connection (Key Flow)'
displayName: 'Authenticate with STACKIT (Key Flow)'
- script: |
# For Key Flow, credentials are available via STACKIT_SERVICE_ACCOUNT_KEY_PATH
stackit auth activate-service-account
stackit projects list
displayName: 'List STACKIT Projects'| Input | Type | Required | Description |
|---|---|---|---|
serviceConnection |
Service Connection | Yes | STACKIT service connection to use |
| Variable | WIF | Key Flow | Description |
|---|---|---|---|
STACKIT_SERVICE_ACCOUNT_EMAIL |
✅ | ✅ | Service account name (WIF) or email (Key Flow) |
STACKIT_SERVICE_CONNECTION_ID |
✅ | ❌ | Azure DevOps service connection ID (used for OIDC token retrieval) |
STACKIT_SERVICE_ACCOUNT_KEY_PATH |
❌ | ✅ | Path to temporary file with JSON credentials (automatically cleaned up) |
- Azure DevOps Agent with Node.js 20+ (standard on modern agents)
- STACKIT CLI installed on the agent (
stackitcommand available) - For Key Flow: Valid STACKIT service account credentials in JSON format
- For WIF: Configured Workload Identity Federation in STACKIT
See CONTRIBUTING.md for guidelines on:
- Setting up development environment
- Running tests locally
- Submitting pull requests
- Code style and conventions
See SECURITY.md for:
- Reporting security vulnerabilities
- Security considerations
- Data privacy and credential handling
- GitHub account with access to this repository
- Azure DevOps Marketplace Publisher account
- Marketplace Personal Access Token (PAT)
ci.yml: Build, test, package, and upload VSIX artifact on push/PRrelease.yml: Build, test, package, publish (tag/manual), and attach VSIX to GitHub Release
-
Set GitHub Secrets (in repository settings):
MARKETPLACE_PAT: Your Azure DevOps Marketplace Personal Access Token
-
Publish via GitHub Actions (
release.yml):- Push a tag:
git tag v1.0.1 && git push --tags - Or merge to
mainwith version bump invss-extension.json - GitHub Actions will automatically build, test, and publish
- Push a tag:
# Build and package
npm run build
npm run package
# Publish to marketplace
npm run package:publish- Ensure you're using the correct authentication scheme (WIF vs Key Flow)
- For Key Flow: validate JSON format is correct (copy directly from STACKIT UI)
- Check that STACKIT API URL is reachable
- Ensure STACKIT CLI (
stackitcommand) is installed on the agent - Add CLI installation step before authentication task if needed
- Verify the task ran successfully (check logs)
- Use explicit environment variable reference in YAML if needed:
- task: StackitAuthenticate@1 name: StackitAuth - script: echo $(STACKIT_SERVICE_ACCOUNT_EMAIL)
For issues, feature requests, or questions:
- GitHub Issues: Report an issue
- Documentation: GitHub Wiki