Using Managed Identity in Azure DevOps Pipeline with Federated Identity
There was an announcement back in September that workload federated identity has finally been introduced to Azure DevOps. If you’re completely new to federated identity on Azure, workload identity federation uses Open ID Connect (OIDC) to simplify the authentication between Azure Pipelines and Azure. Together with managed identity, you can avoid using secrets for authentication, which can help you achieve zero-trust DevOps pipeline.
Setting it up requires very minimal effort which is the main topic for the article. I’ve written many articles around federated identity, managed identity and more, so I will go straight to the implementation.
Set up Managed Identity with Azure DevOps
We will start by creating managed identity. Go to Azure portal and create one quickly.
Federated identity demands three essential information — Issuer URL, Subject identifier and Audience. These are crucial details for exchanging the token generated by Azure DevOps with the Azure Entra ID token, enabling the management of Azure resources. Head to Azure DevOps and create a service connection type “Azure Resource Manager”.
Azure DevOps provides two methods for Workload Identity federation. In this article, we will opt for the manual way, as automatic method defaults to using Service Principal. The next step highlights two crucial details: the Issuer URL and Subject, which are essential for configuring federated identity on Azure.
Before saving it, you should go back to Azure portal and configure federated identity first. It’s under “Federated credentials” menu of managed identity. Add Credential and choose scenario “Other”
Once credential is configured, Go back to Azure DevOps and save the service connection. It will verify the configuration of federated identity and save the connection only if the configuration is set up properly.
Use Pipeline Tasks
There are list of tasks which support federated identity — AzureAppServiceManage, AzureAppServiceSettings, AzureCLI, AzureCloudPowerShellDeployment, AzureContainerApps, AzureFunctionAppContainer, AzureFunctionApp, AzureKeyVault, AzureMonitor, AzureMysqlDeployment, AzurePolicy, AzurePowerShell, AzureResourceGroupDeployment, AzureResourceManagerTemplateDeployment, AzureRmWebAppDeployment, AzureSpringCloud, AzureVmssDeployment, AzureWebAppContainer, AzureWebApp, DockerCompose, Docker, HelmDeploy, InvokeRestApi, JavaToolInstaller, JenkinsDownloadArtifacts, Kubernetes.
I have given ‘Contributor’ role to my managed identity for resource group ‘sandbox-rg’
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- main
pool:
name: "aks-federated-identity"
steps:
- task: AzureCLI@2
inputs:
addSpnToEnvironment: true
azureSubscription: 'ado-pipeline-mi'
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
az group list
az aks get-credentials --resource-group sandbox-rg --name rbac-clusterRun the pipeline.
Wrapping Up
Eliminating PAT usage and incorporating managed identity for Azure Resource Manager will significantly enhance the overall security posture of Azure DevOps which developers don’t want to miss. Before wrapping up this brief article, I’d like to share a link with you all. Azure DevOps regularly updates its features on the Azure DevOps Roadmap page, a valuable resource that I highly recommend Azure DevOps users check regularly.
If you enjoyed my article, I’d appreciate a few claps or a follow. Get notified for the new articles by subscribing, and let’s stay connected on Linkedin. Thank you for your time and happy reading!
