Added environment variable AZURESUBSCRIPTION_SERVICE_CONNECTION_ID for AzureCLIV2 and AzurePowerShellV5 for WIF auth flow

Author: starkmsu

Tasks/AzureCLIV2/azureclitask.ts

@@ -33,6 +33,8 @@ export class azureclitask {
             var connectedService: string = tl.getInput("connectedServiceNameARM", true);
             await this.loginAzureRM(connectedService);
 
+            process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = connectedService;
+
             let errLinesCount: number = 0;
             let aggregatedErrorLines: string[] = [];
             tool.on('errline', (errorLine: string) => {
@@ -100,16 +102,16 @@ export class azureclitask {
               if (typeof toolExecutionError === 'string') {
                 const expiredSecretErrorCode = 'AADSTS7000222';
                 let serviceEndpointSecretIsExpired = toolExecutionError.indexOf(expiredSecretErrorCode) >= 0;
-                
+
                 if (serviceEndpointSecretIsExpired) {
                   const organizationURL = tl.getVariable('System.CollectionUri');
                   const projectName = tl.getVariable('System.TeamProject');
                   const serviceConnectionLink = encodeURI(`${organizationURL}${projectName}/_settings/adminservices?resourceId=${connectedService}`);
-      
+
                   message = tl.loc('ExpiredServicePrincipalMessageWithLink', serviceConnectionLink);
                 }
               }
-      
+
               tl.setResult(tl.TaskResult.Failed, message);
             } else if (exitCode != 0){
                 tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailedWithExitCode", exitCode));
@@ -122,6 +124,8 @@ export class azureclitask {
             if (this.isLoggedIn) {
                 this.logoutAzure();
             }
+
+            process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = '';
         }
     }
 

Tasks/AzureCLIV2/task.json

@@ -19,8 +19,8 @@
     "demands": [],
     "version": {
         "Major": 2,
-        "Minor": 238,
-        "Patch": 4
+        "Minor": 239,
+        "Patch": 0
     },
     "minimumAgentVersion": "2.0.0",
     "instanceNameFormat": "Azure CLI $(scriptPath)",

Tasks/AzureCLIV2/task.loc.json

@@ -19,8 +19,8 @@
   "demands": [],
   "version": {
     "Major": 2,
-    "Minor": 238,
-    "Patch": 4
+    "Minor": 239,
+    "Patch": 0
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",

Tasks/AzurePowerShellV5/AzurePowerShell.ps1

@@ -195,6 +195,7 @@ finally {
     . "$PSScriptRoot\Utility.ps1"
     Import-Module "$PSScriptRoot\ps_modules\VstsAzureHelpers_"
     Remove-EndpointSecrets
+    $env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = ''
     Update-PSModulePathForHostedAgent
     Disconnect-AzureAndClearContext -restrictContext 'True' -ErrorAction SilentlyContinue
 }

Tasks/AzurePowerShellV5/CoreAz.ps1

@@ -29,4 +29,6 @@ $endpointObject =  ConvertFrom-Json  $endpoint
 Import-Module "$PSScriptRoot\ps_modules\VstsAzureHelpers_"
 $encryptedToken = ConvertTo-SecureString $vstsAccessToken -AsPlainText -Force
 Initialize-AzModule -Endpoint $endpointObject -connectedServiceNameARM $connectedServiceNameARM `
-    -azVersion $targetAzurePs -isPSCore $isPSCore -encryptedToken $encryptedToken
+    -azVersion $targetAzurePs -isPSCore $isPSCore -encryptedToken $encryptedToken
+
+$env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = $connectedServiceNameARM

Tasks/AzurePowerShellV5/InitializeAz.ps1

@@ -6,7 +6,9 @@ param
     [String] [Parameter(Mandatory = $false)]
     $targetAzurePs,
     [String] [Parameter(Mandatory = $false)]
-    $clientAssertionJwt
+    $clientAssertionJwt,
+    [String] [Parameter(Mandatory = $false)]
+    $serviceConnectionId
 )
 
