Azure DevOps Workload Identity Federation with Azure Overview. NO MORE SECRETS!

00:00

hey everyone in this video I want to

00:02

talk about the Azure devops capability

00:05

to leverage workload identity

00:08

federations whenever we have any service

00:11

talking to another service it has to be

00:13

a to authenticate it needs some way to

00:16

validate it's allowed to act as a

00:18

certain identity that can be given roles

00:21

on that Target resource so in this

00:24

example what we're focusing on is we

00:27

have our azure

00:28

devops

00:30

and our Azure devops remember we have

00:34

the idea of pipelines and so we have

00:36

some

00:37

Pipeline and that pipeline is going to

00:40

be

00:41

performing certain types of task and

00:44

what I want to run that pipeline against

00:46

in this case is azure so over here I

00:50

have my Azure try and draw an Azure

00:52

logos good as I

00:56

can so it needs to act as some identity

01:00

that Azure knows about and can all be

01:02

authenticated with that would have

01:04

certain roles against subscriptions

01:06

resource groups whatever I

01:09

need and the identity provider that

01:12

binds all of these together is entra

01:15

formerly known as Azure ad so we have

01:18

our particular ENT tenant for our

01:23

organization and what we have

01:25

traditionally done is obviously in this

01:27

case both Azure devops and and aure they

01:31

integrate and they trust entra they

01:34

trust a particular

01:36

tenant and so what we would have is we

01:38

would create an app registration which

01:42

would then give us a service principle

01:43

in entra that would be leveraged by a

01:47

service connection that we could then

01:49

leverage so I could think about well

01:51

okay great we will go and create this

01:54

app registration so we'll say it's app r

01:58

one

02:01

but the key Point here is it has a

02:04

secret so we say hey it's got secret one

02:07

and then what I do in my Azure devops is

02:11

well I go ahead and create a service

02:17

connection and that service

02:20

connection is configured with this

02:23

details it's configured with hey app

02:25

regge one and it's configured with that

02:29

secret

02:32

and then I give the pipeline

02:34

permission to use that service

02:38

connection and then the flow is simply

02:40

okay well I want to be able to use that

02:43

so what would happen is well the PIP

02:46

line it can use the service connection

02:48

it knows the app registration now

02:50

there's other bits of detail about the

02:51

client ID Etc but fundamentally it knows

02:54

the detail to be able to use this secret

02:57

so it would send that detail to ENT so

03:01

it's sending hey at Bridge one it's

03:02

sending the secret this will now

03:05

generate an access

03:07

token give it to my Pipeline and now my

03:11

pipeline can take that access token and

03:14

use it

03:16

against the management endpoint for the

03:19

Azure resource manager and again this

03:23

app registration would be given certain

03:25

roles on

03:26

here and we can see this so if we

03:29

quickly jump over so if we go and look

03:32

if I look in my Azure devops environment

03:34

I have two service connections but we'll

03:37

look at this first

03:39

one and we can see it's got a certain

03:43

name ay devops for Dev and notice it's

03:46

giving us this little notification hey

03:48

you could convert this for improved

03:51

security and simplified maintenance but

03:53

we'll come back to that and what this

03:56

represents is this at registration which

04:01

again is a service principle but the key

04:03

Point here is it it has this secret it

04:06

has this certain secret which has a

04:08

certain value it has a certain expiry

04:11

date so there's a certain amount of now

04:14

work in terms of the rotation of that

04:18

the good news is there's somewhat

04:20

automated for us by Azure devops but it

04:23

exists like this is not an ideal

04:26

scenario to have these things existing

04:29

and so when we think about this all up

04:31

solution the idea of having this

04:34

secret we really just don't like it we

