Tags: azure, azure-devops, azure-web-app-service, federated-identity, azure-service-principal

How to log in via a Service Principal that has Federated Credentials rather than Client Secrets


Due to the recent push to remove Entra App secrets from Azure and adopt Workload Identity Federation in service connections, I have removed the client secret from the service principal and added Federated Credentials to it.

How do I log in to Azure via this service principal?

Earlier, this login was done via the code below:

    # Previous login flow: a client secret from the service connection is wrapped in a PSCredential
    Write-Host "Object Id = $objectId"
    $key = ConvertTo-SecureString -String $env:servicePrincipalKey -AsPlainText -Force
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:servicePrincipalId, $key
    Connect-AzAccount -ServicePrincipal -TenantId $env:tenantId -Credential $Credential

I tried many documents but could not find anything acceptable. Seeking help.

Is there any other way I can achieve this via the pipeline? I have a release pipeline which uses a service connection based on Workload Identity Federation (automatic). The Service Principal made out of this step has federated credentials. In the next step in my pipeline, I am using a PowerShell script which has this login step.

This is my service principal with Federated Creds: (screenshot)


Solution

  • In the pipeline you can try as below:

    1. Add an Azure CLI task and enable the option addSpnToEnvironment (Access service principal details in script) on the task. This option will provide the variables to let you get the login credentials.


      You can run the following command on the task to pass the login credentials as pipeline variables so that the subsequent steps within the same job can use the credentials.

      echo "##vso[task.setvariable variable=SP_CLIENT_ID]$servicePrincipalId"
      echo "##vso[task.setvariable variable=SP_ID_TOEKN]$idToken"
      echo "##vso[task.setvariable variable=TENANT_ID]$tenantId"
      
    2. Then in the subsequent steps, you can use the Azure CLI command "az login --service-principal" or the Azure PowerShell cmdlet "Connect-AzAccount -ServicePrincipal" to log in to Azure with the credentials fetched above.

      az login --service-principal --tenant $(TENANT_ID) -u $(SP_CLIENT_ID) --federated-token $(SP_ID_TOEKN) --allow-no-subscriptions
      
      Connect-AzAccount -ServicePrincipal -Tenant $(TENANT_ID) -ApplicationId $(SP_CLIENT_ID) -FederatedToken $(SP_ID_TOEKN) -Environment AzureCloud -Scope Process
      

    Below is a sample pipeline for reference.

        steps:
        - task: AzureCLI@2
          displayName: 'Get login Credentials'
          inputs:
            addSpnToEnvironment: true
            azureSubscription: MyArmConnection
            scriptType: bash
            scriptLocation: inlineScript
            inlineScript: |
              echo "##vso[task.setvariable variable=SP_CLIENT_ID]$servicePrincipalId"
              echo "##vso[task.setvariable variable=SP_ID_TOEKN]$idToken"
              echo "##vso[task.setvariable variable=TENANT_ID]$tenantId"
        
        - bash: az login --service-principal --tenant $(TENANT_ID) -u $(SP_CLIENT_ID) --federated-token $(SP_ID_TOEKN) --allow-no-subscriptions
          displayName: 'Login Azure using az login'
        
        - pwsh: Connect-AzAccount -ServicePrincipal -Tenant $(TENANT_ID) -ApplicationId $(SP_CLIENT_ID) -FederatedToken $(SP_ID_TOEKN) -Environment AzureCloud -Scope Process
          displayName: 'Login Azure using Connect-AzAccount'
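As an added example (not part of the question or the answer above, and not Microsoft's code), the following PowerShell for the subsequent pwsh step inspects the federated token handed over by the AzureCLI task before passing it to Connect-AzAccount, so an expired or wrongly targeted token fails fast with a readable error instead of an opaque AADSTS error. It assumes the three pipeline variables from the answer are available as environment variables of the same name, that the Az.Accounts module is installed on the agent, and that the token's audience is api://AzureADTokenExchange, the audience Azure DevOps workload identity federation tokens carry.

```powershell
# Added example: fail fast on a bad federated token, then log in with it.
# Assumes SP_CLIENT_ID, SP_ID_TOEKN and TENANT_ID were set by the AzureCLI task as in the answer.

function ConvertFrom-JwtPayload {
    # Decodes the middle (payload) segment of a JWT; no signature check, Entra does that at login.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Value is not a JWT (expected header.payload.signature).' }
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-FederatedToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Assumed expected audience for Azure DevOps workload identity federation tokens
        [string]$ExpectedAudience = 'api://AzureADTokenExchange'
    )
    $claims    = ConvertFrom-JwtPayload -Token $Token
    $expiry    = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    $remaining = $expiry - [DateTimeOffset]::UtcNow
    if ($claims.aud -ne $ExpectedAudience) {
        throw "Unexpected audience '$($claims.aud)'; expected '$ExpectedAudience'."
    }
    if ($remaining.TotalSeconds -le 0) {
        throw "Federated token expired at $($expiry.UtcDateTime.ToString('u')); the AzureCLI task must run in the same job shortly before this step."
    }
    # Log only claims, never the token itself
    Write-Host "Federated token for subject '$($claims.sub)' valid for $([int]$remaining.TotalMinutes) more minute(s)."
    return $claims
}

$token = $env:SP_ID_TOEKN
if ([string]::IsNullOrWhiteSpace($token)) { throw 'SP_ID_TOEKN is empty; was addSpnToEnvironment enabled on the AzureCLI task?' }
$null = Test-FederatedToken -Token $token

Connect-AzAccount -ServicePrincipal -Tenant $env:TENANT_ID -ApplicationId $env:SP_CLIENT_ID `
    -FederatedToken $token -Environment AzureCloud -Scope Process | Out-Null
Write-Host "Connected as $((Get-AzContext).Account.Id) in tenant $((Get-AzContext).Tenant.Id)"
```

If the first task sets SP_ID_TOEKN with `;issecret=true` so the log masks it, map it explicitly through the step's `env:` block, because secret variables are not exposed as environment variables automatically.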