October 31st, 2023

Azure DevOps Workload Identity Federation

Developer Support
Cloud Solution Architects

With the recent arrival of the Public preview of Workload identity federation for Azure Pipelines, you may be wondering how to efficiently migrate dozens or even hundreds of ARM Service Connections to take advantage of these benefits.  In this post, Emmanuel Knafo dives right in.


With the recent arrival of the Public preview of Workload identity federation for Azure Pipelines, you may be wondering how to efficiently migrate my dozens or even hundreds of ARM Service Connections to take advantage of these main benefits:

  • Simplified management: You do not need to generate, copy, and store secrets from service principals in Azure Entra ID to Azure DevOps anymore. Secrets that are used in other authentication schemes of Azure service connections (e.g., service principal) expire after a certain period (2 years currently). When they expire, pipelines fail. You have to generate a new secret and update the service connection. Switching to workload identity federation eliminates the need to manage these secrets and improves the overall experience of creating and managing service connections.
  • Improved security: With workload identity federation, the federation subject sc://<org>/<project>/<service connection name> uniquely identifies what the identity can be used for, which provides a better constraint than a (shared) secret. There is no persistent secret involved in the communication between Azure Pipelines and Azure. As a result, tasks running in pipeline jobs cannot leak or exfiltrate secrets that have access to your production environments. This has often been a concern for our customers.

Image recommended authentication method 1024 215 526

Check out the full post here to start learning.

Author

Developer Support
Cloud Solution Architects

Microsoft Developer Support helps software developers rapidly build and deploy quality applications for Microsoft platforms.

0 comments

Discussion are closed.