04:38

would like to get rid we give this a

04:39

frowny face because hey how do I Ure the

04:43

security someone else doesn't use that

04:46

secret and do something as that identity

04:49

against our Azure resource manager and

04:51

those resources and again I have to

04:53

think well it has a certain expiry

04:55

there's certain rotation so there's

04:57

management tasks associated with that

05:01

which in an Ideal World I really just

05:04

don't want to have to deal with um and

05:07

so what what can we do better and so the

05:11

most secure way is well let's just get

05:13

rid of this secret and that's the whole

05:16

idea of the identity Federation and so

05:20

let's look at what we can do with that

05:22

now we have our same actors again so I'm

05:24

going to have to quickly redraw so once

05:26

again we have the idea of aure over here

05:30

and I still can't really draw that logo

05:32

very

05:34

well once again we have our ENT

05:41

tenant and then once again we'll have

05:43

our Azure devops so we have the same

05:45

actors nothing is

05:47

changing with regards to the components

05:51

that are being

05:53

used but this time we want to try and

05:56

avoid having to have that secret that's

05:58

the key point point of this and so what

06:01

we're going to leverage now is open ID

06:03

connect so open ID connect sits on top

06:06

of aarf 2 ooff 2 is really an

06:09

authorization protocol we use it to say

06:12

hey I'm going to allow this certain

06:14

service to act on my behalf against this

06:17

target resource I own it's about

06:20

delegated authorization IE Facebook can

06:23

access my photos on this Photograph

06:26

cloud service well open ID connect is

06:29

all about authentication and providing

06:32

some proof of I am who I say I am it's

06:36

Al always ajon web token we say it as a

06:39

jot even though it's

06:40

JWT and it has header it has claims we

06:43

can crack this open and look at it but

06:47

it's going to provide authenticity from

06:50

the issuer by virtue of the fact it has

06:52

a signature and there are well-known end

06:54

points I can go and check hey for this

06:56

issuer which certificates are they using

06:58

so I can prove hey it really is coming

07:01

through it says it is and GitHub I did a

07:04

video on this in the past about GitHub

07:07

and its use of open ID connect

07:09

Federation so I don't have to maintain

07:11

Secrets there well now we have it here

07:14

as well with Azure devops and so the

07:17

point is because Azure devops is so

07:20

integrated with ENT or Azure IDE as it

07:23

was formerly known already I don't

07:25

actually have to do anything in most

07:28

cases for that initial configuration so

07:31

what we have available to us is we have

07:34

this open ID

07:37

connect

07:39

Federation that we are going to

07:43

leverage and so how are we going to

07:46

leverage this now the point is we are

07:50

going to go ahead and we're going to

07:52

create a new workload identity

07:55

Federation based service connection and

07:58

so I'm going to say hey I want to

08:01

leverage this

08:03

new

08:04

um workload identity

08:08

Federation service

08:12

connection now when I do this it's still

08:15

now going to go ahead and

08:19

create an app registration that

08:22

represents this I.E behind the scenes

08:24

there is a service principal now what

08:27

that means is the person

08:29

creating this service connection has to

08:33

have the permission to create an app

08:36

registration in that tenant now I have

08:38

to do that anyway if I was using the old

08:40

Secrets based approach But realize hey I

08:43

have to have this permission now later

08:45

on we'll talk about well if I can't do

08:47

that there is a way to use managed

08:49

identity as well so we we'll come back

08:51

to that later on but what it's going to

08:53

do is it's going to go ahead and create

08:55

this app registration but this app

08:58

registration is now going to have a

09:00

federation

09:02

link to this particular service

09:06

connection uh and so let's take a look

09:08

