|
| 1 | +--- |
| 2 | +author: ckanyika |
| 3 | +ms.author: ckanyika |
| 4 | +ms.date: 6/14/2024 |
| 5 | +ms.topic: include |
| 6 | +--- |
| 7 | + |
| 8 | +### Access Azure Service Bus from Pipelines using Entra ID authentication |
| 9 | + |
| 10 | +You can now use [Entra ID authentication](https://learn.microsoft.com/azure/service-bus-messaging/service-bus-authentication-and-authorization#microsoft-entra-id) to access Azure Service Bus from Azure Pipelines. This allows you to take advantage of Workload identity federation to remove secrets management and Azure RBAC for fine grained access control. |
| 11 | + |
| 12 | +Identities accessing Azure Service Bus need to be granted one of the [Azure built-in roles for Azure Service Bus](https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus) on the Service Bus accessed. |
| 13 | + |
| 14 | + |
| 15 | +##### PublishToAzureServiceBus@2 task |
| 16 | + |
| 17 | +The new PublishToAzureServiceBus@2 tasks can be configured using an Azure service connection. Create an [Azure service connection](https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops&preserve-view=true) and populate the `serviceBusQueueName` and `serviceBusNamespace` properties of the new task: |
| 18 | + |
| 19 | +```yaml |
| 20 | +- task: PublishToAzureServiceBus@2 |
| 21 | + inputs: |
| 22 | + azureSubscription: my-azure-service-connection |
| 23 | + serviceBusQueueName: my-service-bus-queue |
| 24 | + serviceBusNamespace: my-service-bus-namespace |
| 25 | + useDataContractSerializer: false |
| 26 | + messageBody: | |
| 27 | + { |
| 28 | + "foo": "bar" |
| 29 | + } |
| 30 | +``` |
| 31 | +
|
| 32 | +##### Server tasks |
| 33 | +
|
| 34 | +Custom server (agent-less) tasks that use `ServiceBus` execution can specify an Azure Service Connection as `EndpointId` and omit `ConnectionString`. See [Server task authoring](https://github.com/microsoft/azure-pipelines-tasks/blob/master/docs/authoring/servertaskauthoring.md#server-task-authoring). |
| 35 | + |
| 36 | +### Pipelines and tasks populate variables to customize Workload identity federation authentication |
| 37 | + |
| 38 | +The REST API endpoint for requesting OIDC tokens is now available in the `System.OidcRequestUri` pipeline variable. Task developers can leverage this variable to generate an idToken for authentication with Entra ID. |
| 39 | + |
| 40 | +If you are using Marketplace tasks or custom tasks to deploy to Azure, please be aware that these tasks may not support workload identity federation yet. We recommend task developers to enable workload identity federation to improve security measures. |
| 41 | + |
| 42 | +> [!div class="mx-imgBorder"] |
| 43 | +>  |
| 44 | + |
| 45 | + |
| 46 | +Tasks that take a `connectedService:AzureRM` input in [task.json](https://learn.microsoft.com/azure/devops/extend/develop/integrate-build-task?view=azure-devops#custom-build-task-json) can be updated to support workload identity federation by following these steps: |
| 47 | + |
| 48 | +* Utilize the [Oidctoken REST API](/azure/devops/distributedtask/oidctoken/create?view=azure-devops-rest-7.1&preserve-view=true) to request an idToken (arrow 1 in above diagram). |
| 49 | +* Exchange the idToken for an access token using the federated credential flow of the [OAuth API](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential), specifying the idToken as `client_assertion` (arrows 2 & 4 in above diagram); |
| 50 | + or: |
| 51 | +* For tasks that act as a wrapper around a tool that performs authentication itself, use the tools' authentication method to specify the federated token. |
| 52 | + |
| 53 | +Node tasks can use the [azure-pipelines-tasks-artifacts-common](https://www.npmjs.com/package/azure-pipelines-tasks-artifacts-common?activeTab=explore) npm package to obtain the idToken. Refer to the [code example](https://github.com/microsoft/azure-pipelines-terraform/blob/main/Tasks/TerraformTask/TerraformTaskV4/src/id-token-generator.ts) for implementation details. |
| 54 | + |
| 55 | + |
| 56 | +##### Requesting a fresh idToken |
| 57 | + |
| 58 | +The `System.OidcRequestUri` pipeline variable and `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` environment variable exposed in the `AzureCLI@2` and `AzurePowerShell@5` tasks allow pipeline authors to authenticate from their own script: |
| 59 | + |
| 60 | +##### PowerShell Az |
| 61 | + |
| 62 | +```powershell |
| 63 | +- task: AzurePowerShell@5 |
| 64 | + inputs: |
| 65 | + azureSubscription: 'my-azure-subscription' |
