Reputation: 1445
Is there any way I can add an Azure Managed Identity to the VM agent running my Azure DevOps pipeline? I want to be able to run a curl command inside a bash task and obtain the access token.
The command I want to run inside a pipeline is similar to this one, as per the Microsoft Docs page:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F&client_id=$(IDENTITY)' -H Metadata:true -s
I know I can use various built-in tasks for Azure authentication, but none of them (to my knowledge) enables querying the metadata service.
My idea would be to have some ADO task which will add a managed identity to a VM where the task is running. Once a pipeline (actually an agent) finishes all my tasks, the managed identity will be removed. The managed identity can, for example, be specified via a service principal. Does this exist, or is it possible at all?
Currently, I am using these two approaches, but both of them look a bit overkill for such a small task:
Upvotes: 5
Views: 1984
Reputation: 28126
My idea would be to have some ADO task which will add a managed identity to a VM where the task is running. Once a pipeline (actually an agent) finishes all my tasks, the managed identity will be removed. The managed identity can, for example, be specified via a service principal. Does this exist, or is it possible at all?
Sorry, but I'm afraid this is not supported. There's no such out-of-the-box task in Azure DevOps (even in the VS marketplace) to achieve this requirement (add/remove a managed identity in a VM).
Also, a managed identity can't be specified via a service principal because these two features are different technologies. For more details you can refer to this blog. So it's impossible to specify a Managed Identity via a Service Principal.
As one suggestion, you can make a request for the feature you want (an official task to control Managed Identity in one VM) on our UserVoice site, which is our main forum for product suggestions. After raising the suggestion, you can vote and add your comments there. The product team would provide updates if they view it. Thank you for helping us build a better Azure DevOps.
Upvotes: 2
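Added example, not part of the question or the answer: a Python equivalent of the question's curl call, for an agent VM that already has a managed identity assigned. It reports a missing identity or an unreachable metadata endpoint as an error and never prints the reply body, which carries the bearer token. The function names are hypothetical, and the `error_description` and `expires_on` field names are assumptions about the reply format.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and api-version exactly as in the question's curl command.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Build the request; client_id selects one user-assigned identity."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # Same header as curl's "-H Metadata:true".
    return urllib.request.Request(url, headers={"Metadata": "true"})


def parse_token_response(status, body):
    """Return (access_token, expires_on) or raise with the reported reason."""
    try:
        doc = json.loads(body)
    except ValueError:
        raise RuntimeError(f"metadata service: HTTP {status}, non-JSON body")
    if not isinstance(doc, dict):
        raise RuntimeError(f"metadata service: HTTP {status}, unexpected body")
    if status != 200 or "access_token" not in doc:
        # Only the error fields are surfaced, never a body that may hold a token.
        reason = doc.get("error_description") or doc.get("error") or "unknown"
        raise RuntimeError(f"metadata service: HTTP {status}: {reason}")
    return doc["access_token"], int(doc["expires_on"])


def fetch_token(resource, client_id=None, timeout=5):
    """Query the metadata service; only reachable from inside an Azure VM."""
    req = build_token_request(resource, client_id)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # Error replies still carry a JSON body that explains the failure.
        return parse_token_response(err.code, err.read())
    except OSError as err:
        raise RuntimeError(f"metadata service unreachable: {err}")
```

In a pipeline step, pass the returned token to later commands through a secret variable rather than writing it to the job log.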