{"id":41513,"date":"2023-10-31T00:58:37","date_gmt":"2023-10-31T07:58:37","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/premier-developer\/?p=41513"},"modified":"2023-10-30T16:12:09","modified_gmt":"2023-10-30T23:12:09","slug":"azure-devops-workload-identity-federation","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/azure-devops-workload-identity-federation\/","title":{"rendered":"Azure DevOps Workload Identity Federation"},"content":{"rendered":"<p>With the recent arrival of the\u00a0<a href=\"https:\/\/devblogs.microsoft.com\/devops\/public-preview-of-workload-identity-federation-for-azure-pipelines\/\">Public preview of Workload identity federation for Azure Pipelines<\/a>, you may be wondering how to efficiently migrate dozens or even hundreds of ARM Service Connections to take advantage of these benefits.\u00a0 In this post, <a href=\"https:\/\/www.linkedin.com\/in\/emmanuelknafo\/\">Emmanuel Knafo<\/a> dives right in.<\/p>\n<hr \/>\n<h2 id=\"updating-your-azure-devops-arm-service-connections-to-use-the-recommended-workload-identity-federation\">Updating Your Azure DevOps ARM Service Connections To Use The Recommended Workload Identity Federation<\/h2>\n<p>With the recent arrival of the\u00a0<a href=\"https:\/\/devblogs.microsoft.com\/devops\/public-preview-of-workload-identity-federation-for-azure-pipelines\/\">Public preview of Workload identity federation for Azure Pipelines<\/a>, you may be wondering how to efficiently migrate your dozens or even hundreds of ARM Service Connections to take advantage of these main benefits:<\/p>\n<ul>\n<li><strong>Simplified management<\/strong>: You do not need to generate, copy, and store secrets from service principals in Azure Entra ID to Azure DevOps anymore. Secrets that are used in other authentication schemes of Azure service connections (e.g., service principal) expire after a certain period (2 years currently). When they expire, pipelines fail. 
You have to generate a new secret and update the service connection. Switching to workload identity federation eliminates the need to manage these secrets and improves the overall experience of creating and managing service connections.<\/li>\n<li><strong>Improved security<\/strong>: With workload identity federation, the federation subject\u00a0<code>sc:\/\/&lt;org&gt;\/&lt;project&gt;\/&lt;service connection name&gt;<\/code>\u00a0uniquely identifies what the identity can be used for, which provides a better constraint than a (shared) secret. There is no persistent secret involved in the communication between Azure Pipelines and Azure. As a result, tasks running in pipeline jobs cannot leak or exfiltrate secrets that have access to your production environments. This has often been a concern for our customers.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2023\/10\/recommended_authentication_method-1024x526-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-41514\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2023\/10\/recommended_authentication_method-1024x526-1.png\" alt=\"Image recommended authentication method 1024 215 526\" width=\"1024\" height=\"526\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2023\/10\/recommended_authentication_method-1024x526-1.png 1024w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2023\/10\/recommended_authentication_method-1024x526-1-300x154.png 300w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2023\/10\/recommended_authentication_method-1024x526-1-768x395.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blog.devopsabcs.com\/index.php\/2023\/09\/23\/azure-devops-workload-identity-federation\/\">Check out the full post here to start 
learning<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the recent arrival of the\u00a0Public preview of Workload identity federation for Azure Pipelines, you may be wondering how to efficiently migrate dozens or even hundreds of ARM Service Connections to take advantage of these benefits.\u00a0 In this post, Emmanuel Knafo dives right in. Updating Your Azure DevOps ARM Service Connections To Use The Recommended [&hellip;]<\/p>\n","protected":false},"author":582,"featured_media":41515,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2571,10647],"class_list":["post-41513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-permierdev","tag-azure-devops","tag-workload-identity-federation"],"acf":[],"blog_post_summary":"<p>With the recent arrival of the\u00a0Public preview of Workload identity federation for Azure Pipelines, you may be wondering how to efficiently migrate dozens or even hundreds of ARM Service Connections to take advantage of these benefits.\u00a0 In this post, Emmanuel Knafo dives right in. 
Updating Your Azure DevOps ARM Service Connections To Use The Recommended [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/41513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/users\/582"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/comments?post=41513"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/41513\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media\/41515"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media?parent=41513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/categories?post=41513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/tags?post=41513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}