You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Modify the test.yml pipeline template to add support for workflow identity federation for nightly testing pipelines. We do this by adding two new steps, one dummy keyvault step to connect to the newly-created AzCodeE2ETests service connection for this purpose. The other is a "real" Key Vault step connecting to the AzCodeE2ETestsCredsKV key vault, to obtain the identifiers required to connect to the AzCodeE2ETests service connection and obtain an OIDC token in code. Then, the needed environment variables are manually propagated to the Test step.
Updated the main 1esmain.yml pipeline such that it accepts a useAzureFederatedCredentials parameter, which is passed all the way down to the test.yml template, which includes the relevant key vault steps (and sets the relevant env vars) only if useAzureFederatedCredentials is set to true. I tested this on a few pipelines and confirmed that if useAzureFederatedCredentials is false (the default, basically no change on the client extensions side), the pipeline runs the same test step as before, and without prompting for permissions. If useAzureFederatedCredentials parameter is set to true, that's when the Key Vault steps are included and env vars are propagated, and that's when permissions are prompted. Since this is a template parameter and not a runtime condition, this is figured out at "compile time", no two .yml files needed! @alexweininger Who's the plumber now? 😎
Updated the main 1esmain.yml pipeline such that it accepts a useAzureFederatedCredentials parameter, which is passed all the way down to the test.yml template, which includes the relevant key vault steps (and sets the relevant env vars) only if useAzureFederatedCredentials is set to true. I tested this on a few pipelines and confirmed that if useAzureFederatedCredentials is false (the default, basically no change on the client extensions side), the pipeline runs the same test step as before, and without prompting for permissions. If useAzureFederatedCredentials parameter is set to true, that's when the Key Vault steps are included and env vars are propagated, and that's when permissions are prompted. Since this is a template parameter and not a runtime condition, this is figured out at "compile time", no two .yml files needed!
That is epic, great work.
Who's the plumber now? 😎
I'm happy to hand over my denim overalls and tool box 👷 🪠 🧰
hossam-nasr
changed the title
[azure-pipelines] Add workflow identity federation to the test pipeline template
azure-pipelines: Add workflow identity federation to the test pipeline template
May 14, 2024
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
hossam-nasr
changed the title
Modify the
test.ymlpipeline template to add support for workflow identity federation for nightly testing pipelines. We do this by adding two new steps, one dummy keyvault step to connect to the newly-createdAzCodeE2ETestsservice connection for this purpose. The other is a "real" Key Vault step connecting to theAzCodeE2ETestsCredsKVkey vault, to obtain the identifiers required to connect to theAzCodeE2ETestsservice connection and obtain an OIDC token in code. Then, the needed environment variables are manually propagated to theTeststep.