| 66 | + scriptType: inlineScript |
| 67 | + inline: | |
| 68 | + # Request fresh idToken |
| 69 | + Invoke-RestMethod -Headers @{ |
| 70 | + Authorization = "Bearer $(System.AccessToken)" |
| 71 | + 'Content-Type' = 'application/json' |
| 72 | + } ` |
| 73 | + -Uri "${env:SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}" ` |
| 74 | + -Method Post ` |
| 75 | + | Select-Object -ExpandProperty oidcToken |
| 76 | + | Set-Variable idToken |
| 77 | + |
| 78 | + # Fetch current context |
| 79 | + $azContext = Get-AzContext |
| 80 | + |
| 81 | + # Start new Az session |
| 82 | + Connect-AzAccount -ApplicationId $azContext.Account.Id ` |
| 83 | + -TenantId $azContext.Tenant.Id ` |
| 84 | + -SubscriptionId $azContext.Subscription.Id ` |
| 85 | + -FederatedToken $idToken |
| 86 | +``` |
| 87 | + |
| 88 | +##### Azure CLI |
| 89 | + |
| 90 | +```bash |
| 91 | +- task: AzureCLI@2 |
| 92 | + inputs: |
| 93 | + addSpnToEnvironment: true |
| 94 | + azureSubscription: 'my-azure-subscription' |
| 95 | + scriptType: bash |
| 96 | + scriptLocation: inlineScript |
| 97 | + inlineScript: | |
| 98 | + # Request fresh idToken |
| 99 | + OIDC_REQUEST_URL="${SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}" |
| 100 | + ARM_OIDC_TOKEN=$(curl -s -H "Content-Length: 0" -H "Content-Type: application/json" -H "Authorization: Bearer $(System.AccessToken)" -X POST $OIDC_REQUEST_URL | jq -r '.oidcToken') |
| 101 | + |
| 102 | + # Save subscription context |
| 103 | + ARM_SUBSCRIPTION_ID=$(az account show --query id -o tsv) |
| 104 | + |
| 105 | + # New az-cli session |
| 106 | + az login --service-principal -u $servicePrincipalId --tenant $tenantId --allow-no-subscriptions --federated-token $ARM_OIDC_TOKEN |
| 107 | + az account set --subscription $ARM_SUBSCRIPTION_ID |
| 108 | +``` |
| 109 | + |
| 110 | +### Retries for server tasks |
| 111 | + |
| 112 | +Server tasks that call external systems, such as `AzureFunction` or `InvokeRESTAPI`, can occasionally fail due to transient errors like compute resource exhaustion. Previously, such failures would cause the entire job, and potentially the pipeline, to fail. |
| 113 | + |
| 114 | +To improve resilience against transient errors, we have introduced support for the `retryCountOnTaskFailure` property in server tasks. Assume you have the following YAML code in your pipeline: |
| 115 | + |
| 116 | +```yml |
| 117 | +- stage: deploy |
| 118 | + jobs: |
| 119 | + - job: |
| 120 | + pool: server |
| 121 | + steps: |
| 122 | + - task: AzureFunction@1 |
| 123 | + retryCountOnTaskFailure: 2 |
| 124 | + inputs: |
| 125 | + function: 'https://api.fabrikamfiber.com' |
| 126 | + key: $(functionKey) |
| 127 | + method: 'POST' |
| 128 | + waitForCompletion: 'false' |
| 129 | +``` |
| 130 | +
|
| 131 | +If `https://api.fabrikamfiber.com` experiences a transient error, Azure Pipelines will retry the request up to three times (the initial attempt plus two retries specified by `retryCountOnTaskFailure`). Each retry includes an increasing wait period. The maximum number of retries allowed is 10. |
| 132 | + |
| 133 | +The `retryCountOnTaskFailure` isn't available for the `ManualValidation` task and other tasks that don't involve external system calls. |
| 134 | + |
| 135 | +### Tasks that use an end-of-life Node runner version to execute emit warnings |
| 136 | + |
| 137 | +Pipeline tasks that rely on a Node version no longer [maintained](https://nodejs.org/en/about/previous-releases) will start receiving warnings: |
| 138 | + |
| 139 | +> Task `TaskName` version `<version>` is dependent on a Node version (10) that is end-of-life. Contact the extension owner for an updated version of the task. Task maintainers should review Node upgrade guidance: https://aka.ms/node-runner-guidance |
| 140 | + |
| 141 | +To suppress these warnings, you can set an environment or pipeline variable at either the pipeline (job) or task level. For example: |
| 142 | + |
| 143 | +```yaml |
| 144 | +variables: |
| 145 | + AZP_AGENT_CHECK_IF_TASK_NODE_RUNNER_IS_DEPRECATED: false |
| 146 | +``` |
| 147 | + |
| 148 | +### DockerCompose@0 uses Docker Compose v2 in v1 compatibility mode |
| 149 | + |
| 150 | +Docker Compose v1 will reach its end-of-life and be removed from Hosted Agents in July 2024. We have updated the [DockerCompose@0](https://learn.microsoft.com/azure/devops/pipelines/tasks/reference/docker-compose-v0?view=azure-pipelines) task to use Docker Compose v2 in v1 compatibility mode. |
0 commit comments