Skip to main content

Solving Azure DevOps Workload Identity Federation service connection 50 minute time-out error

 When connecting to external resources like Azure Resource Manager you will need a service connection in Azure DevOps. Normally I utilize a service principal for this purpose. The certificate issued by Microsoft Entra ID was normally valid for two years but Microsoft changed this to three months in the release of January 18th and is promoting the usage of Workload identity federation (WIF).

When testing this WIF based service connection I noticed that the OIDC token is only valid for about 50 minutes. This time is to short for the PowerShell script I use to monitor the Azure Image Builder image builds. These image build processes can take up to four hours but fail now with an error message like the one below.

A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-01-22T17:33:11.8833126Z, assertion valid from 2024-01-22T16:43:00.0000000Z, expiry time of assertion 2024-01-22T16:52:59.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials

At this moment there is not much information available. The best information related to my issue I found in a Terraform related post and an excellent article of Emanual Palm called Azure Workload Identity Federation which contained the information I needed for solving this OIDC token time-out issue.

To solve the issue I had to switch from the AzurePowerShell@5 step to the AzureCLI@2 task. This is needed to have access to the OIDC token which is added when you use the addSpnToEnvironment setting.

- task: AzureCLI@2
  displayName: 'OIDC token renewal'
  inputs:
    azureSubscription: ''
    scriptType: 'pscore'
    scriptLocation: 'scriptPath'
    scriptPath: 'Invoke-RenewOidcToken.ps1'
    scriptArguments:
      -AccessToken $(System.AccessToken)
    addSpnToEnvironment: true

The Invoke-RenewOidcToken PowerShell script contains the logic to retrieve a new OIDC token by calling the Azure DevOps REST oidctoken endpoint (using the pipeline access token for the authorization) and it changes the idToken environment variable to extend the session. The script contains also a 4 hour run test cycle to prove that the script can run longer than 50 minutes.

[CmdletBinding()]
param (
    [Parameter()]
    [string]
    $AccessToken
)

# The service connection ID can be found stored in any of the environment variables named ENDPOINT_DATA_<ServiceConnectionId>_<Something>URL.
try {
    $ServiceConnectionId = (Get-ChildItem -Path Env: -Recurse -Include ENDPOINT_DATA_*)[0].Name.Split('_')[2]
}
catch {
    throw "Unable to determine service connection ID."
}

# Set up an URI for the Azure DevOps API endpoint to get the OpenID Connect token from.
$IdTokenUri = "${env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI}${env:SYSTEM_TEAMPROJECTID}/_apis/distributedtask/hubs/build/plans/${env:SYSTEM_PLANID}/jobs/${env:SYSTEM_JOBID}/oidctoken?serviceConnectionId=${ServiceConnectionId}&api-version=7.1-preview.1"

function Set-IdToken {
    $Response = Invoke-RestMethod -Headers @{
            Authorization  = "Bearer $AccessToken"
            'Content-Type' = 'application/json'
        } `
        -Uri $IdTokenUri `
        -Method Post

    # Renew the OpenID Connect token.
    $env:idToken = $Response.oidctoken
    
    # Sign-in to Azure to activate the renewed token.
    az login --service-principal --username $env:servicePrincipalId --tenant $env:tenantId --federated-token $Response.oidctoken
    
    Write-Host "The OpenID Connect token has been renewed."
}

$MaxRepeat = 120

# The ID token expires every 50 minutes. Given a waiting period of 120 seconds it should be renewed every 25 cycles.
$RenewalCycle = 25
$RenewalCounter = 0

if (-not $IsFinished) {
    do {
        $RenewalCounter++

        if ($RenewalCounter -eq $RenewalCycle) {
            Set-IdToken
            $RenewalCounter = 0
        }

        Write-Host "Waiting 120 seconds. Retries left: $MaxRepeat"
        Start-Sleep -Seconds 120

        $MaxRepeat--
    } until ($MaxRepeat -eq 0)
}
Labels:

Comments

Post a Comment

Popular posts from this blog

Assign an existing certificate to your IIS website with WiX

Recently I had to change the bindings of existing IIS hosted websites and APIs from HTTP to HTTPS. They are installed with a MSI file created with the WiX Toolset . Because I have to use an already on the server installed certificate I cannot use the Certificate element from the IIS Extension because this element only supports installing and uninstalling certificates based on PFX files. After doing some research I found the blog article Assign Certificate (Set HTTPS Binding certificate) to IIS website from Wix Installer which described the usage of Custom Actions for this purpose. I adopted this approach and rewrote the code for my scenario. With WiX I still create the website. <iis:WebSite Id="WebSite" ConfigureIfExists="yes" AutoStart="yes" Description="MyWebsite" Directory="IISROOT" StartOnInstall="yes"> <iis:WebAddress Id="WebSite...
Post a Comment
Read more

Permantly delete an AD object

At the moment I am busy with PowerShell DSC scripts that also create objects within the Active Directory. Because it's work in progress you have to delete those objects regularly. Witin this sandbox environment the recycle bin feature is enabled so the objects are kept 30 days.  To permantly delete such objects (so you have a clean testing situation) you can use the following PowerShell command. Get-ADObject -filter {sAMAccountName -eq "<name of object>$"} -includeDeletedObjects -property * | Remove-ADObject
Post a Comment
Read more

Make steps conditional in multi-stage YAML pipelines

To make the switch from the graphical release pipelines in Azure DevOps I am missing two features. The first one is to be able to defer a deploy and the second one is to exclude certain deployment steps without the need for editing the YAML file.  The defer option is something Microsoft has to solve in their Azure DevOps proposition. It's a feature which you have in the graphical release pipeline but what they have not implemented yet in their YAML pipeline replacement. Approvals and certain gate conditions are implemented on the environment but the defer option is still missing .  Pipeline The conditional deployment option can be implemented with the help of runtime parameters and expressions . In the parameter section you define boolean parameters which will control the deploy behavior. With the expressions you can control which stage/job/task should be executed when the pipeline runs. In the below YAML sample I experimented with conditions in the azure-pipelines.yml ...
Post a Comment
Read more