Skip to content

PoC: Federated SPN Credentials #835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
May 8, 2024
Merged

PoC: Federated SPN Credentials #835

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0175c57
rebased
tehcrashxor Apr 26, 2024
d16fe7c
Add ADO Workload Identity Federation support
tehcrashxor Apr 26, 2024
e80722c
rebased
tehcrashxor Apr 26, 2024
344b75b
Rename connection type to match AzureRM's pattern; mark as Preview
tehcrashxor May 8, 2024
d90528d
Merge branch 'main' into users/tehcrash/2404/AdoSpnFederation
tehcrashxor May 8, 2024
c0b875d
Update release notes
tehcrashxor May 8, 2024
9d56861
Update PAC to 1.32.2 for internal testing; actual release may use a h…
tehcrashxor May 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions extension/overview.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,14 @@ Please use the issues tracker in the home repo: <https://github.com/microsoft/po
# Release Notes

{{NextReleaseVersion}}:
- (Preview) The Power Platform Service Connection now supports Workload Identity federation, enabling Service Principals or Managed Identities to authenticate without a Client Secret when configured with Federated Credentials in the Azure Portal.
- Power Platform Tool Installer task can now optionally prepend PAC CLI to the System PATH
- Power Platform Import Data task can now specify the connection count
- Power Platform Create Environment task can now set the Security Group ID for created environments
- Power Platform Create Environment task can now create Developer type environments
- pac CLI 1.32, [Release Notes on nuget.org](https://www.nuget.org/packages/Microsoft.PowerApps.CLI)

2.0.63:
- pac CLI 1.31.6, [Release Notes on nuget.org](https://www.nuget.org/packages/Microsoft.PowerApps.CLI)

2.0.52:
Expand Down
5 changes: 5 additions & 0 deletions extension/service-connections.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,11 @@
}
}
]
},
{
"type": "ms.vss-endpoint.endpoint-auth-scheme-workload-identity-federation",
"displayName": "Workload Identity federation (preview)",
"inputDescriptors": []
}
]
}
Expand Down
18 changes: 9 additions & 9 deletions nuget.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,27 +4,27 @@
"name": "nuget.org",
"url": "https://api.nuget.org/v3-flatcontainer/",
"authenticated": false,
"packages": []
},
{
"name": "CAP_ISVExp_Tools_Stable",
"url": "https://pkgs.dev.azure.com/msazure/_packaging/b0441cf8-0bc8-4fad-b126-841a6184e784/nuget/v3/flat2/",
"authenticated": true,
"patEnvironmentVariable": "AZ_DevOps_Read_PAT",
"packages": [
{
"name": "Microsoft.PowerApps.CLI",
"version": "1.31.6",
"version": "1.32.2",
"internalName": "pac"
},
{
"name": "Microsoft.PowerApps.CLI.Core.linux-x64",
"version": "1.31.6",
"version": "1.32.2",
"internalName": "pac_linux",
"chmod": "tools/pac"
}
]
},
{
"name": "CAP_ISVExp_Tools_Stable",
"url": "https://pkgs.dev.azure.com/msazure/_packaging/b0441cf8-0bc8-4fad-b126-841a6184e784/nuget/v3/flat2/",
"authenticated": true,
"patEnvironmentVariable": "AZ_DevOps_Read_PAT",
"packages": []
},
{
"name": "CAP_ISVExp_Tools_Daily",
"url": "https://pkgs.dev.azure.com/msazure/_packaging/d3fb5788-d047-47f9-9aba-76890f5cecf0/nuget/v3/flat2/",
Expand Down
51 changes: 48 additions & 3 deletions src/params/auth/getCredentials.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

import * as tl from 'azure-pipelines-task-lib/task';
import { URL } from 'url';
import { ClientCredentials, UsernamePassword } from "@microsoft/powerplatform-cli-wrapper";
import { UsernamePassword, AuthCredentials } from "@microsoft/powerplatform-cli-wrapper";
import { EndpointAuthorization, getEndpointAuthorization, getEndpointUrl } from "azure-pipelines-task-lib";
import { getAuthenticationType, AuthenticationType } from "./getAuthenticationType";
import { getEndpointName } from "./getEndpointName";


export function getCredentials(defaultAuthType?: AuthenticationType): ClientCredentials | UsernamePassword {
export function getCredentials(defaultAuthType?: AuthenticationType): AuthCredentials {
const authenticationType = getAuthenticationType(defaultAuthType);
switch (authenticationType) {
case "PowerPlatformEnvironment":
Expand All @@ -18,9 +19,35 @@ export function getCredentials(defaultAuthType?: AuthenticationType): ClientCred
}
}

function getClientCredentials(): ClientCredentials {
function getClientCredentials(): AuthCredentials {
const endpointName = getEndpointName("PowerPlatformSPN");
const authorization = getEndpointAuthorizationParameters(endpointName);

tl.debug("Auth Scheme: " + authorization.scheme);

if (authorization.scheme === "WorkloadIdentityFederation") {
// Set environment variables for Workload Identity Federation
tl.debug('Acquiring Workload Identity Federation details from pipeline service connection');
process.env.PAC_ADO_ID_TOKEN_REQUEST_URL = buildIdTokenRequestUrl();

const pipelineAuth = tl.getEndpointAuthorization('SYSTEMVSSCONNECTION', false);
if (pipelineAuth && pipelineAuth.scheme === 'OAuth') {
tl.debug('Pipeline connection found with OAuth scheme');
process.env.PAC_ADO_ID_TOKEN_REQUEST_TOKEN = pipelineAuth.parameters['AccessToken'];
tl.setSecret(process.env.PAC_ADO_ID_TOKEN_REQUEST_TOKEN); // Mask in logs, though that *should* already be done.
} else {
tl.warning('Could not find pipeline connection details. Workload Identity Federation may not work as expected.');
}

return {
tenantId: authorization.parameters.tenantid,
appId: authorization.parameters.serviceprincipalid,
cloudInstance: resolveCloudInstance(endpointName),
scheme: authorization.scheme,
federationProvider: "AzureDevOps"
};
}

return {
tenantId: authorization.parameters.tenantId,
appId: authorization.parameters.applicationId,
Expand All @@ -31,6 +58,24 @@ function getClientCredentials(): ClientCredentials {
};
}

// Docs: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create?view=azure-devops-rest-7.2
function buildIdTokenRequestUrl(): string {
const oidcApiVersion = '7.2-preview.1';
const projectId = tl.getVariable('System.TeamProjectId');
const hub = tl.getVariable("System.HostType");
const planId = tl.getVariable('System.PlanId');
const jobId = tl.getVariable('System.JobId');
const serviceConnectionId = tl.getInput("PowerPlatformSPN", true);
let uri = tl.getVariable("System.CollectionUri");
if (!uri) {
uri = tl.getVariable("System.TeamFoundationServerUri");
}

const tokenRequestUrl = `${uri}${projectId}/_apis/distributedtask/hubs/${hub}/plans/${planId}/jobs/${jobId}/oidctoken?serviceConnectionId=${serviceConnectionId}&api-version=${oidcApiVersion}`;
tl.debug(`OIDC Token Request URL: ${tokenRequestUrl}`);
return tokenRequestUrl;
}

function getUsernamePassword(): UsernamePassword {
const endpointName = getEndpointName("PowerPlatformEnvironment");
const authorization = getEndpointAuthorizationParameters(endpointName);
Expand Down
Loading