 $endpointObject =  ConvertFrom-Json  $endpoint
@@ -115,6 +117,8 @@ elseif ($endpointObject.scheme -eq 'WorkloadIdentityFederation') {
         Write-Host "##[command] Set-AzContext -SubscriptionId $($endpointObject.subscriptionID) -TenantId $($endpointObject.tenantId)"
         $null = Set-AzContext -SubscriptionId $endpointObject.subscriptionID -TenantId $endpointObject.tenantId
     }
+
+    $env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = $serviceConnectionId
 }
 else {
     #  Provide an additional, custom, credentials-related error message. Will handle localization later

Tasks/AzurePowerShellV5/azurepowershell.ts

@@ -83,7 +83,7 @@ async function run() {
         }
         if (endpointObject.scheme === 'WorkloadIdentityFederation') {
             const oidc_token = await endpointObject.applicationTokenCredentials.getFederatedToken();
-            initAzCommand += ` -clientAssertionJwt  ${oidc_token}`;
+            initAzCommand += ` -clientAssertionJwt ${oidc_token} -serviceConnectionId ${serviceName}`;
         }
         contents.push(initAzCommand);
 
@@ -171,6 +171,8 @@ async function run() {
                 .arg('-Command')
                 .arg(`. '${path.join(path.resolve(__dirname),'RemoveAzContext.ps1')}'`);
 
+            process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = '';
+
             let options = <tr.IExecOptions>{
                     cwd: input_workingDirectory,
                     failOnStdErr: false,

Tasks/AzurePowerShellV5/task.json

@@ -18,7 +18,7 @@
   "version": {
     "Major": 5,
     "Minor": 239,
-    "Patch": 0
+    "Patch": 2
   },
   "releaseNotes": "Added support for Az Module and cross platform agents.",
   "groups": [

Tasks/AzurePowerShellV5/task.loc.json

@@ -18,7 +18,7 @@
   "version": {
     "Major": 5,
     "Minor": 239,
-    "Patch": 0
+    "Patch": 2
   },
   "releaseNotes": "ms-resource:loc.releaseNotes",
   "groups": [

_generated/AzureCLIV2.versionmap.txt

@@ -1,2 +1,2 @@
-Default|2.238.4
-Node20_229_2|2.238.5
+Default|2.239.0
+Node20_229_2|2.239.1

_generated/AzureCLIV2/azureclitask.ts

@@ -33,6 +33,8 @@ export class azureclitask {
             var connectedService: string = tl.getInput("connectedServiceNameARM", true);
             await this.loginAzureRM(connectedService);
 
+            process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = connectedService;
+
             let errLinesCount: number = 0;
             let aggregatedErrorLines: string[] = [];
             tool.on('errline', (errorLine: string) => {
@@ -100,16 +102,16 @@ export class azureclitask {
               if (typeof toolExecutionError === 'string') {
                 const expiredSecretErrorCode = 'AADSTS7000222';
                 let serviceEndpointSecretIsExpired = toolExecutionError.indexOf(expiredSecretErrorCode) >= 0;
-                
+
                 if (serviceEndpointSecretIsExpired) {
                   const organizationURL = tl.getVariable('System.CollectionUri');
                   const projectName = tl.getVariable('System.TeamProject');
                   const serviceConnectionLink = encodeURI(`${organizationURL}${projectName}/_settings/adminservices?resourceId=${connectedService}`);
-      
+
                   message = tl.loc('ExpiredServicePrincipalMessageWithLink', serviceConnectionLink);
                 }
               }
-      
+
               tl.setResult(tl.TaskResult.Failed, message);
             } else if (exitCode != 0){
                 tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailedWithExitCode", exitCode));
@@ -122,6 +124,8 @@ export class azureclitask {
             if (this.isLoggedIn) {
                 this.logoutAzure();
             }
+
+            process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = '';
         }
     }
 

