This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
[FEATURE REQ] Support for Azure DevOps Workload Identity #45580
Currently, the DefaultAzureCredential supports the following credential types:
EnvironmentCredential
WorkloadIdentityCredential (Kubernetes)
ManagedIdentityCredential
SharedTokenCacheCredential
VisualStudioCredential
VisualStudioCodeCredential
AzureCliCredential
AzurePowerShellCredential
AzureDeveloperCliCredential
InteractiveBrowserCredential
Since sometime in October '23 we have had Azure DevOps Pipelines with Workload Identity federation, which allows us to define Service Connections without secrets/certificates, significantly improving the overall security of our environments.
The AzurePowerShell task supports the Pipeline Workload Identity, which allows us to build pipelines that deploy Azure resources within the context of this identity.
Connecting to other Azure AD-secured endpoints, however, requires retrieving the access token:
$azAccessToken = Get-AzAccessToken -ResourceUrl "https://$(tenantName).sharepoint.com"
and using it when connecting to a new endpoint, e.g.
Connect-PnPOnline -Url "https://$(tenantName).sharepoint.com/sites/$(siteName)" -AccessToken $azAccessToken.Token -ReturnConnection
Could you add the Pipeline Workload Identity to the supported credential types? It would streamline things a lot =)
thx for considering
Library name
Azure.Identity