Reputation: 21
From an Azure DevOps pipeline, I need to log in to AZCOPY and then copy some files from the DevOps working directory to the Azure Storage account.
Created a service connection (Automatic, workload identity federation). The App registration which is created as part of the service connection has been given the Storage Blob Data Contributor role on the storage account.
I am using the code below to perform the AZCOPY login, which is failing with the error shown after it:
trigger:
  batch: false
  branches:
    include:
    - dev
pool:
  vmImage: ubuntu-latest
steps:
- task: AzureCLI@2
  inputs:
    addSpnToEnvironment: true
    azureSubscription: 'DevOps_connect'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # Inherit Azure CLI service connection
      export ARM_CLIENT_ID=$servicePrincipalId
      export ARM_OIDC_TOKEN=$idToken
      export ARM_TENANT_ID=$tenantId
      echo "ARM_CLIENT_ID: $ARM_CLIENT_ID"
      echo "ARM_OIDC_TOKEN: $ARM_OIDC_TOKEN"
      echo "ARM_TENANT_ID: $ARM_TENANT_ID"
      azcopy login --identity
Failed to perform login command: ManagedIdentityCredential: failed to authenticate a system assigned identity. The endpoint responded with {"error":"invalid_request","error_description":"Identity not found"}
Why is it failing? Are there any settings or environment variables I am missing? I am using a pipeline agent in DevOps.
Upvotes: 1
Views: 210
Reputation: 13944
In Azure Pipelines, you can use the AzureFileCopy@6 task to copy files to Azure Blob Storage. This task version supports Workload Identity Federation and uses Azure RBAC to access Azure Storage.
The following is the main configuration for this:
First, you need to create an Azure Resource Manager service connection (ARM service connection) using Workload Identity Federation, if you do not have such an ARM service connection.
Ensure the App registration (or Managed identity) used by the ARM service connection has the "Storage Blob Data Contributor" role assigned on the Storage account.
Then on the AzureFileCopy@6 task, you can directly use the ARM service connection as below.
- task: AzureFileCopy@6
  displayName: 'Copy Files to Azure Storage Account'
  inputs:
    SourcePath: 'path/to/the/source/directory'
    azureSubscription: 'MyArmConnection'
    Destination: 'AzureBlob'
    storage: 'mystorageaccount'
    ContainerName: 'mycontainer'
Upvotes: 0
Reputation: 18094
Consider using the AZCOPY_AUTO_LOGIN_TYPE environment variable, which provides the ability to authorize without using the azcopy login command:
steps:
- task: AzureCLI@2
  inputs:
    addSpnToEnvironment: true
    azureSubscription: 'DevOps_connect'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # ...
  env:
    AZCOPY_AUTO_LOGIN_TYPE: AZCLI
    # other environment variables
See:
Upvotes: 0
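The AZCOPY_AUTO_LOGIN_TYPE approach from the answer above, written out as a complete step. This is an added example, not code posted by anyone in the thread. The storage account and container names are reused from the AzureFileCopy answer as placeholders, and the `drop` folder is a hypothetical source path.

```yaml
# Added example (not from the original thread).
# Assumptions: 'DevOps_connect' is the workload identity federation service
# connection from the question; 'mystorageaccount', 'mycontainer' and the
# 'drop' folder are placeholders to replace with real values.
steps:
- task: AzureCLI@2
  displayName: 'Copy files with azcopy (Azure CLI auto-login)'
  inputs:
    azureSubscription: 'DevOps_connect'
    scriptType: bash
    scriptLocation: inlineScript
    # addSpnToEnvironment is left at its default (false): the script does
    # not need $idToken, so the federated token is never handed to it and
    # cannot end up in the job log.
    inlineScript: |
      set -euo pipefail

      # The task has already signed the Azure CLI in with the service
      # connection. Read the tenant from that session for azcopy.
      AZCOPY_TENANT_ID="$(az account show --query tenantId --output tsv)"
      export AZCOPY_TENANT_ID

      # No 'azcopy login' and no SAS token in the URL: azcopy requests its
      # token from the Azure CLI session, so access is governed by the
      # Storage Blob Data Contributor role assignment.
      azcopy copy \
        "$(System.DefaultWorkingDirectory)/drop/*" \
        "https://mystorageaccount.blob.core.windows.net/mycontainer/" \
        --recursive
  env:
    # Tells azcopy to authorize through the signed-in Azure CLI.
    AZCOPY_AUTO_LOGIN_TYPE: AZCLI
```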