koszewscy/ado-sk-toolkit-extension
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
64f713ed811f644265c4abcf1e35776d1f189aec
ado-sk-toolkit-extension/README.md

2.4 KiB
Raw Blame History

Azure DevOps Federated Auth Toolkit

Azure DevOps extension with two tasks:

  • AzureFederatedAuth@1
  • CopyBlob@1

AzureFederatedAuth@1 requests an OIDC token for a selected AzureRM service connection and exports:

  • ARM_OIDC_TOKEN (secret)
  • ARM_TENANT_ID
  • ARM_CLIENT_ID
  • GIT_ACCESS_TOKEN (secret, optional)

Requirements

  • Linux agents (YAML pipelines)
  • Job setting that exposes OAuth token (System.AccessToken)
  • AzureRM service connection with workload identity federation
  • Visual Studio Marketplace publisher account (required to publish/share this extension, including org-only usage)

Build

./scripts/build.sh

This builds the TypeScript task and creates a .vsix extension package in build/.

Publish privately

Publishing (CLI or Web UI) uses the same model:

  • Upload extension version under a Visual Studio Marketplace publisher
  • Share that published extension with your Azure DevOps organization(s)

There is no direct local .vsix install path to an org that bypasses the publisher model.

AZDO_PAT='<your-pat>' ./scripts/publish.sh <vsix-path> <publisher-id> <org1> <org2> <org3>

Example:

AZDO_PAT="$AZDO_PAT" ./scripts/publish.sh ./build/skoszewski-lab.azuredevops-get-oidc-token-task-1.0.5.vsix skoszewski-lab org-a org-b org-c

Manual publish (Web UI)

You can publish the generated .vsix manually in the Visual Studio Marketplace publisher portal:

  1. Build/package first (./scripts/build.sh) and note the .vsix path.
  2. Open your publisher in Visual Studio Marketplace.
  3. Upload the .vsix as a new extension version.
  4. Share the published extension with the target Azure DevOps organization(s).

YAML usage

- task: AzureFederatedAuth@1
  inputs:
    serviceConnectionARM: 'my-arm-service-connection'
    setGitAccessToken: true
    printTokenHashes: false

- task: CopyBlob@1
  inputs:
    serviceConnectionARM: 'my-arm-service-connection'
    srcStorageAccountName: 'srcaccount'
    dstStorageAccountName: 'dstaccount'
    srcContainerName: 'tfstate'
    dstContainerName: 'tfstate-backup'
    blobName: 'lz.tfstate'

See examples/azure-pipelines-smoke.yml for a full smoke validation pipeline.

When setGitAccessToken: true, the task exchanges the OIDC assertion against Entra ID and requests scope 499b84ac-1321-427f-aa17-267ca6975798/.default, then sets GIT_ACCESS_TOKEN.

Author

Slawomir Koszewski

License

MIT. See LICENSE.

Reference in New Issue View Git Blame Copy Permalink