Azure · ellismg · Nov 6, 2024 · Sep 18, 2024
@@ -1,5 +1,6 @@
 AADSTS
 ABRT
+ACCESSTOKEN
 aiomysql
 aiopg
 alphafeatures
@@ -50,6 +51,7 @@ AZURECLI
 azureedge
 azureml
 azurestaticapps
+AZURESUBSCRIPTION
 azuretools
 azureutil
 azureyaml

@@ -34,6 +34,25 @@ import (
 // The parent of the login command.
 const loginCmdParentAnnotation = "loginCmdParent"
 
+// azurePipelinesClientIDEnvVarName is the name of the environment variable that contains the client ID for the principal
+// to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and AzurePowerShell@5 tasks
+// when using a service connection or can be set manually when not using these tasks.
+const azurePipelinesClientIDEnvVarName = "AZURESUBSCRIPTION_CLIENT_ID"
+
+// azurePipelinesTenantIDEnvVarName is the name of the environment variable that contains the tenant ID for the principal
+// to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and AzurePowerShell@5 tasks
+// when using a service connection or can be set manually when not using these tasks.
+const azurePipelinesTenantIDEnvVarName = "AZURESUBSCRIPTION_TENANT_ID"
+
+// AzurePipelinesServiceConnectionNameEnvVarName is the name of the environment variable that contains the name of the
+// service connection to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and
+// AzurePowerShell@5 tasks when using a service connection or can be set manually when not using these tasks.
+const azurePipelinesServiceConnectionIDEnvVarName = "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"
+
+// azurePipelinesProvider is the name of the federated token provider to use when authenticating with Azure Pipelines via
+// OIDC.
+const azurePipelinesProvider string = "azure-pipelines"
+
 type authLoginFlags struct {
 	loginFlags
 }
@@ -389,6 +408,18 @@ func runningOnCodespacesBrowser(ctx context.Context, commandRunner exec.CommandR
 }
 
 func (la *loginAction) login(ctx context.Context) error {
+	if la.flags.federatedTokenProvider == azurePipelinesProvider {
+		if la.flags.clientID == "" {
+			log.Printf("setting client id from environment variable %s", azurePipelinesClientIDEnvVarName)
+			la.flags.clientID = os.Getenv(azurePipelinesClientIDEnvVarName)
+		}
+
+		if la.flags.tenantID == "" {
+			log.Printf("setting tenant id from environment variable %s", azurePipelinesClientIDEnvVarName)
+			la.flags.tenantID = os.Getenv(azurePipelinesTenantIDEnvVarName)
+		}
+	}
+
 	if la.flags.managedIdentity {
 		if _, err := la.authManager.LoginWithManagedIdentity(
 			ctx, la.flags.clientID,
@@ -451,9 +482,22 @@ func (la *loginAction) login(ctx context.Context) error {
 			); err != nil {
 				return fmt.Errorf("logging in: %w", err)
 			}
-		case la.flags.federatedTokenProvider != "":
-			if _, err := la.authManager.LoginWithServicePrincipalFederatedTokenProvider(
-				ctx, la.flags.tenantID, la.flags.clientID, la.flags.federatedTokenProvider,
+		case la.flags.federatedTokenProvider == "github":
+			if _, err := la.authManager.LoginWithGitHubFederatedTokenProvider(
+				ctx, la.flags.tenantID, la.flags.clientID,
+			); err != nil {
+				return fmt.Errorf("logging in: %w", err)
+			}
+		case la.flags.federatedTokenProvider == azurePipelinesProvider:
+			serviceConnectionID := os.Getenv(azurePipelinesServiceConnectionIDEnvVarName)
+
+			if serviceConnectionID == "" {
+				return fmt.Errorf("must set %s for azure-pipelines federated token provider",
+					azurePipelinesServiceConnectionIDEnvVarName)
+			}
+
+			if _, err := la.authManager.LoginWithAzurePipelinesFederatedTokenProvider(
+				ctx, la.flags.tenantID, la.flags.clientID, serviceConnectionID,
 			); err != nil {
 				return fmt.Errorf("logging in: %w", err)
 			}

@@ -53,6 +53,16 @@ const useAzCliAuthKey = "auth.useAzCliAuth"
 // auth related configuration information (e.g. the home account id of the current user). This information is not secret.
 const authConfigFileName = "auth.json"
 
