
azapi authentication failed when resource depends on a terraform creation that takes more than 10 minutes

Open gbordier opened this issue 1 year ago • 1 comments

When using the AzureCLI task in Azure DevOps, when azapi resource creation is chained with other Terraform resources that take a long time to create, the original short-lived OIDC token (10 min) that is generated by the task has expired and cannot be exchanged for an Entra ID access token.

Ideally azapi should re-use the access token azurerm uses. Other workarounds would be to split the pipeline or use another form of authentication.

gbordier avatar May 23 '24 09:05 gbordier

@ms-henglu do we have a way of renewing the access token? If not we should definitely make sure to get that fixed for long running operations.

stemaMSFT avatar May 23 '24 19:05 stemaMSFT

@stemaMSFT and @ms-henglu The Go SDK now has a token refresh facility that you can leverage if in the scope of Azure DevOps: https://devblogs.microsoft.com/azure-sdk/improve-security-posture-in-azure-service-connections-with-azurepipelinescredential/

jaredfholgate avatar Jul 11 '24 12:07 jaredfholgate

We just migrated all our Azure DevOps pipelines to use federated authentication. If we now had to recreate an environment (taking > 10 min), we would be in trouble. So I want to highlight that this has real operational impact. A timely fix would be very much appreciated.

pho-enix avatar Aug 02 '24 12:08 pho-enix

Hi all,

Thanks @jaredfholgate, the solution mentioned in the link below is now supported in the azapi provider. For more details, please see https://registry.terraform.io/providers/Azure/azapi/latest/docs/guides/service_principal_oidc#configuring-the-service-principal-in-terraform

The Go SDK now has a token refresh facility that you can leverage if in the scope of Azure DevOps: https://devblogs.microsoft.com/azure-sdk/improve-security-posture-in-azure-service-connections-with-azurepipelinescredential/

I'll close this issue as it's completed, but feel free to reopen it if there are any questions.

ms-henglu avatar Oct 28 '24 06:10 ms-henglu
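
The failure mode from the opening post, as an added example that is not part of the thread and not code from the azapi provider or the Go SDK: a stdlib-only model comparing an OIDC token captured once at task start with one requested again at exchange time. All function names and the timestamp are hypothetical; the 10-minute lifetime is the figure given in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed model; every name here is hypothetical, not provider or SDK code.
const assertionTTL = 10 * time.Minute // OIDC token lifetime stated in the issue

type assertion struct{ expires time.Time }

// issue stands in for the pipeline's OIDC endpoint minting a fresh token.
func issue(now time.Time) assertion { return assertion{expires: now.Add(assertionTTL)} }

// exchange stands in for Entra ID, which rejects an expired assertion.
func exchange(a assertion, now time.Time) error {
	if !now.Before(a.expires) {
		return errors.New("assertion expired, cannot exchange for access token")
	}
	return nil
}

// firstAuthAfter simulates a provider whose first token exchange happens only
// after upstream resources have spent `wait` being created. With refresh=false
// it presents the token captured at task start; with refresh=true it requests
// a new one at exchange time.
func firstAuthAfter(wait time.Duration, refresh bool) error {
	start := time.Date(2024, 5, 23, 9, 0, 0, 0, time.UTC) // constructed timestamp
	captured := issue(start)
	source := func(time.Time) assertion { return captured }
	if refresh {
		source = issue
	}
	now := start.Add(wait)
	return exchange(source(now), now)
}

func main() {
	for _, wait := range []time.Duration{5 * time.Minute, 12 * time.Minute} {
		fmt.Printf("wait=%v static=%v refreshing=%v\n", wait,
			firstAuthAfter(wait, false), firstAuthAfter(wait, true))
	}
}
```
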