_generated/AzureCLIV2/task.json

@@ -19,8 +19,8 @@
   "demands": [],
   "version": {
     "Major": 2,
-    "Minor": 238,
-    "Patch": 4
+    "Minor": 239,
+    "Patch": 0
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -204,7 +204,7 @@
     "ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at\u00A0%s See\u00A0https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
   },
   "_buildConfigMapping": {
-    "Default": "2.238.4",
-    "Node20_229_2": "2.238.5"
+    "Default": "2.239.0",
+    "Node20_229_2": "2.239.1"
   }
 }

_generated/AzureCLIV2/task.loc.json

@@ -19,8 +19,8 @@
   "demands": [],
   "version": {
     "Major": 2,
-    "Minor": 238,
-    "Patch": 4
+    "Minor": 239,
+    "Patch": 0
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -204,7 +204,7 @@
     "ExpiredServicePrincipalMessageWithLink": "ms-resource:loc.messages.ExpiredServicePrincipalMessageWithLink"
   },
   "_buildConfigMapping": {
-    "Default": "2.238.4",
-    "Node20_229_2": "2.238.5"
+    "Default": "2.239.0",
+    "Node20_229_2": "2.239.1"
   }
 }

_generated/AzureCLIV2_Node20/azureclitask.ts

@@ -33,6 +33,8 @@ export class azureclitask {
             var connectedService: string = tl.getInput("connectedServiceNameARM", true);
             await this.loginAzureRM(connectedService);
 
+            process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = connectedService;
+
             let errLinesCount: number = 0;
             let aggregatedErrorLines: string[] = [];
             tool.on('errline', (errorLine: string) => {
@@ -100,16 +102,16 @@ export class azureclitask {
               if (typeof toolExecutionError === 'string') {
                 const expiredSecretErrorCode = 'AADSTS7000222';
                 let serviceEndpointSecretIsExpired = toolExecutionError.indexOf(expiredSecretErrorCode) >= 0;
-                
+
                 if (serviceEndpointSecretIsExpired) {
                   const organizationURL = tl.getVariable('System.CollectionUri');
                   const projectName = tl.getVariable('System.TeamProject');
                   const serviceConnectionLink = encodeURI(`${organizationURL}${projectName}/_settings/adminservices?resourceId=${connectedService}`);
-      
+
                   message = tl.loc('ExpiredServicePrincipalMessageWithLink', serviceConnectionLink);
                 }
               }
-      
+
               tl.setResult(tl.TaskResult.Failed, message);
             } else if (exitCode != 0){
                 tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailedWithExitCode", exitCode));
@@ -122,6 +124,8 @@ export class azureclitask {
             if (this.isLoggedIn) {
                 this.logoutAzure();
             }
+
+            process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = '';
         }
     }
 

_generated/AzureCLIV2_Node20/task.json

@@ -19,8 +19,8 @@
   "demands": [],
   "version": {
     "Major": 2,
-    "Minor": 238,
-    "Patch": 5
+    "Minor": 239,
+    "Patch": 1
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -208,7 +208,7 @@
     "ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at\u00A0%s See\u00A0https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
   },
   "_buildConfigMapping": {
-    "Default": "2.238.4",
-    "Node20_229_2": "2.238.5"
+    "Default": "2.239.0",
+    "Node20_229_2": "2.239.1"
   }
 }

_generated/AzureCLIV2_Node20/task.loc.json

@@ -19,8 +19,8 @@
   "demands": [],
   "version": {
     "Major": 2,
-    "Minor": 238,
-    "Patch": 5
+    "Minor": 239,
+    "Patch": 1
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -208,7 +208,7 @@
     "ExpiredServicePrincipalMessageWithLink": "ms-resource:loc.messages.ExpiredServicePrincipalMessageWithLink"
   },
   "_buildConfigMapping": {
-    "Default": "2.238.4",
-    "Node20_229_2": "2.238.5"
+    "Default": "2.239.0",
+    "Node20_229_2": "2.239.1"
   }
 }

