Open TechWatching opened 1 year ago
We ran into this very limitation after switching to the federated credentials. It manifests as the following error in the pipelines:
##[error]Error: Endpoint auth data not present: <the guid of your service connection>
The problem is that this line is trying to resolve the service principal key (=client secret), which obviously doesn't exist anymore: https://github.com/pulumi/pulumi-az-pipelines-task/blob/39d15080eebe21709c75ad1f4f718d70698471ce/buildAndReleaseTask/serviceEndpoint.ts#L29
It then crashes in the azure-pipelines-task-lib here with the error I posted above.
I would also really like to use the Pulumi tasks together with the workload identity federation. It would be really nice to see support for this soon.
What's the ETA for this?
I've opened PR #153 to add support for workload identity federation based on the implementation in the Azure CLI Task V2.
I tested in my Azure DevOps organisation with a new Pulumi project created using the Azure C# template which successfully deployed in pipeline run 20240505.12.
Hopefully a maintainer can review it soon.
Any plan for when this will be generally available?
@af-vijay the change from PR #153 was included in release Version 1.1.4.
When I tried the latest version 2 weeks ago it was not working. Are you sure it is working for you?
With version 1.1.4 I get a new error message:
building AzureRM Client: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
Anyone else experiencing this?
When I tried the latest version 2 weeks ago it was not working. Are you sure it is working for you?
We've run hundreds of deployments that worked over the past couple of months, @af-vijay. Apologies for the very delayed response.
Is your feature request related to a problem? Please describe.
When running Pulumi Azure Pipelines tasks, I want to use ARM Service Connection with Workload identity federation. The public preview of Workload identity federation for Azure Pipelines has been recently announced by Microsoft, with Terraform tasks already having support for that. I want the same experience when using Pulumi tasks.
Describe the solution you'd like
Be able to select ARM Service Connection with Workload identity federation so that the Pulumi tasks continue working without needing secrets in the service principal associated with the service connections.
Describe alternatives you've considered
I have considered not using Pulumi tasks and trying to manually run the pulumi CLI in an Azure CLI task that would retrieve the Azure token. But that's only a workaround; I would rather use Pulumi tasks.
Additional context
N/A
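
The failure discussed in this thread, as an added example that is not code from the Pulumi task or from any participant: a scheme-aware mapping from a service connection to the ARM_* environment variables read by the Pulumi Azure providers. `Endpoint`, `authParam` and `armEnvFor` are hypothetical names, the parameter keys and scheme strings are assumed to match what Azure DevOps exposes for ARM service connections, and how the federated token is obtained is left out.

```typescript
// Hypothetical stand-in for the task library's endpoint lookups, so this runs
// without a pipeline agent. A required lookup throws when the key is absent.
type Endpoint = { scheme: string; auth: Record<string, string>; subscriptionId: string };

function authParam(ep: Endpoint, key: string, optional: boolean): string | undefined {
  const value = ep.auth[key];
  if (value === undefined && !optional) throw new Error("missing endpoint auth parameter: " + key);
  return value;
}

// Map a service connection to the provider's ARM_* environment variables.
// idToken is the federated (OIDC) token issued for this pipeline run (assumed input).
function armEnvFor(ep: Endpoint, idToken?: string): Record<string, string> {
  const env: Record<string, string> = {
    ARM_CLIENT_ID: authParam(ep, "serviceprincipalid", false) as string,
    ARM_TENANT_ID: authParam(ep, "tenantid", false) as string,
    ARM_SUBSCRIPTION_ID: ep.subscriptionId,
  };
  switch (ep.scheme.toLowerCase()) {
    case "workloadidentityfederation":
      // No client secret exists for this scheme, so serviceprincipalkey is never requested.
      if (!idToken) throw new Error("federated token missing for workload identity federation");
      env["ARM_USE_OIDC"] = "true";
      env["ARM_OIDC_TOKEN"] = idToken; // short-lived; keep it out of logs
      break;
    case "serviceprincipal":
      env["ARM_CLIENT_SECRET"] = authParam(ep, "serviceprincipalkey", false) as string;
      break;
    default:
      // Fail closed instead of letting the provider fall back to ambient
      // credentials such as an Azure CLI login on the agent.
      throw new Error("unsupported authorization scheme: " + ep.scheme);
  }
  return env;
}

// Constructed sample endpoints; every value is a placeholder.
const federated: Endpoint = {
  scheme: "WorkloadIdentityFederation",
  auth: { serviceprincipalid: "00000000-0000-0000-0000-000000000001",
          tenantid: "00000000-0000-0000-0000-000000000002" },
  subscriptionId: "00000000-0000-0000-0000-000000000003",
};
const secretBased: Endpoint = {
  scheme: "ServicePrincipal",
  auth: { ...federated.auth, serviceprincipalkey: "constructed-secret" },
  subscriptionId: federated.subscriptionId,
};
```

Requesting `serviceprincipalkey` as a required parameter on the federated endpoint throws, which is the shape of the crash reported above; branching on the scheme first avoids it.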