pulumi-az-pipelines-task

Support for ARM Service Connection with Workload identity federation

Open TechWatching opened this issue 2 years ago • 9 comments

Is your feature request related to a problem? Please describe. When running Pulumi Azure Pipelines tasks, I want to use an ARM Service Connection with Workload identity federation. The public preview of Workload identity federation for Azure Pipelines has recently been announced by Microsoft, with the Terraform tasks already having support for it. I want the same experience when using Pulumi tasks.

Describe the solution you'd like Be able to select an ARM Service Connection with Workload identity federation so that the Pulumi tasks continue working without needing secrets in the service principal associated with the service connection.

Describe alternatives you've considered I have considered not using the Pulumi tasks and instead running the pulumi CLI manually in an Azure CLI task that would retrieve the Azure token. But that's only a workaround; I would rather use the Pulumi tasks.

Additional context N/A

TechWatching avatar Sep 21 '23 12:09 TechWatching

We ran into this very limitation after switching to the federated credentials. It manifests as the following error in the pipelines:

##[error]Error: Endpoint auth data not present: <the guid of your service connection>

The problem is that this line is trying to resolve the service principal key (=client secret), which obviously doesn't exist anymore: https://github.com/pulumi/pulumi-az-pipelines-task/blob/39d15080eebe21709c75ad1f4f718d70698471ce/buildAndReleaseTask/serviceEndpoint.ts#L29

It then crashes in the azure-pipelines-task-lib here with the error I posted above.

I would also really like to use the Pulumi tasks together with the workload identity federation, it would be really nice to see support for this soon.

moredatapls avatar Nov 13 '23 16:11 moredatapls
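The failure described in the comment above, and the Azure CLI task workaround mentioned in the issue body, both come down to one thing: the task must branch on the service connection's auth scheme before it asks the task lib for a client secret. The TypeScript below is an added example, not code from pulumi-az-pipelines-task or from PR #153. It models the endpoint authorization shape that azure-pipelines-task-lib returns (a `scheme` plus a parameter map with `serviceprincipalid`, `serviceprincipalkey`, `tenantid`) and reproduces the "Endpoint auth data not present" crash next to a scheme-aware version that emits the `ARM_*` variables the Pulumi Azure providers read. The scheme name `WorkloadIdentityFederation`, the `ARM_USE_OIDC`/`ARM_OIDC_TOKEN` variable names, and the description of how the OIDC token is fetched are assumptions about those components, and the token fetch is injected so the example runs offline.

```typescript
// Added example (not part of pulumi-az-pipelines-task): resolving an ARM
// service connection without crashing on Workload identity federation.

/** Mirrors the object azure-pipelines-task-lib returns for a service endpoint. */
interface EndpointAuthorization {
  scheme: string; // e.g. "ServicePrincipal" or "WorkloadIdentityFederation" (assumed names)
  parameters: { [key: string]: string };
}

/** Connection data a task receives for an ARM service connection. */
interface ArmEndpoint {
  id: string; // service connection GUID
  auth: EndpointAuthorization;
  subscriptionId: string;
}

/** Mimics tl.getEndpointAuthorizationParameter: throws when the key is absent. */
function getAuthParameter(ep: ArmEndpoint, key: string): string {
  const value = ep.auth.parameters[key];
  if (value === undefined) {
    throw new Error(`Endpoint auth data not present: ${ep.id}`);
  }
  return value;
}

/** Old behaviour: unconditionally reads the client secret, so a WIF endpoint crashes here. */
function buildArmEnvLegacy(ep: ArmEndpoint): Record<string, string> {
  return {
    ARM_CLIENT_ID: getAuthParameter(ep, "serviceprincipalid"),
    ARM_CLIENT_SECRET: getAuthParameter(ep, "serviceprincipalkey"), // missing under WIF
    ARM_TENANT_ID: getAuthParameter(ep, "tenantid"),
    ARM_SUBSCRIPTION_ID: ep.subscriptionId,
  };
}

/**
 * Scheme-aware behaviour. `getOidcToken` is injected (hypothetical callback) so
 * this runs offline; in a real task it would request a federated token from
 * Azure DevOps for the given service connection id (assumption: that is how
 * the Azure CLI task v2 obtains it) and return it as a string.
 */
function buildArmEnv(
  ep: ArmEndpoint,
  getOidcToken: (serviceConnectionId: string) => string,
): Record<string, string> {
  const base: Record<string, string> = {
    ARM_CLIENT_ID: getAuthParameter(ep, "serviceprincipalid"),
    ARM_TENANT_ID: getAuthParameter(ep, "tenantid"),
    ARM_SUBSCRIPTION_ID: ep.subscriptionId,
  };
  switch (ep.auth.scheme.toLowerCase()) {
    case "serviceprincipal":
      // Only this branch may touch the secret.
      return { ...base, ARM_CLIENT_SECRET: getAuthParameter(ep, "serviceprincipalkey") };
    case "workloadidentityfederation": {
      const token = getOidcToken(ep.id);
      if (!token) throw new Error(`empty OIDC token for service connection ${ep.id}`);
      return { ...base, ARM_USE_OIDC: "true", ARM_OIDC_TOKEN: token };
    }
    default:
      throw new Error(`unsupported auth scheme: ${ep.auth.scheme}`);
  }
}

/**
 * Pre-flight check: if these are not all set, the provider falls back to the
 * Azure CLI and fails with "Please run 'az login'". Returns the missing names.
 */
function validateArmEnv(env: Record<string, string>): string[] {
  const required = ["ARM_CLIENT_ID", "ARM_TENANT_ID", "ARM_SUBSCRIPTION_ID"];
  const missing = required.filter((k) => !env[k]);
  const hasSecret = Boolean(env.ARM_CLIENT_SECRET);
  const hasOidc = env.ARM_USE_OIDC === "true" && Boolean(env.ARM_OIDC_TOKEN);
  if (!hasSecret && !hasOidc) missing.push("ARM_CLIENT_SECRET or ARM_USE_OIDC+ARM_OIDC_TOKEN");
  return missing;
}

// Constructed sample endpoints (not real connections).
const sampleWifEndpoint: ArmEndpoint = {
  id: "00000000-0000-0000-0000-000000000001",
  auth: {
    scheme: "WorkloadIdentityFederation",
    parameters: { serviceprincipalid: "app-id", tenantid: "tenant-id" }, // no serviceprincipalkey
  },
  subscriptionId: "sub-id",
};
const sampleSpnEndpoint: ArmEndpoint = {
  id: "00000000-0000-0000-0000-000000000002",
  auth: {
    scheme: "ServicePrincipal",
    parameters: { serviceprincipalid: "app-id", serviceprincipalkey: "s3cret", tenantid: "tenant-id" },
  },
  subscriptionId: "sub-id",
};
```

Running `buildArmEnvLegacy(sampleWifEndpoint)` throws the exact error quoted above, while `buildArmEnv(sampleWifEndpoint, fetcher)` produces an environment with `ARM_USE_OIDC=true` and no client secret; `validateArmEnv` is the check to run before invoking `pulumi up`, because an incomplete `ARM_*` set is what makes the provider fall back to `az login`.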

What's the ETA for this?

swimmesberger avatar Apr 29 '24 10:04 swimmesberger

I've opened PR #153 to add support for workload identity federation based on implementation in the Azure CLI Task V2.

I tested in my Azure DevOps organisation with a new Pulumi project created using the Azure C# template which successfully deployed in pipeline run 20240505.12.

Hopefully a maintainer can review it soon.

Isenr avatar May 05 '24 07:05 Isenr

Any plan for when this will be generally available?

af-vjp avatar Jul 01 '24 14:07 af-vjp

@af-vijay the change from PR #153 was included in release Version 1.1.4.

imdex-brett-debeer avatar Jul 15 '24 03:07 imdex-brett-debeer

When I tried the latest version 2 weeks ago it was not working. Are you sure it is working for you?

af-vjp avatar Jul 15 '24 14:07 af-vjp

With version 1.1.4 I get a new error message:

building AzureRM Client: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

Anyone else experiencing this?

joohano avatar Sep 09 '24 06:09 joohano

When I tried the latest version 2 weeks ago it was not working. Are you sure it is working for you?

We've run hundreds of deployments that worked over the past couple of months, @af-vijay. Apologies for the very delayed response.

imdex-brett-debeer avatar Sep 09 '24 07:09 imdex-brett-debeer