Migrate dnceng insertion token from PAT to WIF (DefaultAzureCredential) #83058
Open
missymessa wants to merge 1 commit into dotnet:main from
Conversation
Replace the `dn-bot-dnceng-build-e-code-full-release-e-packaging-r` PAT with WIF-based authentication via `AzureCLI@2` and `DefaultAzureCredential` for the VS insertion step.

The roslyn-tools `create-insertion` CLI already supports bearer tokens via `DefaultAzureCredential` fallback: when `--dnceng-azdo-token` is `unset`, the tool calls `DefaultAzureCredential().GetToken()` for the AzDO resource and uses `VssOAuthAccessTokenCredential`.

Changes:
- `eng/pipelines/insert.yml`: Replace `dncEngAzdoToken` parameter with `dncEngAzureSubscription`; wrap `create-insertion` in `AzureCLI@2` so `AzureCliCredential` provides the token automatically
- `azure-pipelines-official.yml`: Pass service connection instead of PAT
- `azure-pipelines-pr-validation.yml`: Same

Uses the existing 'Darc: Maestro Production' service connection, which is already authorized for this pipeline.

Addresses: AB#10097
9e07a9a to 8b1b1c4
missymessa (Member, Author): Hey Roslyn team, let me know how I can best test this change to make sure the new Service Connection works. Thanks!

Member: /pr-val

Contributor: This PR is from an external author. You must specify a commit hash to trigger this workflow. Please use the format

Contributor: Failed to trigger the pipeline. Please check the workflow logs for details.

Member: /pr-val 8b1b1c4

Contributor: View PR Validation Run triggered by @jjonescz
Summary

Replaces the `dn-bot-dnceng-build-e-code-full-release-e-packaging-r` PAT with WIF-based authentication via `AzureCLI@2` and `DefaultAzureCredential` for the VS insertion step.

Background

As part of the dnceng PAT-to-Entra migration (AB#10097), we're eliminating PAT usage in favor of modern authentication. The roslyn-tools `create-insertion` CLI already supports bearer tokens via its `DefaultAzureCredential` fallback: when `--dnceng-azdo-token` is `unset`, the tool uses `DefaultAzureCredential().GetToken()` for the AzDO resource and creates a `VssOAuthAccessTokenCredential`.

Changes

`eng/pipelines/insert.yml`:
- Replace the `dncEngAzdoToken` parameter with `dncEngAzureSubscription` (service connection name)
- Move the `create-insertion` step from an inline `powershell:` to `task: AzureCLI@2`
- Pass `--dnceng-azdo-token unset` so `DefaultAzureCredential` (specifically `AzureCliCredential`) acquires the token automatically

`azure-pipelines-official.yml` & `azure-pipelines-pr-validation.yml`:
- Pass `dncEngAzureSubscription: 'Darc: Maestro Production'` instead of the PAT variable

How it works

Inside `AzureCLI@2`, the Azure CLI is pre-authenticated via WIF. When `roslyn-tools` sees `--dnceng-azdo-token unset`, it falls back to `DefaultAzureCredential`, which picks up `AzureCliCredential` and calls `az account get-access-token --resource 499b84ac-...` to get a bearer token for AzDO.

Uses the existing Darc: Maestro Production service connection, already authorized for this pipeline. The SP may need dnceng org permissions for build/code access if not already enrolled.

Testing

This should be validated via a PR validation run that triggers the insert stage. The `create-insertion` tool will log whether it's using PAT or OAuth authentication.

Microsoft Reviewers: Open in CodeFlow
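The PAT-to-bearer-token fallback the description above attributes to `create-insertion` can be illustrated in isolation. The following is an added example written for this page, not code from roslyn-tools or this PR: it assumes the `Azure.Identity` and `Microsoft.VisualStudio.Services.Client` NuGet packages, a hypothetical `AzdoAuth.Connect` helper, and the well-known Entra application ID of the Azure DevOps service as the token scope (a documented constant, not something taken from the PR, whose text only shows the truncated `499b84ac-...`). It shows the two authentication paths side by side, the sentinel check, and the practitioner-relevant detail that the token value itself is never written to the log.

```csharp
// Added illustration (not roslyn-tools code): falling back from a PAT to a
// DefaultAzureCredential-issued bearer token for Azure DevOps, mirroring the
// behaviour the PR description attributes to `--dnceng-azdo-token unset`.
// Assumed packages: Azure.Identity, Microsoft.VisualStudio.Services.Client.
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.VisualStudio.Services.Common;
using Microsoft.VisualStudio.Services.OAuth;
using Microsoft.VisualStudio.Services.WebApi;

static class AzdoAuth
{
    // Well-known Entra application ID of the Azure DevOps service; "/.default"
    // asks for a token scoped to that resource. This constant is assumed here,
    // the PR text shows it only as the truncated "499b84ac-...".
    const string AzdoScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    // Sentinel value the PR description says the CLI checks for.
    const string UnsetSentinel = "unset";

    // Returns an authenticated connection to the given AzDO organization.
    // dncEngAzdoToken is the raw value of the --dnceng-azdo-token option.
    public static VssConnection Connect(Uri orgUrl, string? dncEngAzdoToken)
    {
        VssCredentials creds;

        if (string.IsNullOrEmpty(dncEngAzdoToken) ||
            string.Equals(dncEngAzdoToken, UnsetSentinel, StringComparison.OrdinalIgnoreCase))
        {
            // OAuth path. Inside AzureCLI@2 the Azure CLI is already logged in through
            // the service connection's workload identity federation, so the
            // DefaultAzureCredential chain resolves to AzureCliCredential, which is
            // equivalent to `az account get-access-token --resource <AzDO app id>`.
            var credential = new DefaultAzureCredential();
            AccessToken token = credential.GetToken(
                new TokenRequestContext(new[] { AzdoScope }));

            // Log the auth mode and expiry only; the bearer token is a secret and
            // would otherwise land in the pipeline log.
            Console.WriteLine(
                $"Using OAuth bearer token for {orgUrl} (expires {token.ExpiresOn:u})");

            creds = new VssOAuthAccessTokenCredential(token.Token);
        }
        else
        {
            // Legacy path: a long-lived PAT sent as HTTP basic auth with an empty user name.
            Console.WriteLine($"Using PAT authentication for {orgUrl}");
            creds = new VssBasicCredential(string.Empty, dncEngAzdoToken);
        }

        return new VssConnection(orgUrl, creds);
    }
}
```

Two checks worth doing when validating the migrated pipeline: the bearer token issued this way is short-lived (on the order of an hour), so any step that runs longer must re-acquire rather than cache it, and the token identifies the service connection's service principal, not a bot user, so that principal must already be a member of the dnceng organization with the build and code permissions the insertion needs, which is exactly the enrollment caveat the description raises.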