microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

WIF token usage #219

Closed User7845 closed 2 months ago

User7845 commented 2 months ago

Hi, I have set up the Azure DevOps service connections with Workload Identity Federation (WIF).

I am trying to authenticate the Kubernetes Terraform provider with this identity using kubelogin: kubelogin get-token --login workloadidentity --federated-token-file in the exec plugin.

Is it possible for the Terraform task to add the idToken to a file that can be used to authenticate within the Terraform providers? Or is there another way to authenticate Terraform providers through WIF service connections?

kubelogin source

jaredfholgate commented 2 months ago

Hi @User7845

If you need the id token, you can use the Azure CLI task: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-cli-v2?view=azure-pipelines

If you set addSpnToEnvironment to true, it will output the ID token to an environment variable called idToken that you can then use to populate your file.

Example here: https://github.com/Azure/alz-terraform-accelerator/blob/425bfa229e599eb31a3e876bea5d5299a8cc0cd3/templates/ci_cd/azuredevops/templates/helpers/terraform-plan.yaml#L19C29-L19C36
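
One way to implement the extra step described in this answer, as an added example that is not code from this project or from the issue: a script for the inlineScript of an AzureCLI@2 step with addSpnToEnvironment: true, which exposes the WIF token in the idToken environment variable. The FEDERATED_TOKEN_FILE variable name and the file location are assumptions; the file lands in Agent.TempDirectory, which the agent cleans after the job.

```shell
#!/usr/bin/env bash
# Added example, not part of azure-pipelines-terraform. Meant as the
# inlineScript of an AzureCLI@2 step with addSpnToEnvironment: true.
# Do not run this script with `set -x`: the token would end up in the job log.

# Write the federated token to a file readable only by the agent user and
# print the path. Arguments: $1 = token value, $2 = destination path.
write_federated_token() {
  token="$1"
  dest="$2"
  if [ -z "$token" ]; then
    echo "idToken is empty: check addSpnToEnvironment on the AzureCLI task" >&2
    return 1
  fi
  # A JWT is header.payload.signature, so exactly two dots; reject anything
  # else early rather than handing a malformed value to kubelogin.
  dots=$(printf '%s' "$token" | tr -cd '.' | wc -c | tr -d ' ')
  if [ "$dots" -ne 2 ]; then
    echo "idToken does not look like a JWT" >&2
    return 1
  fi
  # umask 077 makes the new file mode 0600; no trailing newline is written,
  # since kubelogin reads the file contents as the assertion.
  (umask 077 && printf '%s' "$token" > "$dest") || return 1
  echo "$dest"
}

# Hand the path to later steps (e.g. the Terraform task) as a pipeline
# variable. FEDERATED_TOKEN_FILE is an assumed name: the provider's exec
# block passes it to kubelogin's --federated-token-file flag.
export_token_path() {
  echo "##vso[task.setvariable variable=FEDERATED_TOKEN_FILE]$1"
}

# Only runs inside the pipeline, where addSpnToEnvironment sets idToken.
# AGENT_TEMPDIRECTORY is the env form of Agent.TempDirectory.
if [ -n "${idToken:-}" ]; then
  file=$(write_federated_token "$idToken" "${AGENT_TEMPDIRECTORY:-/tmp}/wif-idtoken") || exit 1
  export_token_path "$file"
fi
```

Mark the idToken value as a secret if you also pass it through setvariable, so the agent masks it in logs.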

User7845 commented 2 months ago

Hi @jaredfholgate, thanks for your response. I was hoping the Terraform task would provide something that makes it easier to authenticate the providers using the WIF token. I'll add an extra step to add the ID to a file, thanks!