microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License

[Question]: Use Workload Identity federation identity in maven task #19649

Open sonwan2020 opened 3 months ago

sonwan2020 commented 3 months ago

Task name

Maven

Task version

3

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

Ubuntu

Question

I am running auto test pipelines like https://msazure.visualstudio.com/AzureDMSS/_build?definitionId=150216, and I want to implement secret-less pipelines using service connection.

When I create service connection type "Service Principal" and input the id & secret to build the service connection, from this doc https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-cli-v2?view=azure-pipelines, I can get the servicePrincipalId & servicePrincipalKey & tenantId, and my later maven task can use these variables.

When I create a service connection with workload identity federation and check the environment variables, the variable servicePrincipalKey is empty and instead I get an idToken.
My question is, how can I use the servicePrincipalId & idToken & tenantId variables in my Java code?

I tried some *CredentialBuilder classes; the WorkloadIdentityCredentialBuilder() needs a tokenFilePath, where can I get that?
`new WorkloadIdentityCredentialBuilder().tokenFilePath().build()`

Any other suggestions?
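The two variants below are an added example, not code from the issue, from the asker, or from the azure-pipelines-tasks project. They assume an Azure CLI task ran earlier in the same job with `addSpnToEnvironment: true`, so that `servicePrincipalId`, `tenantId` and `idToken` are present as environment variables (the names from the Azure CLI v2 task documentation linked in the question), and that `com.azure:azure-identity` is on the classpath. Option 1 passes the pipeline's `idToken` to Entra ID as a client assertion; option 2 answers the `tokenFilePath` question directly: `WorkloadIdentityCredential` expects the federated token in a file, so the code writes `idToken` to a private temp file and points the builder at it.

```java
// Added example (not code from the issue or the azure-pipelines-tasks project).
// Assumes: the Azure CLI task exported servicePrincipalId, tenantId and idToken
// (addSpnToEnvironment: true) and azure-identity is on the classpath.
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ClientAssertionCredentialBuilder;
import com.azure.identity.WorkloadIdentityCredentialBuilder;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public final class PipelineFederatedCredential {

    private PipelineFederatedCredential() { }

    /** Reads a variable exported by the Azure CLI task; fails fast rather than sending an empty assertion to Entra ID. */
    static String required(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    /**
     * Option 1: hand the pipeline's idToken to Entra ID directly as a client assertion.
     * No secret is involved; the federated credential configured on the app registration
     * must trust the Azure DevOps issuer and subject for this service connection.
     */
    public static TokenCredential fromIdToken() {
        String idToken = required("idToken");
        return new ClientAssertionCredentialBuilder()
                .clientId(required("servicePrincipalId"))
                .tenantId(required("tenantId"))
                .clientAssertion(() -> idToken)
                .build();
    }

    /**
     * Option 2: the tokenFilePath the question asks about. WorkloadIdentityCredential
     * reads the federated token from a file (the Kubernetes convention), so write idToken
     * into a file that only the current user can read and point the builder at it.
     */
    public static TokenCredential fromTokenFile() throws IOException {
        Path tokenFile = Files.createTempFile("ado-oidc-", ".jwt");
        Files.writeString(tokenFile, required("idToken"), StandardCharsets.UTF_8);
        try {
            Files.setPosixFilePermissions(tokenFile, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException ignored) {
            // Non-POSIX file system (Windows agent): createTempFile already restricts the file to the current user.
        }
        tokenFile.toFile().deleteOnExit();
        return new WorkloadIdentityCredentialBuilder()
                .clientId(required("servicePrincipalId"))
                .tenantId(required("tenantId"))
                .tokenFilePath(tokenFile.toString())
                .build();
    }

    public static void main(String[] args) throws IOException {
        TokenCredential credential = fromIdToken();
        // Any ARM or data-plane scope works. The assertion is short-lived, so acquire the
        // first access token early in the job rather than lazily at the end.
        AccessToken token = credential
                .getToken(new TokenRequestContext().addScopes("https://management.azure.com/.default"))
                .block();
        System.out.println("access token expires at " + token.getExpiresAt());
        // Pass `credential` to any Azure SDK client builder, e.g. new BlobServiceClientBuilder().credential(credential)
    }
}
```

Either credential can be handed to any Azure SDK client builder that accepts a `TokenCredential`. The value in `idToken` is a bearer credential in its own right: keep it out of logs and out of the Maven command line (use `env:` on the Maven step rather than `-D` system properties, which show up in process listings).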
jiec-msft commented 3 months ago

I also have similar questions:

  1. Reading the "custom-azure-tasks-and-extensions" section in the doc, is there an SDK in languages like Java that does the IDToken acquisition, redeems the AAD token and accesses Azure resources?
  2. And for the IDToken acquisition doc, is the accessToken still needed in the request to get the IDToken?
KonstantinTyukalov commented 3 months ago

Hi @sonwan2020, you can use idToken to get access token for azure resources you need. Please check this blog post section (Custom Azure tasks and extensions).

Hi @jiec-msft, I'm not aware of an official Java SDK for such purposes. Here is the list of official ADO REST clients: https://learn.microsoft.com/rest/api/azure/devops#client-libraries

> And for the IDToken acquisition doc, is the accessToken still needed in the request to get IDToken?

Yes, you'll need accessToken to be able to reach the required endpoint. Reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create#security
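For the case the answer describes (a custom task or a plain script that has no Azure CLI task in front of it and must fetch the ID token itself), here is an added example of the oidctoken request from Java, using only the JDK's `java.net.http` client. It is not code from the issue, from the REST reference, or from the azure-pipelines-tasks project. It assumes the step maps the job access token into the environment (`env: SYSTEM_ACCESSTOKEN: $(System.AccessToken)`), that `SYSTEM_COLLECTIONURI`, `SYSTEM_TEAMPROJECTID`, `SYSTEM_PLANID` and `SYSTEM_JOBID` are the usual predefined pipeline variables, that the hub name is `build`, and that the endpoint and `api-version` follow the oidctoken/create reference linked in the answer; check that page before relying on the exact URL. The `serviceConnectionId` argument (the GUID of the workload identity federation service connection) is an assumed input.

```java
// Added example (not code from the issue, the REST docs, or the azure-pipelines-tasks project).
// Assumes the step maps the job token into the environment:
//   env:
//     SYSTEM_ACCESSTOKEN: $(System.AccessToken)
// and relies on the predefined SYSTEM_COLLECTIONURI / SYSTEM_TEAMPROJECTID / SYSTEM_PLANID / SYSTEM_JOBID variables.
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class AdoOidcToken {

    // The response is a small JSON object with a single "oidcToken" field; a JWT contains no quotes or backslashes,
    // so a regex is enough here and avoids pulling in a JSON library for the example.
    private static final Pattern OIDC_TOKEN = Pattern.compile("\"oidcToken\"\\s*:\\s*\"([^\"]+)\"");

    private AdoOidcToken() { }

    static String required(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    /** Builds .../{projectId}/_apis/distributedtask/hubs/build/plans/{planId}/jobs/{jobId}/oidctoken (assumed shape, see lead-in). */
    static String oidcTokenUrl(String collectionUri, String projectId, String planId, String jobId, String serviceConnectionId) {
        String base = collectionUri.endsWith("/") ? collectionUri : collectionUri + "/";
        StringBuilder url = new StringBuilder(base)
                .append(projectId).append("/_apis/distributedtask/hubs/build/plans/")
                .append(planId).append("/jobs/").append(jobId)
                .append("/oidctoken?api-version=7.1-preview.1");
        if (serviceConnectionId != null && !serviceConnectionId.isBlank()) {
            url.append("&serviceConnectionId=").append(serviceConnectionId);
        }
        return url.toString();
    }

    static String extractOidcToken(String json) {
        Matcher m = OIDC_TOKEN.matcher(json);
        if (!m.find()) {
            throw new IllegalStateException("response has no oidcToken field");
        }
        return m.group(1);
    }

    /** Redeems the job's System.AccessToken for the short-lived OIDC token bound to the given service connection. */
    public static String acquire(String serviceConnectionId) throws IOException, InterruptedException {
        String url = oidcTokenUrl(required("SYSTEM_COLLECTIONURI"), required("SYSTEM_TEAMPROJECTID"),
                required("SYSTEM_PLANID"), required("SYSTEM_JOBID"), serviceConnectionId);
        HttpRequest request = HttpRequest.newBuilder(URI.create(url))
                .header("Authorization", "Bearer " + required("SYSTEM_ACCESSTOKEN"))
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.noBody())
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // Report the status only: a successful body is a credential, so never let it leak through an exception message.
            throw new IOException("oidctoken request failed with HTTP " + response.statusCode());
        }
        return extractOidcToken(response.body());
    }

    public static void main(String[] args) throws Exception {
        String idToken = acquire(args.length > 0 ? args[0] : null);
        // Do not print the token itself. Registering it as a secret variable lets later steps use it
        // while the agent masks it in the log.
        System.out.println("##vso[task.setvariable variable=idToken;issecret=true]" + idToken);
    }
}
```

The `serviceConnectionId` query parameter is what binds the issued token's subject to that particular service connection, which is what the federated credential on the app registration matches against; without it the token will not satisfy the trust you configured in Entra ID. Once `acquire` returns, the `servicePrincipalId` and `tenantId` still come from the service connection's authorization parameters, and the token is consumed exactly as a client assertion in the credential builders shown earlier.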