_generated/AzurePowerShellV5.versionmap.txt

@@ -1,2 +1,2 @@
-Default|5.239.0
-Node20_229_2|5.239.1
+Default|5.239.2
+Node20_229_2|5.239.3

_generated/AzurePowerShellV5/AzurePowerShell.ps1

@@ -195,6 +195,7 @@ finally {
     . "$PSScriptRoot\Utility.ps1"
     Import-Module "$PSScriptRoot\ps_modules\VstsAzureHelpers_"
     Remove-EndpointSecrets
+    $env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = ''
     Update-PSModulePathForHostedAgent
     Disconnect-AzureAndClearContext -restrictContext 'True' -ErrorAction SilentlyContinue
 }

_generated/AzurePowerShellV5/CoreAz.ps1

@@ -29,4 +29,6 @@ $endpointObject =  ConvertFrom-Json  $endpoint
 Import-Module "$PSScriptRoot\ps_modules\VstsAzureHelpers_"
 $encryptedToken = ConvertTo-SecureString $vstsAccessToken -AsPlainText -Force
 Initialize-AzModule -Endpoint $endpointObject -connectedServiceNameARM $connectedServiceNameARM `
-    -azVersion $targetAzurePs -isPSCore $isPSCore -encryptedToken $encryptedToken
+    -azVersion $targetAzurePs -isPSCore $isPSCore -encryptedToken $encryptedToken
+
+$env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = $connectedServiceNameARM

_generated/AzurePowerShellV5/InitializeAz.ps1

@@ -6,7 +6,9 @@ param
     [String] [Parameter(Mandatory = $false)]
     $targetAzurePs,
     [String] [Parameter(Mandatory = $false)]
-    $clientAssertionJwt
+    $clientAssertionJwt,
+    [String] [Parameter(Mandatory = $false)]
+    $serviceConnectionId
 )
 
 $endpointObject =  ConvertFrom-Json  $endpoint
@@ -115,6 +117,8 @@ elseif ($endpointObject.scheme -eq 'WorkloadIdentityFederation') {
         Write-Host "##[command] Set-AzContext -SubscriptionId $($endpointObject.subscriptionID) -TenantId $($endpointObject.tenantId)"
         $null = Set-AzContext -SubscriptionId $endpointObject.subscriptionID -TenantId $endpointObject.tenantId
     }
+
+    $env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = $serviceConnectionId
 }
 else {
     #  Provide an additional, custom, credentials-related error message. Will handle localization later

_generated/AzurePowerShellV5/azurepowershell.ts

@@ -83,7 +83,7 @@ async function run() {
         }
         if (endpointObject.scheme === 'WorkloadIdentityFederation') {
             const oidc_token = await endpointObject.applicationTokenCredentials.getFederatedToken();
-            initAzCommand += ` -clientAssertionJwt  ${oidc_token}`;
+            initAzCommand += ` -clientAssertionJwt ${oidc_token} -serviceConnectionId ${serviceName}`;
         }
         contents.push(initAzCommand);
 
@@ -171,6 +171,8 @@ async function run() {
                 .arg('-Command')
                 .arg(`. '${path.join(path.resolve(__dirname),'RemoveAzContext.ps1')}'`);
 
+            process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID = '';
+
             let options = <tr.IExecOptions>{
                     cwd: input_workingDirectory,
                     failOnStdErr: false,

_generated/AzurePowerShellV5/task.json

@@ -18,7 +18,7 @@
   "version": {
     "Major": 5,
     "Minor": 239,
-    "Patch": 0
+    "Patch": 2
   },
   "releaseNotes": "Added support for Az Module and cross platform agents.",
   "groups": [
@@ -204,7 +204,7 @@
     "PS_ExitCode": "PowerShell exited with code '{0}'."
   },
   "_buildConfigMapping": {
-    "Default": "5.239.0",
-    "Node20_229_2": "5.239.1"
+    "Default": "5.239.2",
+    "Node20_229_2": "5.239.3"
   }
 }