When connecting to external resources like Azure Resource Manager, you need a service connection in Azure DevOps. Normally I utilize a service principal for this purpose. The certificate issued by Microsoft Entra ID was normally valid for two years, but Microsoft changed this to three months in the release of January 18th and is promoting the usage of Workload identity federation (WIF).
When testing this WIF-based service connection I noticed that the OIDC token is only valid for about 50 minutes. This time is too short for the PowerShell script I use to monitor the Azure Image Builder image builds. These image build processes can take up to four hours but now fail with an error message like the one below.
A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-01-22T17:33:11.8833126Z, assertion valid from 2024-01-22T16:43:00.0000000Z, expiry time of assertion 2024-01-22T16:52:59.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials
At this moment there is not much information available. The best information related to my issue I found in a Terraform-related post and in an excellent article by Emanuel Palm called Azure Workload Identity Federation, which contained the information I needed to solve this OIDC token time-out issue.
To solve the issue I had to switch from the AzurePowerShell@5 task to the AzureCLI@2 task. This is needed to get access to the OIDC token, which is added to the environment when you use the addSpnToEnvironment setting.
```yaml
- task: AzureCLI@2
  displayName: 'OIDC token renewal'
  inputs:
    azureSubscription: ''
    scriptType: 'pscore'
    scriptLocation: 'scriptPath'
    scriptPath: 'Invoke-RenewOidcToken.ps1'
    scriptArguments: -AccessToken $(System.AccessToken)
    addSpnToEnvironment: true
```
The Invoke-RenewOidcToken PowerShell script retrieves a new OIDC token by calling the Azure DevOps REST oidctoken endpoint (using the pipeline access token for authorization) and updates the idToken environment variable to extend the session. The script also contains a four-hour test loop to prove that it can run longer than 50 minutes.
```powershell
[CmdletBinding()]
param (
    [Parameter()]
    [string]
    $AccessToken
)

# The service connection ID can be found stored in any of the environment variables named ENDPOINT_DATA_<ServiceConnectionId>_<Something>URL.
try {
    $ServiceConnectionId = (Get-ChildItem -Path Env: -Recurse -Include ENDPOINT_DATA_*)[0].Name.Split('_')[2]
}
catch {
    throw "Unable to determine service connection ID."
}

# Set up a URI for the Azure DevOps API endpoint to get the OpenID Connect token from.
$IdTokenUri = "${env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI}${env:SYSTEM_TEAMPROJECTID}/_apis/distributedtask/hubs/build/plans/${env:SYSTEM_PLANID}/jobs/${env:SYSTEM_JOBID}/oidctoken?serviceConnectionId=${ServiceConnectionId}&api-version=7.1-preview.1"

function Set-IdToken {
    # Request a fresh OIDC token, authorized with the pipeline access token.
    $Response = Invoke-RestMethod -Headers @{
        Authorization  = "Bearer $AccessToken"
        'Content-Type' = 'application/json'
    } `
        -Uri $IdTokenUri `
        -Method Post

    # Renew the OpenID Connect token.
    $env:idToken = $Response.oidctoken

    # Sign-in to Azure to activate the renewed token.
    az login --service-principal --username $env:servicePrincipalId --tenant $env:tenantId --federated-token $Response.oidctoken
    if ($LASTEXITCODE -ne 0) {
        throw "az login with the renewed OpenID Connect token failed."
    }

    Write-Host "The OpenID Connect token has been renewed."
}

# 120 cycles of 120 seconds gives a test run of four hours.
$MaxRepeat = 120

# The ID token expires every 50 minutes. Given a waiting period of 120 seconds it should be renewed every 25 cycles.
$RenewalCycle = 25
$RenewalCounter = 0

# $IsFinished is never set in this test script, so the loop always runs.
if (-not $IsFinished) {
    do {
        $RenewalCounter++
        if ($RenewalCounter -eq $RenewalCycle) {
            Set-IdToken
            $RenewalCounter = 0
        }

        Write-Host "Waiting 120 seconds. Retries left: $MaxRepeat"
        Start-Sleep -Seconds 120
        $MaxRepeat--
    } until ($MaxRepeat -eq 0)
}
```
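The script above renews on a fixed counter. As an added example that is not part of the original script, the renewal can instead be driven by the expiry stored in the token itself. It assumes the OIDC token is a standard three-part JWT with an `exp` claim; the function names and the five-minute margin are illustrative choices.

```powershell
# Added example (not from the original script): renew based on the token's 'exp' claim.
# The payload is decoded only to schedule renewal; the signature is not verified,
# so this output must not be used for any trust decision.
function ConvertFrom-Base64Url {
    param ([Parameter(Mandatory)] [string] $Value)
    $Padded = $Value.Replace('-', '+').Replace('_', '/')
    switch ($Padded.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $Padded += '==' }
        3 { $Padded += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Padded))
}

function Get-JwtExpiry {
    param ([Parameter(Mandatory)] [string] $Token)
    $Parts = $Token.Split('.')
    if ($Parts.Count -ne 3) { throw 'Token is not a three-part JWT.' }
    $Claims = ConvertFrom-Base64Url -Value $Parts[1] | ConvertFrom-Json
    if ($null -eq $Claims.exp) { throw "Token has no 'exp' claim." }
    [DateTimeOffset]::FromUnixTimeSeconds([long] $Claims.exp)
}

function Test-TokenNeedsRenewal {
    param (
        [Parameter(Mandatory)] [string] $Token,
        [TimeSpan] $Margin = [TimeSpan]::FromMinutes(5),   # assumed safety margin
        [DateTimeOffset] $Now = [DateTimeOffset]::UtcNow
    )
    # True when the remaining lifetime is at or below the margin (or already negative).
    (Get-JwtExpiry -Token $Token).Subtract($Now) -le $Margin
}

# Constructed sample: an unsigned token expiring in 3 minutes (not a real Azure DevOps token).
function ConvertTo-Base64Url ([string] $Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$Exp = [DateTimeOffset]::UtcNow.AddMinutes(3).ToUnixTimeSeconds()
$Sample = '{0}.{1}.sig' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url "{`"exp`":$Exp}")

Test-TokenNeedsRenewal -Token $Sample                                        # default 5-minute margin
Test-TokenNeedsRenewal -Token $Sample -Margin ([TimeSpan]::FromMinutes(1))   # 1-minute margin
```

Inside the wait loop, `if (Test-TokenNeedsRenewal -Token $env:idToken) { Set-IdToken }` would take the place of the `$RenewalCounter` check, so the renewal interval follows whatever lifetime the issuer actually grants.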