This guide describes how to set up your Azure DevOps (ADO) and Azure environment to leverage workload identity federation, enabling you to use the `AzureDevOpsSubscriptionProvider` described in this section. See the README for more details.
1. Create a new ADO service connection under your organization's project. In this example, we create it under the DevDiv project:
    1. Navigate to the organization's (DevDiv) ADO page.
    2. Navigate to the settings page by clicking on the gear icon at the bottom left.
    3. Select the "Service connections" blade from the panel on the left.
    4. Create a new service connection by clicking on the `New service connection` button in the top right.
    5. Select `Azure Resource Manager` as the type and click `Next`.
    6. Select `App registration (automatic)` for the identity type, and `Workload identity federation` for the credential.
    7. Select `Subscription` as the scope level, then choose the subscription you want to give access to. Do not choose a resource group unless you want to scope access only to that group.
    8. Name the service connection and add a description if needed.
    9. Click `Save`. This will create a new service connection.
    10. Click the new service connection to open it. Make note of four things that you will need:
        - The service connection name that you just gave it.
        - The service connection ID, visible at the top and as the `resourceId` query parameter in the URL.
        - The tenant ID of the issuer, visible in the Issuer field as the GUID in the URL. This is the same tenant ID as the owner of the subscription you chose above.
        - The service principal ID. Click `Manage App registration` to open the app in the Azure Portal, and copy the `Application (client) ID`.
2. Give the service principal access to the subscription:
    1. On the Azure Portal, navigate to the page for the subscription you want the service principal to have access to.
    2. Navigate to the `Access control (IAM)` blade.
    3. Navigate to the `Roles` tab.
    4. Click on the `+ Add` button, and choose `Add role assignment`.
    5. Choose the role required by your scenario and click `Next`.
    6. Choose `User, group, or service principal`, then click on `+ Select members`.
    7. Select your service principal from step 1.
    8. Click on `Review and assign` to submit.
    9. Repeat steps 4-8 as needed for other roles.
The constructor for `AzureDevOpsSubscriptionProvider` expects three arguments in an initializer object in order to identify the service connection you set up in step 1. These are:

- `serviceConnectionId`: The resource ID of the service connection
- `tenantId`: The `Tenant ID` field of the service connection
- `clientId`: The `Service Principal Id` field of the service connection

Make sure you pass an object containing these values to the `new AzureDevOpsSubscriptionProvider()` constructor. These values are not secrets, so they can be set as environment variables, assigned as pipeline variables in ADO, or even hardcoded in code (not recommended).
3. Allow your pipeline to use the service connection and the provider:
    1. Again on the service connection properties page, click the three-dots button and click `Security`.
    2. In the `Pipeline permissions` section, add any pipeline(s) that need permission to use this service connection.
    3. A "dummy" step needs to exist in order for the pipeline to use the service connection. An easy example follows:

        ```yaml
        - task: AzureCLI@2
          displayName: "Verify service connection"
          inputs:
            azureSubscription: MyServiceConnectionName
            scriptType: 'pscore'
            scriptLocation: 'inlineScript'
            inlineScript: |
              Write-Host "Service connection is accessible"
              az account show
          condition: succeeded()
          env:
            SYSTEM_ACCESSTOKEN: $(System.AccessToken)
        ```

    4. In any steps requiring this provider, set the `SYSTEM_ACCESSTOKEN` environment variable to the `$(System.AccessToken)` build variable. As needed, also pass in the service connection ID, service principal ID, and tenant ID:

        ```yaml
        - task: Npm@1
          displayName: "Test"
          inputs:
            command: custom
            customCommand: test
          env:
            SYSTEM_ACCESSTOKEN: $(System.AccessToken)
            SERVICE_CONNECTION_ID: $(ServiceConnectionId)
            SERVICE_PRINCIPAL_ID: $(ServicePrincipalId)
            TENANT_ID: $(TenantId)
        ```
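As an added example (not code from this guide or from the provider package), here is how a Node.js test step like the `Npm@1` one above can assemble the initializer object described earlier from those environment variables and fail fast on the usual misconfigurations. The env variable names come from the pipeline step; the GUID check, the unexpanded-macro check, the JWT shape check on the access token and the `loadInitializerFromEnv` name are assumptions made for this example.

```javascript
// Added example, not part of the original guide or the provider package.
// Builds the initializer object that `new AzureDevOpsSubscriptionProvider(...)`
// expects from the environment of the Npm@1 step above. The env variable names
// match that step; the GUID check, the unexpanded-macro check and the JWT shape
// check on SYSTEM_ACCESSTOKEN are assumptions made for this example.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Initializer property -> pipeline env variable that carries it.
const ID_VARS = {
  serviceConnectionId: "SERVICE_CONNECTION_ID",
  clientId: "SERVICE_PRINCIPAL_ID",
  tenantId: "TENANT_ID",
};

function readGuid(env, name) {
  const value = (env[name] || "").trim();
  // ADO leaves an undefined pipeline variable as the literal `$(Name)` text.
  if (value.startsWith("$(")) {
    throw new Error(`${name} was not expanded (${value}); define the pipeline variable`);
  }
  if (!GUID_RE.test(value)) {
    // These IDs are not secrets (see above), so echoing them is safe.
    throw new Error(`${name} must be a GUID, got "${value || "<unset>"}"`);
  }
  return value.toLowerCase();
}

// Returns { serviceConnectionId, tenantId, clientId } or throws with a message
// that names the offending variable. `env` defaults to process.env.
function loadInitializerFromEnv(env = process.env) {
  const initializer = {};
  for (const [prop, varName] of Object.entries(ID_VARS)) {
    initializer[prop] = readGuid(env, varName);
  }
  // The token mapped from $(System.AccessToken) IS a secret: check its presence
  // and shape only, and never include its value in errors or logs.
  const token = env.SYSTEM_ACCESSTOKEN || "";
  if (token.split(".").length !== 3) {
    throw new Error("SYSTEM_ACCESSTOKEN is unset or not a JWT; map $(System.AccessToken) into env");
  }
  return initializer;
}
```

Pass the returned object to `new AzureDevOpsSubscriptionProvider(...)`; an unexpanded `$(ServiceConnectionId)` or an unmapped access token then fails at the start of the step with a message naming the variable instead of surfacing as an opaque error inside the provider.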