authentication azure-devops federated-identity azure-text-translation azure-ai-translator

Connect to Azure AI Translator in Azure DevOps Pipelines using Workload Identity Federation

I would like to use the Azure AI Text Translation from an Azure DevOps build pipeline, without having to use any secrets for authentication. I have used Workload Identity Federation for smooth authentication from pipelines before, so if that is possible also for Azure AI Translator that would be great.

I have set up a resource group in Azure Portal with a resource of type 'Translator'. I have also set up a (Azure Resource Manager) service connection in my Azure DevOps project that is referring to that resource group, and I can see that a federated credential was created for me in Microsoft Entra.

Now the next step is usually to set up permissions for the federated credential in Microsoft Entra. For my previous federated credential, I have used "Request API permissions". But there it is not obvious what to select in this case. I could use some guidance on how to set up the permissions to be able to use Text Translation from my pipeline.

Solution

DevOps pipeline is used for CICD process. As per the rest api doc below for translator, you should use the KEY, Region and Web Api not Workload Identity Federation for automation.

Quickstart: Azure AI Translator REST APIs

Translator 3.0: Translate

The yaml sample:

pool:
  vmImage: Windows-latest

steps:
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      # Define the paramters to translate a string
          $subscriptionKey = ${env:KEY}
          $region = "eastus"
          $text = "Hello, world!"
          $toLanguage = "fr"
      # Define the function to call the Translator Text API
          function Translate-Text ($subscriptionKey, $region, $text, $toLanguage) {
              $uri = "https://api.cognitive.microsofttranslator.com/translate?api-version=3.0&to=$toLanguage"
              $headers = @{
                  "Ocp-Apim-Subscription-Key" = $subscriptionKey
                  "Ocp-Apim-Subscription-Region" = $region
                  "Content-Type" = "application/json"
              }
              $body = ConvertTo-Json @(@{ Text = $text })
      
              $response = Invoke-RestMethod -Uri $uri -Method Post -Body $body -Headers $headers
              return $response[0].translations[0].text
          }
          $translatedText = Translate-Text -subscriptionKey $subscriptionKey -region $region -text $text -toLanguage $toLanguage
          Write-Output "Translated text: $translatedText"
  env:
    KEY: $(key)

The output, it's translated to fr:

Edit, add for Document translation.

As per the doc Managed identity assignments, Document Translation supports system-assigned managed identity, not identity from Azure Resource Manager service connection.