+// azurePipelinesSystemAccessTokenEnvVarName is the name of the environment variable that contains the system access token
+// used to auth against the ODIC endpoint for Azure Pipelines. It needs to be set by the task that runs the azd command by
+// adding `SYSTEM_ACCESSTOKEN: $(System.AccessToken)` to the `env` section of the task configuration.
+const azurePipelinesSystemAccessTokenEnvVarName = "SYSTEM_ACCESSTOKEN"
+
+// errNoSystemAccessTokenEnvVar is returned when the System.AccessToken environment variable is not set.
+var errNoSystemAccessTokenEnvVar = fmt.Errorf(
+	"system access token not found, ensure the System.AccessToken value is mapped to an environment variable named %s",
+	azurePipelinesSystemAccessTokenEnvVarName)
+
 // HttpClient interface as required by MSAL library.
 type HttpClient interface {
 	// Do sends an HTTP request and returns an HTTP response.
@@ -312,11 +322,6 @@ func (m *Manager) CredentialForCurrentUser(
 		}
 		return m.newCredentialFromManagedIdentity(clientID)
 	} else if currentUser.TenantID != nil && currentUser.ClientID != nil {
-		ps, err := m.loadSecret(*currentUser.TenantID, *currentUser.ClientID)
-		if err != nil {
-			return nil, fmt.Errorf("loading secret: %w: %w", err, ErrNoCurrentUser)
-		}
-
 		// by default we used the stored tenant (i.e. the one provided with the tenant id parameter when a user ran
 		// `azd auth login`), but we allow an override using the options bag, when
 		// TenantID is non-empty and PreferFallbackTenant is not true.
@@ -326,13 +331,18 @@ func (m *Manager) CredentialForCurrentUser(
 			tenantID = options.TenantID
 		}
 
+		ps, err := m.loadSecret(*currentUser.TenantID, *currentUser.ClientID)
+		if err != nil {
+			return nil, fmt.Errorf("loading secret: %w: %w", err, ErrNoCurrentUser)
+		}
+
 		if ps.ClientSecret != nil {
 			return m.newCredentialFromClientSecret(tenantID, *currentUser.ClientID, *ps.ClientSecret)
 		} else if ps.ClientCertificate != nil {
 			return m.newCredentialFromClientCertificate(tenantID, *currentUser.ClientID, *ps.ClientCertificate)
 		} else if ps.FederatedAuth != nil && ps.FederatedAuth.TokenProvider != nil {
 			return m.newCredentialFromFederatedTokenProvider(
-				tenantID, *currentUser.ClientID, *ps.FederatedAuth.TokenProvider)
+				tenantID, *currentUser.ClientID, *ps.FederatedAuth.TokenProvider, ps.FederatedAuth.ServiceConnectionID)
 		}
 	}
 
@@ -518,35 +528,62 @@ func (m *Manager) newCredentialFromFederatedTokenProvider(
 	tenantID string,
 	clientID string,
 	provider federatedTokenProvider,
+	serviceConnectionID *string,
 ) (azcore.TokenCredential, error) {
-	if provider != gitHubFederatedAuth {
-		return nil, fmt.Errorf("unsupported federated token provider: '%s'", string(provider))
-	}
-	options := &azidentity.ClientAssertionCredentialOptions{
-		ClientOptions: azcore.ClientOptions{
-			Transport: m.httpClient,
-			// TODO: Inject client options instead? this can be done if we're OK
-			// using the default user agent string.
-			Cloud: m.cloud.Configuration,
-		},
-	}
-	cred, err := azidentity.NewClientAssertionCredential(
-		tenantID,
-		clientID,
-		func(ctx context.Context) (string, error) {
-			federatedToken, err := m.ghClient.TokenForAudience(ctx, "api://AzureADTokenExchange")
-			if err != nil {
-				return "", fmt.Errorf("fetching federated token: %w", err)
-			}
+	clientOptions := azcore.ClientOptions{
+		Transport: m.httpClient,
+		// TODO: Inject client options instead? this can be done if we're OK
+		// using the default user agent string.
+		Cloud: m.cloud.Configuration,
+	}
+
+	switch provider {
+	case gitHubFederatedTokenProvider:
+		cred, err := azidentity.NewClientAssertionCredential(
+			tenantID,
+			clientID,
+			func(ctx context.Context) (string, error) {
+				federatedToken, err := m.ghClient.TokenForAudience(ctx, "api://AzureADTokenExchange")
+				if err != nil {
+					return "", fmt.Errorf("fetching federated token: %w", err)
+				}
 
-			return federatedToken, nil
-		},
-		options)
-	if err != nil {
-		return nil, fmt.Errorf("creating credential: %w", err)
-	}
+				return federatedToken, nil
+			},
+			&azidentity.ClientAssertionCredentialOptions{
+				ClientOptions: clientOptions,
+			})
+		if err != nil {
+			return nil, fmt.Errorf("creating credential: %w", err)
+		}
 
-	return cred, nil
+		return cred, nil
+
+	case azurePipelinesFederatedTokenProvider:
+		systemAccessToken := os.Getenv(azurePipelinesSystemAccessTokenEnvVarName)
+		if systemAccessToken == "" {
+			return nil, errNoSystemAccessTokenEnvVar
+		}
+
+		// Guard against the case where the service connection ID is not set because someone manually edited the json
+		// files managed by `azd auth login`.
+		if serviceConnectionID == nil {
+			return nil, errors.New("service connection ID not found, please run `azd auth login` to authenticate")
+		}
+
+		cred, err := azidentity.NewAzurePipelinesCredential(
+			tenantID, clientID, *serviceConnectionID, systemAccessToken, &azidentity.AzurePipelinesCredentialOptions{
+				ClientOptions: clientOptions,
+			},
+		)
+		if err != nil {
+			return nil, fmt.Errorf("creating credential: %w: %w", err, ErrNoCurrentUser)
+		}
+
+		return cred, nil
+	default:
+		return nil, fmt.Errorf("unsupported federated token provider: '%s'", string(provider))
+	}
 }
 
 func (m *Manager) newCredentialFromCloudShell() (azcore.TokenCredential, error) {
@@ -755,10 +792,10 @@ func (m *Manager) LoginWithServicePrincipalCertificate(
 	return cred, nil
 }
 
