@kkgthb - I was experimenting with this the other day and OIDC with GitHub Actions is possible with raw pac. https://twitter.com/RajYRaman/status/1763004741892891012?t=kmi5wTQIZaj2arICdP-NNg&s=19 Connecting with Azure with Federated Identity and running raw pac should be possible I think, but the official post for secretless auth is self-hosted runner and managed identity. Yeah. But I agree with you. Federated Authentication would be better for Actions and Pipelines.
POC PR: #835
Unlike authenticating an Azure Pipeline into an Azure resource, at the moment there is no "secretless" way to give an Azure Pipeline an opportunity to run tasks such as `PowerPlatformWhoAmi@2` or `PowerPlatformExportSolution@2` by becoming an Entra Service Principal. What a shame!
The Azure team and the Azure DevOps team seem to have partnered up to give an Azure Pipeline the opportunity to "secretlessly" become an Entra Service Principal using workload identity federation.
In fact, they are so all-in on the idea of using workload identity federation to log `azurerm`-typed Azure DevOps Service Connections into Entra Service Principals that there are popups all over the `azurerm`-typed Service Connection user interface asking you if you'd like its help converting your old "secretful" connections to Entra Service Principals (ones that used an Entra App Registration "secret" or "certificate" -- heck, the wizard even offers to auto-delete your old "secretful" way of getting into your Entra Service Principal for you in 7 days).

Can the Power Platform Build Tools team partner with the Azure DevOps Service Connections team to offer the same feature when creating a `powerplatform-spn`-typed Azure DevOps Service Connection, and to have the Power Platform Build Tools tasks all accept such "secretless" connections to Entra Service Principals via `getCredential.ts` and any other applicable code?

Even if the web UI takes a long time to develop, it'd be amazing if, ASAP, `az devops service-endpoint create` wouldn't tell me "Unable to find service connection type 'powerplatform-spn' using authentication scheme 'WorkloadIdentityFederation'." when I try to pass it a `frankenstein.json` file where I pasted over the `authorization` property with details from one of my `azurerm`-typed federated-credential-using Azure DevOps Service Connection files.

From what I understand, Microsoft would like to encourage the authors of all Azure Pipelines to stop using "secretful" Service Connections as a way of "becoming" an Entra Service Principal, and to switch over to "secretless" ones that leverage Federated Identity Credentials.
Thank you so much!
P.S. I haven't tried connecting to Power Platform as an Entra Service Principal connected to an Entra App Registration in GitHub Actions yet, but I'm guessing you might have a similar issue there. Since there's way less "wizard" UI involved in OIDC for GitHub Actions workload identity federation into Entra Service Principals than in Azure DevOps (no "service connection" hoop to jump through, just some carefully-named environment secrets), maybe it can come out even sooner.
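An added example (mine, not the post author's or the Build Tools project's code): a small audit over the JSON that `az devops service-endpoint list -o json` returns, flagging every connection that still carries a stored credential, i.e. anything not on a federated or managed-identity scheme. It assumes the `type` and `authorization.scheme` fields as the CLI returns them and builds its own sample records inline; the `None` scheme on the `powerplatform-spn` record is an assumption.

```python
import json

# Constructed sample in the shape of `az devops service-endpoint list -o json`
# (trimmed to the fields the check reads; ids, names and GUIDs are made up).
# The scheme name on the powerplatform-spn record is an assumption.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": "e1", "name": "sub-prod-federated", "type": "azurerm",
   "authorization": {"scheme": "WorkloadIdentityFederation",
                     "parameters": {"tenantid": "00000000-0000-0000-0000-000000000000",
                                    "serviceprincipalid": "11111111-1111-1111-1111-111111111111"}}},
  {"id": "e2", "name": "sub-prod-legacy", "type": "azurerm",
   "authorization": {"scheme": "ServicePrincipal",
                     "parameters": {"authenticationType": "spnKey",
                                    "tenantid": "00000000-0000-0000-0000-000000000000",
                                    "serviceprincipalid": "22222222-2222-2222-2222-222222222222"}}},
  {"id": "e3", "name": "dataverse-dev", "type": "powerplatform-spn",
   "authorization": {"scheme": "None",
                     "parameters": {"applicationId": "33333333-3333-3333-3333-333333333333",
                                    "tenantId": "00000000-0000-0000-0000-000000000000"}}}
]
"""

# Schemes under which the pipeline obtains a token without a stored secret.
SECRETLESS_SCHEMES = {"WorkloadIdentityFederation", "ManagedServiceIdentity"}


def classify(endpoint):
    """Return (type, scheme, 'secretless'|'secretful') for one endpoint record."""
    scheme = (endpoint.get("authorization") or {}).get("scheme", "")
    label = "secretless" if scheme in SECRETLESS_SCHEMES else "secretful"
    return endpoint.get("type", ""), scheme, label


def audit(endpoints_json):
    """Map endpoint name -> (type, scheme, label) for a JSON list of endpoints."""
    return {ep["name"]: classify(ep) for ep in json.loads(endpoints_json)}


def secretful_names(endpoints_json):
    """Names of connections that still carry a credential, sorted for stable reporting."""
    return sorted(name for name, (_, _, label) in audit(endpoints_json).items()
                  if label == "secretful")


if __name__ == "__main__":
    for name, (etype, scheme, label) in audit(SAMPLE_ENDPOINTS_JSON).items():
        print(f"{label:10} {etype:18} {scheme:28} {name}")
```

Pointed at real output instead of the sample, the `secretful` rows are the connections the wizard described above would offer to convert, plus the `powerplatform-spn` ones it cannot yet.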