authentication azure-devops federated-identity azure-text-translation azure-ai-translator

Connect to Azure AI Translator in Azure DevOps Pipelines using Workload Identity Federation


I would like to use the Azure AI Text Translation from an Azure DevOps build pipeline, without having to use any secrets for authentication. I have used Workload Identity Federation for smooth authentication from pipelines before, so if that is possible also for Azure AI Translator that would be great.

I have set up a resource group in Azure Portal with a resource of type 'Translator'. I have also set up an (Azure Resource Manager) service connection in my Azure DevOps project that is referring to that resource group, and I can see that a federated credential was created for me in Microsoft Entra.

Now the next step is usually to set up permissions for the federated credential in Microsoft Entra. For my previous federated credential, I have used "Request API permissions". But there it is not obvious what to select in this case. I could use some guidance on how to set up the permissions to be able to use Text Translation from my pipeline.


Solution

  • The DevOps pipeline is used for the CI/CD process. As per the REST API docs below for Translator, you should use the key, region and web API, not Workload Identity Federation, for automation.

    Quickstart: Azure AI Translator REST APIs

    Translator 3.0: Translate

    The YAML sample:

    pool:
      vmImage: Windows-latest
    
    steps:
    - task: PowerShell@2
      inputs:
        targetType: 'inline'
        script: |
          # Define the parameters to translate a string.
          # KEY is mapped from the pipeline variable 'key' in the env block below.
          $subscriptionKey = ${env:KEY}
          $region = "eastus"
          $text = "Hello, world!"
          $toLanguage = "fr"

          # Define the function to call the Translator Text API
          function Translate-Text ($subscriptionKey, $region, $text, $toLanguage) {
              $uri = "https://api.cognitive.microsofttranslator.com/translate?api-version=3.0&to=$toLanguage"
              # The key and region headers authenticate the request
              $headers = @{
                  "Ocp-Apim-Subscription-Key" = $subscriptionKey
                  "Ocp-Apim-Subscription-Region" = $region
                  "Content-Type" = "application/json"
              }
              # The API expects a JSON array of objects with a Text property
              $body = ConvertTo-Json @(@{ Text = $text })

              $response = Invoke-RestMethod -Uri $uri -Method Post -Body $body -Headers $headers
              return $response[0].translations[0].text
          }

          $translatedText = Translate-Text -subscriptionKey $subscriptionKey -region $region -text $text -toLanguage $toLanguage
          Write-Output "Translated text: $translatedText"
      env:
        KEY: $(key)
    

    The output is translated to fr.

    Edit: added for Document Translation.

    As per the doc "Managed identity assignments", Document Translation supports a system-assigned managed identity, not the identity from an Azure Resource Manager service connection.