at that so if we jump over we're now

09:12

going to look at this second um actually

09:15

let go back over here I have another

09:17

service

09:19

connection and notice on this service

09:22

connection it's telling me hey I am

09:24

using workload identity Federation with

09:27

open ID connect

09:30

and if I go and look at the app

09:31

registration for this well the first

09:33

thing we'll notice is there are no

09:36

secrets there's no certificate there is

09:38

no secret all we have is this Federated

09:42

credential and if we go and look at it

09:45

we'll see some interesting

09:47

things so the things we're going to

09:49

focus on here is the

09:51

issuer is voken dod. azure.com so what's

09:55

happening here is azure devops is going

09:57

to issue us this identity

10:00

token it has a subject identifier so

10:05

this is the name of my or the name of my

10:08

project and the name of my service

10:11

connection and when it's talking to

10:13

entra for know as Azure ad its

10:17

audience is the Azure ad token exchange

10:21

they're obviously not renaming that to

10:23

entra they probably never will um but

10:26

those are key pieces of information so

10:28

what this is telling is

10:31

for this app registration it has been

10:35

linked to this service connection now as

10:37

part of that remember so this is now an

10:39

issuer so this has the ability to issue

10:42

identity tokens and that issuer is this

10:46

vs

10:47

token

10:49

dodev do

10:52

azure.com

10:54

so this as part of that communication is

10:56

going to be the issuer and obviously it

10:59

had that

11:01

subject

11:03

identifier as well which had that

11:05

breakdown of those

11:08

components so now we have that key

11:10

information again it's going to go and

11:11

talk to hey I want to exchange this for

11:14

that Azure ad token

11:16

exchange so what will happen now if

11:19

entra receives an identity

11:22

token that hey comes from this issuer

11:25

has that subject ID that has been

11:27

configured and the audience is that

11:29

token exchange it can now go and give it

11:31

an access token so let's walk through

11:35

what that flow actually looks

11:38

like so once again I'm going to have a

11:40

pipeline nothing is changing there so

11:43

I'm going to go ahead and I've got my

11:45

particular

11:50

pipeline now one thing we have to do is

11:54

this particular service

11:57

connection

11:59

we're going to give

12:03

permission very rarely will we say hey

12:05

all pipelines can use it so we will at

12:08

very specific levels say hey this

12:11

pipeline is allowed to use this so if we

12:14

were to go back for a

12:16

second and have a look at the security

12:19

so I'm up here at the top clicking the

12:21

little three dots and then looking at

12:25

security we'll see the

12:27

option for hey no permitted

12:30

pipelines we have open access but we're

12:33

not going to do that instead if we click

12:36

plus I can select the particular

12:38

pipelines that I want to be allowed to

12:41

use this service connection which could

12:44

then act on that behalf so that's one of

12:46

the the key things we do we still have

12:48

full control over which particular

12:50

pipelines are allowed to do

12:53

this so what's going to now happen this

12:56

pipeline runs and there's tasks in there

12:59

that need to use that service

13:01

connection so what it's going to

13:04

do is it's going to talk to this as kind

13:08

of its local identity provider and it's

13:10

going to say hey um I need a token

13:15

please this is kind of step

13:17

one because it has permission to act as

13:20

that it's going to generate that

13:21

identity

13:23

token and return it to the

13:26

pipeline the pipeline will now take that

13:30

identity

13:31

token and it's going to go and pass

13:35

it to entra and what it's asking for now

13:40

is hey I would like an access

13:43

token but before this happens before it

13:46

gets the access token entra will

13:49

actually

13:51

validate now there are well-known end

13:55

points for the open ID connect so we

13:59

know it came the issue was at VST token.

14:01

d. azure.com and so what I can do is I

14:05

can go to that

14:07

URL and then we add onto it wellknown

14:11

openen ID

14:13

configuration and it tells us what what

14:15

do we

14:16

support So this scope is only open ID we

14:20

can see subject types and what we can

14:22

see

14:22

here is well this is the

14:26

detail about the actual certificates

14:29

that it's using so what entry is going

14:31

to do is go to that well-known point and

14:34

it can see all of the keys the

14:36

certificates has been used for the

14:37

signing so that will let it confirm okay

14:40

yeah this this is

14:42

valid this is who it says it is so at

14:46

this point once it's done that

14:48

validation

14:49

now it will create the access

14:55

token return the access token and now

14:58

great now the pipeline can take the

15:00

access token and send

15:03

it along with its request to the

15:05

management. azure.com

15:08

I.E the endpoint where I'm going to

15:11

perform operations against the Azure

15:12

resource manager and again the key idea

15:16

here is this app

15:18

registration will be given Ro based

15:21

Access Control here so whatever that app

15:24

registration is at a subscription level

15:27

or Resource Group level whatever I want

15:30

there will be role-based Access Control

15:33

giving hey app registration because

15:35

that's who the token is this access

15:38

token is the app registration one that

15:40

service principle hey app regge has um

15:44

contributor for example again we always

15:47

think least privilege um the least rol

15:49

is required to do what it needs to do

15:52

but now it will be out to go and perform

15:53

those operations and so if we looked at

15:56

this we would see in the Azure

16:00

subscription we'll see those

16:05

various service principles in this case

16:08

have the contributor

16:10

right and that's the

16:12

flow now when I was going to go ahead

16:15

and create one of these if we went back

16:17

a

16:18

step so if I'm looking at all of these

16:20

if I just want to do a new service

16:22

connection and I want to talk to

16:26

arm it's default

16:29

is hey workload identity Federation

16:33

automatic and from there all I have to

16:35

do is Select well what is my target is

16:38

it subscription is it Management Group I

16:40

could optionally add in a certain

16:41

Resource Group so I I can select these

16:44

details give it a name a description

16:47

again I don't typically do this grant

16:50

access to all pipelines I would rather

16:52

go in and add it to the specific ones I

16:55

want but this would just go ahead and

16:58

create

16:59

that service connection and again that

17:01

would go and create the service

17:02

principle that app registration and it

17:04

would set up all of those Federation

17:07

goodness things for

17:10

me now what if I already

17:13

have ones that are using the secrets

17:17

today well exactly as you can see here

17:19

when I look at one of them it has a

17:22

convert button I can just hit convert

17:25

and it will convert it to use now that

17:28

workload identity Federation it's super

17:31

easy to do and if you look at the

17:34

documentation it even has

17:36

scripts that will walk through bulk

17:39

doing those conversions for you and

17:42

there's information all over the place

17:44

so there's kind of a learn

17:46

more and it talks about hey how we want

17:48

to use these

17:50

things and then it's got hey multiple

17:53

conversions with a script so it's all

17:56

there it's all uh trying to help you

17:58

with that now I did mention One

18:02

Challenge you may face is if you're not

18:04

allowed to create app

18:06

registrations and so additionally I can

18:08

use managed identities which is a

18:10

different type of it's just a special

18:13

service principle fundamentally and the

18:16

only thing different here is that if we

18:18

went ahead and looked if I look at a

18:21

managed

18:24

identity so I've got a user assign

18:26

managed identity and I'm just going to

18:28

look up one of them doesn't matter which

18:29

one we do have this option for Federated

18:34

credentials so I can go ahead and

18:37

add a Federated credential so I'm going

18:39

to select this other option but notice

18:42

it has hooks into GitHub actions and

18:45

kubernetes now notice it's asking for

18:47

the issuer URL and the subject

18:49

identifier notice by default it's

18:52

putting in the right hey we want the API

18:55

Azure ad token exchange and I would give

18:57

a name name for this credential so

19:00

there's really two parts to this I don't

19:02

know this issue a URL and subject

19:04

identifier

19:05

yet and there's also some information I

19:07

would need from this managed identity

19:11

because I'm going to need this sort of

19:13

tenant ID and the client ID data that it

19:16

gives me over here on the right because

19:20

all I have to do in Azure devops if I do

19:24

no I can

19:27

say well Cloe identity Federation

19:33

manual I would give it a name do

19:36

test and then it's giving me this is the

19:39

issuer so this is the issuer value what

19:42

I'd have to put in for the manage

19:43

identity this is the subject identifier

19:46

I would have to put

19:48

in I can then tell it the scope level I

19:52

want and this is where I would put in

19:53

the details from the managed identity

19:56

that client ID value and the tenant ID

19:59

that it showed me so I would populate

20:02

these values in kind of both the spaces

20:05

and now I'm using managed identity

20:07

instead of a service principal so I

20:08

still get all the benefit that there is

20:10

no secret that exists I'm not having to

20:13

worry about any of that but hey if I

20:16

can't create an app registration I can

20:18

use manage identity so there you have it

20:22

I mean fundamentally this boils down to

20:24

the fact that we don't like Secrets when

20:27

we think about for users we like

20:29

password list we want to get rid of that

20:31

password and use password list

20:33

Technologies well the same applies to

20:35

everything I want to get rid of Secrets

20:37

I have to store I have to worry about

20:39

the maintenance of and so instead of

20:42

this scenario where we have that secret

20:45

when we move to the Federation scenario

20:49

there is no secret we're using that open

20:51

ID connect Federation capability that

20:54

hey I'll get that identity token I can

20:57

exchange it once that's validated it's

20:59

been signed by the right place we can

21:01

specifically give certain pipelines

21:02

permission to use certain service

21:04

connections I can then give it to entra

21:07

it will give me an Access token and then

21:09

I get whatever roles I've granted that

21:12

service

21:13

principal so there's nothing hugely new

21:16

here than what we've done in the past

21:17

with service connections and Azure

21:18

devops it's just now we have this great

21:20

option to remove the secret and again we

21:23

can do that individual convert existing

21:26

ones or we can use the script to bulk

21:29

convert if I can't create app

21:31

registrations hey I can use manage

21:33

identities as well I hope that was

21:35

useful till next video take

21:54

care