
No More Expiring Azure Service Connections in Azure DevOps

Photo by Pavel Danilyuk: https://www.pexels.com/photo/chief-of-surgery-id-cards-7108127/

Yes, you read the title right. Microsoft has released a long-awaited feature that allows us to create static service connections. These connections do not expire after two years and, even better, they are more secure and easier to use. Until today we had only a few options when we wanted to connect our precious Azure resources with our Azure DevOps instance. The main way was to create a new service connection in Azure DevOps that stored a shared secret between Azure AD (now Microsoft Entra) and Azure DevOps. The other way was to create this secret manually and copy-paste it into Azure DevOps. Both worked decently, but the problem was that the secret expired after two years, which made the next release pipeline run fail. Of course the best part was that the expired connection came to light only when the release date was at hand and the pipeline did not work.

Well, all this can be left behind now, because we have this new feature called “Workload identity federation in Azure Pipelines (public preview)”… Wow, that’s a mouthful! What it tries to express is that you can now use OpenID Connect to authenticate with Microsoft Entra (formerly Azure AD) and protect your resources without needing to manage secrets. The same in plain English: you don’t have to care anymore.

How to upgrade existing service connections

Luckily, Microsoft has been kind enough to implement an upgrade route from the existing secret-based service connections to this new workload identity thingy. To upgrade an existing service connection, navigate to the Service connections page (you can find it under project settings…), click any of the existing service connections and you should see the following dialog at the top of the page. Click Convert and ignore the warning about the end of the world.

Convert those old pesky service connections

After waiting a few long seconds, you should get a notification that everything is fine in life and you can continue with other important work. To get more content into this blog post, let’s see what happened behind the scenes.

After refreshing the service connections page we can see that the ARM connection is now using OpenID Connect.

After the conversion, the status of the service connection changes

In the Azure portal we can verify that the new connection has federated credentials, which connect Azure DevOps and the Microsoft Entra enterprise app.
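The same verification can be done outside the portal. Here is an added example (my own, not code from the post or from Microsoft) that checks the JSON you get from `az ad app federated-credential list --id <appId>` and `az ad app credential list --id <appId>`: it looks for a federated credential with the issuer, subject and audience shape Azure DevOps uses for workload identity federation (per Microsoft's documentation: issuer `https://vstoken.dev.azure.com/<organization-id>`, subject `sc://<org>/<project>/<connection name>`, audience `api://AzureADTokenExchange`) and reports any client secrets still left on the app registration. The organization, project, connection name, GUID and credential JSON below are constructed sample values.

```python
import json
import re
from datetime import datetime, timezone

# Issuer/subject/audience shape Azure DevOps uses for workload identity
# federation (from Microsoft's documentation; the organization id is a GUID).
ADO_ISSUER = re.compile(r"^https://vstoken\.dev\.azure\.com/[0-9a-f-]{36}$")
ADO_AUDIENCE = "api://AzureADTokenExchange"

def matching_federated_credentials(creds, org, project, connection):
    """Federated credentials (output of `az ad app federated-credential list`)
    that bind the given Azure DevOps service connection to the app."""
    expected_subject = f"sc://{org}/{project}/{connection}"
    return [
        c for c in creds
        if ADO_ISSUER.match(c.get("issuer", ""))
        and c.get("subject") == expected_subject
        and ADO_AUDIENCE in c.get("audiences", [])
    ]

def lingering_secrets(password_creds, now):
    """Client secrets still on the app registration (output of
    `az ad app credential list`) with days left (negative = already expired).
    After a conversion, anything listed here deserves a review."""
    out = []
    for p in password_creds:
        # endDateTime is ISO 8601 in UTC; keep only the whole-seconds part
        end = datetime.strptime(p["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        end = end.replace(tzinfo=timezone.utc)
        out.append((p.get("displayName") or p["keyId"], (end - now).days))
    return out

# Constructed sample data mimicking the two CLI outputs after a conversion.
SAMPLE_FEDERATED = json.loads("""[
 {"name": "ado-wif",
  "issuer": "https://vstoken.dev.azure.com/11111111-2222-3333-4444-555555555555",
  "subject": "sc://contoso/payments/prod-arm",
  "audiences": ["api://AzureADTokenExchange"]}
]""")
SAMPLE_PASSWORDS = json.loads("""[
 {"keyId": "aaaa-bbbb", "displayName": "legacy-secret",
  "endDateTime": "2024-01-15T00:00:00Z"}
]""")
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    ok = matching_federated_credentials(SAMPLE_FEDERATED, "contoso", "payments", "prod-arm")
    print("federated credential present:", bool(ok))
    for name, days in lingering_secrets(SAMPLE_PASSWORDS, SAMPLE_NOW):
        print(f"secret {name!r} still present, {days} days left")
```

Feed it the real CLI output (`az ... -o json`) for your app registration; a missing match or a leftover secret is what you want to catch before relying on the converted connection.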

How to create new service connections with WIFIAP (yes, it is an acronym)

Creating a new service connection with WIFIAP works just like normal service connections did. You click New service connection and go with the default setting, which is “Workload identity federation”. Fill in the subscription, resource group and connection name and you are good to go.

A new service connection uses workload identity federation by default