-func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
-	ctx context.Context, tenantId, clientId, provider string,
+func (m *Manager) LoginWithGitHubFederatedTokenProvider(
+	ctx context.Context, tenantId, clientId string,
 ) (azcore.TokenCredential, error) {
-	cred, err := m.newCredentialFromFederatedTokenProvider(tenantId, clientId, federatedTokenProvider(provider))
+	cred, err := m.newCredentialFromFederatedTokenProvider(tenantId, clientId, gitHubFederatedTokenProvider, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -768,7 +805,7 @@ func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
 		clientId,
 		&persistedSecret{
 			FederatedAuth: &federatedAuth{
-				TokenProvider: &gitHubFederatedAuth,
+				TokenProvider: &gitHubFederatedTokenProvider,
 			},
 		},
 	); err != nil {
@@ -778,6 +815,41 @@ func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
 	return cred, nil
 }
 
+func (m *Manager) LoginWithAzurePipelinesFederatedTokenProvider(
+	ctx context.Context, tenantID string, clientID string, serviceConnectionID string,
+) (azcore.TokenCredential, error) {
+	systemAccessToken := os.Getenv(azurePipelinesSystemAccessTokenEnvVarName)
+
+	if systemAccessToken == "" {
+		return nil, errNoSystemAccessTokenEnvVar
+	}
+
+	options := &azidentity.AzurePipelinesCredentialOptions{
+		ClientOptions: azcore.ClientOptions{
+			Transport: m.httpClient,
+			// TODO: Inject client options instead? this can be done if we're OK
+			// using the default user agent string.
+			Cloud: m.cloud.Configuration,
+		},
+	}
+
+	cred, err := azidentity.NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken, options)
+	if err != nil {
+		return nil, fmt.Errorf("creating credential: %w", err)
+	}
+
+	if err := m.saveLoginForServicePrincipal(tenantID, clientID, &persistedSecret{
+		FederatedAuth: &federatedAuth{
+			TokenProvider:       &azurePipelinesFederatedTokenProvider,
+			ServiceConnectionID: &serviceConnectionID,
+		},
+	}); err != nil {
+		return nil, err
+	}
+
+	return cred, nil
+}
+
 // Logout signs out the current user and removes any cached authentication information
 func (m *Manager) Logout(ctx context.Context) error {
 	act, err := m.getSignedInAccount(ctx)
@@ -1017,7 +1089,8 @@ type persistedSecret struct {
 
 // federated auth token providers
 var (
-	gitHubFederatedAuth federatedTokenProvider = "github"
+	gitHubFederatedTokenProvider         federatedTokenProvider = "github"
+	azurePipelinesFederatedTokenProvider federatedTokenProvider = "azure-pipelines"
 )
 
 // token provider for federated auth
@@ -1027,6 +1100,9 @@ type federatedTokenProvider string
 type federatedAuth struct {
 	// The auth token provider. Tokens are obtained by calling the provider as needed.
 	TokenProvider *federatedTokenProvider `json:"tokenProvider,omitempty"`
+	// The ID of the service connection to use for Azure Pipelines federated auth. This is only set when the TokenProvider
+	// is "azure-pipelines".
+	ServiceConnectionID *string `json:"serviceConnectionId,omitempty"`
 }
 
 // userProperties is the model type for the value we store in the user's config. It is logically a discriminated union of

@@ -150,9 +150,7 @@ func TestServicePrincipalLoginFederatedTokenProvider(t *testing.T) {
 		cloud: cloud.AzurePublic(),
 	}
 
-	cred, err := m.LoginWithServicePrincipalFederatedTokenProvider(
-		context.Background(), "testClientId", "testTenantId", "github",
-	)
+	cred, err := m.LoginWithGitHubFederatedTokenProvider(context.Background(), "testClientId", "testTenantId")
 
 	require.NoError(t, err)
 	require.IsType(t, new(azidentity.ClientAssertionCredential), cred)

@@ -4,8 +4,8 @@ go 1.23
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.2
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/apimanagement/armapimanagement v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appconfiguration/armappconfiguration v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appcontainers/armappcontainers/v3 v3.0.0-beta.1
@@ -68,13 +68,13 @@ require (
 	go.opentelemetry.io/otel/trace v1.8.0
 	go.uber.org/atomic v1.9.0
 	go.uber.org/multierr v1.8.0
-	golang.org/x/sys v0.21.0
+	golang.org/x/sys v0.25.0
 	gopkg.in/dnaeon/go-vcr.v3 v3.1.2
 )
 
 require (
 	github.com/Azure/azure-pipeline-go v0.2.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -99,10 +99,10 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.8.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.8.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.18.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/term v0.24.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.56.3 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect