3

Is there any way how can I add Azure Managed Identity to VM agent running my Azure DevOps pipeline? I want to be able to run curl command inside bash task and obtain the access token.

The command I want to run inside a pipeline is similar to this one, as per Microsoft Docs page

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F&client_id=$(IDENTITY)' -H Metadata:true -s

I know I can use various builtin tasks for Azure authentication, but none of them (up to my knowledge) is enabling to query metadata service.

My idea would be to have some ADO task which will add managed identity to a VM where the task is running. Once a pipeline (actually an agent) finishes all my tasks, then managed identity will be removed. Managed identity can be for example specified via service principal. Is this existing or is it possible at all?

Currently, I am using these two approaches, but both of them look a bit overkill for such a small task:

  • I have private ADO agents pool and these machines have preconfigured managed identity I can use (I cannot configure it in the pipeline later)
  • I use a combination of two pipelines
    • the helper pipeline that is provisioning and cleaning custom VMs and
    • the primary pipeline which is configuring these custom VMs (accesses via service connection) and then running my bash code on them
Igor
  • 1,349
  • 12
  • 25
  • This is related to similar (and unanswered) [question](https://stackoverflow.com/questions/56861259/use-managed-identities-in-azure-devops-build-pipeline?rq=1), but I want to use user-assigned managed identity. – Igor Apr 13 '20 at 09:56

1 Answers1

1

My idea would be to have some ADO task which will add managed identity to a VM where the task is running. Once a pipeline (actually an agent) finishes all my tasks, then managed identity will be removed. Managed identity can be for example specified via service principal. Is this existing or is it possible at all?

Sorry but I'm afraid this is not supported. There's no such out-of-box task in Azure Devops (even in VS marketplace) to achieve this requirement (add/remove managed identity in VM).

Also, Managed identity can't be specified via service principal cause these two features are different technologies. For more details you can refer to this blog. So it's impossible to specify Managed Identity via Service Principal.

As one suggestion, you can make request for the feature (An official task to control Managed Identidy in one VM) you want on our UserVoice site, which is our main forum for product suggestions. After raising the suggestion, you can vote and add your comments there. The product team would provide the updates if they view it. Thank you for helping us build a better Azure DevOps.

LoLance
  • 25,666
  • 1
  • 39
  • 73