
Microsoft Entra Workload ID not supported (update packer plugin)

Open donk-msft opened this issue 1 year ago • 2 comments

Description

Issue based on a suggestion from January 2024 to solicit a response from the team.

Lack of support for Microsoft Entra Workload ID is blocking conversion of our service connections.

Platforms affected

  • [X] Azure DevOps
  • [ ] GitHub Actions - Standard Runners
  • [ ] GitHub Actions - Larger Runners

Runner images affected

  • [X] Ubuntu 20.04
  • [X] Ubuntu 22.04
  • [X] Ubuntu 24.04
  • [ ] macOS 12
  • [ ] macOS 13
  • [ ] macOS 13 Arm64
  • [ ] macOS 14
  • [ ] macOS 14 Arm64
  • [X] Windows Server 2019
  • [X] Windows Server 2022

Image version and build link

20240901.1.0

Is it regression?

No

Expected behavior

GenerateResourcesAndImage.ps1 runs successfully when used in a pipeline within the context of a WIF-based service connection.

Actual behavior


Pipeline fails with the following error: ==> Some builds didn't complete successfully and had errors: --> azure-arm.build_image: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '***'.

Repro steps

  1. Create working pipeline based on service connection (SPN/Secret)
  2. Modify pipeline to use service connection based on WIF

donk-msft, Sep 06 '24 08:09

@donk-msft Thank you for bringing this issue to us. We are looking into this issue and will update you on this issue after investigating.

RaviAkshintala, Sep 06 '24 08:09

Setting the use_azure_cli_auth option for the Azure ARM builder to true would simplify the authentication quite a bit. Running packer build from within an authenticated Azure CLI session would simply work without specifying any additional auth-related parameters.

v1adev, Sep 11 '24 16:09
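To make the suggestion above concrete, here is an added example of an Azure Pipelines job that authenticates through a WIF-based Azure Resource Manager service connection using the AzureCLI@2 task and then runs packer with use_azure_cli_auth enabled, so the builder picks up the CLI session instead of a client secret (a WIF connection has none to pass). This is not code from the issue or from the runner-images repository; the service connection name, resource group, image name, VM size, source image and plugin version constraint are placeholders, and it assumes packer is on the agent's PATH.

```yaml
# Azure Pipelines job (added example; not from the runner-images repo or this issue).
# Assumptions: a WIF-based ARM service connection named 'wif-arm-connection' exists,
# packer is on PATH, and resource group / image name / VM size / plugin version are placeholders.
trigger: none

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureCLI@2
    displayName: packer build via Azure CLI session (WIF service connection)
    inputs:
      # The task exchanges the pipeline's federated token for an Azure CLI session.
      # No client secret exists on the connection and none is passed to packer.
      azureSubscription: 'wif-arm-connection'
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail

        # Check which identity and subscription the CLI session actually holds
        # before packer inherits it; this is the first thing to look at on a 401.
        az account show --query '{sub:id, tenant:tenantId, user:user.name}' -o table

        # Minimal template written inline for the example. With use_azure_cli_auth
        # the builder reads subscription and tenant from the active az login session,
        # so no client_id / client_secret / subscription_id fields are set.
        cat > wif-example.pkr.hcl <<'EOF'
        packer {
          required_plugins {
            azure = {
              source  = "github.com/hashicorp/azure"
              version = ">= 2.0.0"   # assumption: any release exposing use_azure_cli_auth
            }
          }
        }

        source "azure-arm" "build_image" {
          use_azure_cli_auth = true   # the setting described in the comment above

          managed_image_resource_group_name = "rg-runner-images"        # placeholder
          managed_image_name                = "ubuntu2204-wif-example"  # placeholder
          location                          = "westeurope"              # placeholder
          vm_size                           = "Standard_D4s_v5"         # placeholder

          os_type         = "Linux"
          image_publisher = "canonical"
          image_offer     = "0001-com-ubuntu-server-jammy"
          image_sku       = "22_04-lts-gen2"
        }

        build {
          sources = ["source.azure-arm.build_image"]
        }
        EOF

        packer init wif-example.pkr.hcl
        packer validate wif-example.pkr.hcl
        packer build wif-example.pkr.hcl
```

The az account show line is the check worth keeping in a real pipeline: when the build fails with a 401 it tells you whether the agent holds the expected identity and subscription at all, which separates a service connection problem from a builder configuration problem.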

Hi @donk-msft - This feature has been implemented. Thank you!

kishorekumar-anchala, Feb 14 '25 03:02

@kishorekumar-anchala I don't believe this solved the original issue with using workload identity federation from Azure Pipelines since it's not the same as using managed identities: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-using-workload-identity-federation

v1adev, Feb 14 '25 19:02