[release/9.0] Use WIF-based Entra auth for OneLocBuild ceapex feed access#17085
Open
missymessa wants to merge 2 commits into
Open
[release/9.0] Use WIF-based Entra auth for OneLocBuild ceapex feed access#17085missymessa wants to merge 2 commits into
missymessa wants to merge 2 commits into
Conversation
Cherry-pick of onelocbuild-wif-migration (main) to release/9.0. Replace PAT-based authentication with Entra token acquired via AzureCLI@2 and the dnceng-onelocbuild-ceapex service connection. Related: AzDO#10151
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the OneLocBuild job template to support accessing ceapex feeds using a WIF-based Entra token (via an Azure service connection) instead of relying solely on a PAT, enabling more secure authentication for internal pipelines.
Changes:
- Adds a
CeapexServiceConnectionparameter (defaulting todnceng-onelocbuild-ceapex) with an opt-out ('') to fall back to PAT auth. - Acquires an Entra access token via
AzureCLI@2when the service connection is set, and wires it into the OneLocBuild task’spatVariable. - Updates the OneLocBuild task reference to
OneLocBuild@3.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+81
to
+93
| # Acquire Entra token for ceapex feed access when using WIF-based auth | ||
| - ${{ if ne(parameters.CeapexServiceConnection, '') }}: | ||
| - task: AzureCLI@2 | ||
| displayName: 'Acquire Entra token for ceapex feed access' | ||
| inputs: | ||
| azureSubscription: ${{ parameters.CeapexServiceConnection }} | ||
| scriptType: 'pscore' | ||
| scriptLocation: 'inlineScript' | ||
| inlineScript: | | ||
| $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv | ||
| if (-not $token) { Write-Error "Failed to acquire AzDO token"; exit 1 } | ||
| Write-Host "##vso[task.setvariable variable=CeapexEntraToken;issecret=true]${token}" | ||
| condition: ${{ parameters.condition }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cherry-pick of #17083 to release/9.0.
Replaces PAT-based authentication for OneLocBuild's ceapex feed access with WIF-based Entra token via AzureCLI@2 and the dnceng-onelocbuild-ceapex service connection.
Related: AzDO#10151