Add support for workload identity federation authentication.

frontierhq · May 30, 2024 · f591a5b · f591a5b
1 parent 92bc956
commit f591a5b
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Sheriff Azure DevOps Extension Changelog
 
+## 0.0.6
+
+* `SheriffPlan` and `SheriffApply` tasks updated to support workload identity federation authentication.
+
 ## 0.0.5
 
 * `InstallSheriffCLI` task updated to download Sheriff from Azure Storage.

diff --git a/README.rst b/README.rst
@@ -20,8 +20,8 @@ About
 
 This is an Azure DevOps extension that provides tasks for installing and running
 `Sheriff <https://github.com/gofrontier-com/sheriff>`_, a command line tool to
-manage Azure role-based access control (Azure RBAC) and Microsoft Entra
-Privileged Identity Management (Microsoft Entra PIM) using desired state configuration.
+manage Microsoft Entra Privileged Identity Management (Microsoft Entra PIM) using
+desired state configuration.
 
 ------------
 Installation

diff --git a/tasks/SheriffApply/SheriffApplyV0/package-lock.json b/tasks/SheriffApply/SheriffApplyV0/package-lock.json
diff --git a/tasks/SheriffApply/SheriffApplyV0/package.json b/tasks/SheriffApply/SheriffApplyV0/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sheriff-apply-task",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "",
   "scripts": {
     "test": "run-p test:*",

diff --git a/tasks/SheriffApply/SheriffApplyV0/src/index.js b/tasks/SheriffApply/SheriffApplyV0/src/index.js
@@ -1,5 +1,8 @@
 #!/usr/bin/env node
 
+const fs = require('fs');
+const path = require('path');
+
 const tl = require('azure-pipelines-task-lib/task');
 
 async function run() {
@@ -11,6 +14,8 @@ async function run() {
 
     let subscriptionId = tl.getInput('subscriptionId', false);
 
+    const agentTempDirectory = tl.getVariable('Agent.TempDirectory');
+
     const env = {};
 
     const authScheme = tl.getEndpointAuthorizationScheme(connectedService, true);
@@ -22,7 +27,18 @@ async function run() {
 
     if (authScheme.toLowerCase() === 'workloadidentityfederation') {
       tl.debug('workload identity federation scheme');
-      throw new Error('Workload identity federation scheme not implemented');
+      const servicePrincipalId = tl.getEndpointAuthorizationParameter(connectedService, 'serviceprincipalid', false);
+      env.AZURE_CLIENT_ID = servicePrincipalId;
+
+      const tenantId = tl.getEndpointAuthorizationParameter(connectedService, 'tenantid', false);
+      env.AZURE_TENANT_ID = tenantId;
+
+      const federatedToken = await this.getIdToken(connectedService);
+      tl.setSecret(federatedToken);
+
+      const federatedTokenFilePath = path.join(agentTempDirectory, 'azure-identity-token');
+      fs.writeFileSync(federatedTokenFilePath, federatedToken);
+      env.AZURE_FEDERATED_TOKEN_FILE = federatedTokenFilePath;
     } else if (authScheme.toLowerCase() === 'serviceprincipal') {
       tl.debug('service principal scheme');
       const authType = tl.getEndpointAuthorizationParameter(connectedService, 'authenticationType', false);

diff --git a/tasks/SheriffPlan/SheriffPlanV0/package-lock.json b/tasks/SheriffPlan/SheriffPlanV0/package-lock.json
diff --git a/tasks/SheriffPlan/SheriffPlanV0/package.json b/tasks/SheriffPlan/SheriffPlanV0/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sheriff-plan-task",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "",
   "scripts": {
     "test": "run-p test:*",

diff --git a/tasks/SheriffPlan/SheriffPlanV0/src/index.js b/tasks/SheriffPlan/SheriffPlanV0/src/index.js
@@ -1,5 +1,8 @@
 #!/usr/bin/env node
 
+const fs = require('fs');
+const path = require('path');
+
 const tl = require('azure-pipelines-task-lib/task');
 
 async function run() {
@@ -10,6 +13,8 @@ async function run() {
 
     let subscriptionId = tl.getInput('subscriptionId', false);
 
+    const agentTempDirectory = tl.getVariable('Agent.TempDirectory');
+
     const env = {};
 
     const authScheme = tl.getEndpointAuthorizationScheme(connectedService, true);
@@ -21,7 +26,18 @@ async function run() {
 
     if (authScheme.toLowerCase() === 'workloadidentityfederation') {
       tl.debug('workload identity federation scheme');
-      throw new Error('Workload identity federation scheme not implemented');
+      const servicePrincipalId = tl.getEndpointAuthorizationParameter(connectedService, 'serviceprincipalid', false);
+      env.AZURE_CLIENT_ID = servicePrincipalId;
+
+      const tenantId = tl.getEndpointAuthorizationParameter(connectedService, 'tenantid', false);
+      env.AZURE_TENANT_ID = tenantId;
+
+      const federatedToken = await this.getIdToken(connectedService);
+      tl.setSecret(federatedToken);
+
+      const federatedTokenFilePath = path.join(agentTempDirectory, 'azure-identity-token');
+      fs.writeFileSync(federatedTokenFilePath, federatedToken);
+      env.AZURE_FEDERATED_TOKEN_FILE = federatedTokenFilePath;
     } else if (authScheme.toLowerCase() === 'serviceprincipal') {
       tl.debug('service principal scheme');
       const authType = tl.getEndpointAuthorizationParameter(connectedService, 'authenticationType', false);