Add experimental feature to AzureCLIV2 which keeps the session running in the background in the case of ARM service connections with workload identity federation scheme (#19989)

kboom · web-flow · commit aacf01354f0f · 2024-06-12T14:20:07.000Z
Today, any attempts made to get the access token for a different resource than originally will fail with the Entra error AADSTS700024 after the IdToken expires, which is after 10 minutes. The same happens 60 minutes after the issuance date of the original access token, when it expires, and we cannot refresh. This change is a tactical solution to this problem that is to be used until az-cli supports this internally. This is an EXPERIMENTAL feature which means we provide no guarantees and no support for it. That said, it should work well for 99.9% of the cases. Please note that this feature can be removed at any point in time, particularly when az-cli delivers the long-term solution to this problem.
diff --git a/Tasks/AzureCLIV2/Strings/resources.resjson/en-US/resources.resjson b/Tasks/AzureCLIV2/Strings/resources.resjson/en-US/resources.resjson
@@ -31,6 +31,8 @@
   "loc.input.help.powerShellIgnoreLASTEXITCODE": "If this is false, the line `if ((Test-Path -LiteralPath variable:\\LASTEXITCODE)) { exit $LASTEXITCODE }` is appended to the end of your script. This will cause the last exit code from an external command to be propagated as the exit code of powershell. Otherwise the line is not appended to the end of your script.",
   "loc.input.label.visibleAzLogin": "az login output visibility",
   "loc.input.help.visibleAzLogin": "If this is set to true, az login command will output to the task. Setting it to false will suppress the az login output",
+  "loc.input.label.keepAzSessionActive": "[Experimental] Keep Azure CLI session active",
+  "loc.input.help.keepAzSessionActive": "When enabled, this task will continuously sign into Azure to avoid AADSTS700024 errors when requesting access tokens beyond the IdToken expiry date. Note that this feature is EXPERIMENTAL, may not work in all scenarios and you are using it without any guarantees. Valid only for service connections using the Workload Identity Federation authentication scheme.",
   "loc.messages.ScriptReturnCode": "Script exited with return code: %d",
   "loc.messages.ScriptFailed": "Script failed with error: %s",
   "loc.messages.ScriptFailedStdErr": "Script has output to stderr. Failing as failOnStdErr is set to true.",
@@ -49,5 +51,8 @@
   "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
   "loc.messages.UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'",
   "loc.messages.ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections.",
-  "loc.messages.ProxyConfig": "az tool is configured to use %s as proxy server"
+  "loc.messages.ProxyConfig": "az tool is configured to use %s as proxy server",
+  "loc.messages.FailedToRefreshAzSession": "The following error occurred while trying to refresh az-cli session: %s",
+  "loc.messages.RefreshingAzSession": "Attempting to refresh az-cli session...",
+  "loc.messages.KeepingAzSessionActiveUnsupportedScheme": "The 'keepAzSessionActive' input might be used only for workload identity federation ARM service connection. The referenced service endpoint auth scheme was unexpected: %s. Change the scheme or remove 'keepAzSessionActive' input."
 }
diff --git a/Tasks/AzureCLIV2/azureclitask.ts b/Tasks/AzureCLIV2/azureclitask.ts
@@ -8,6 +8,7 @@ import { getHandlerFromToken, WebApi } from "azure-devops-node-api";
 import { ITaskApi } from "azure-devops-node-api/TaskApi";
 
 const FAIL_ON_STDERR: string = "FAIL_ON_STDERR";
+const AZ_SESSION_REFRESH_INTERVAL_MS: number = 480000; // 8 minutes, 2 minutes before IdToken expiry date
 
 export class azureclitask {
 
@@ -41,8 +42,23 @@ export class azureclitask {
             this.setConfigDirectory();
             this.setAzureCloudBasedOnServiceEndpoint();
             var connectedService: string = tl.getInput("connectedServiceNameARM", true);
+            const authorizationScheme = tl.getEndpointAuthorizationScheme(connectedService, true).toLowerCase();
+            
             await this.loginAzureRM(connectedService);
 
+            var keepAzSessionActive: boolean = tl.getBoolInput('keepAzSessionActive', false);
+            var stopRefreshingSession: () => void = () => {};
+            if (keepAzSessionActive) {
+                // This is a tactical workaround to keep the session active for the duration of the task to avoid AADSTS700024 errors.
+                // This is a temporary solution until the az cli provides a way to refresh the session.
+                if (authorizationScheme !== 'workloadidentityfederation') {
+                    const errorMessage = tl.loc('KeepingAzSessionActiveUnsupportedScheme', authorizationScheme);
+                    tl.error(errorMessage);
+                    throw errorMessage;
+                }
+                stopRefreshingSession = this.keepRefreshingAzSession(connectedService);
+            }
+
             let errLinesCount: number = 0;
             let aggregatedErrorLines: string[] = [];
             tool.on('errline', (errorLine: string) => {
@@ -52,8 +68,7 @@ export class azureclitask {
                 errLinesCount++;
             });
 
-            var addSpnToEnvironment: boolean = tl.getBoolInput('addSpnToEnvironment', false);
-            var authorizationScheme = tl.getEndpointAuthorizationScheme(connectedService, true).toLowerCase();
+            const addSpnToEnvironment: boolean = tl.getBoolInput('addSpnToEnvironment', false);
             if (!!addSpnToEnvironment && authorizationScheme == 'serviceprincipal') {
                 exitCode = await tool.exec({
                     failOnStdErr: false,
@@ -92,6 +107,10 @@ export class azureclitask {
             }
         }
         finally {
+            if (keepAzSessionActive) {
+              stopRefreshingSession();
+            }
+
             if (scriptType) {
                 await scriptType.cleanUp();
             }
@@ -276,6 +295,19 @@ export class azureclitask {
 
         return response.oidcToken;
     }
+
+    private static keepRefreshingAzSession(connectedService: string): () => void {
+        const intervalId = setInterval(async () => {
+         try {
+            tl.debug(tl.loc('RefreshingAzSession'));
+            await this.loginAzureRM(connectedService);
+         } catch (error) {
+            tl.warning(tl.loc('FailedToRefreshAzSession', error));
+         }
+        }, AZ_SESSION_REFRESH_INTERVAL_MS);
+
+        return () => clearInterval(intervalId);
+    }
 }
 
 tl.setResourcePath(path.join(__dirname, "task.json"));
diff --git a/Tasks/AzureCLIV2/task.json b/Tasks/AzureCLIV2/task.json
@@ -20,7 +20,7 @@
     "version": {
         "Major": 2,
         "Minor": 241,
-        "Patch": 0
+        "Patch": 2
     },
     "minimumAgentVersion": "2.0.0",
     "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -180,7 +180,16 @@
             "required": false,
             "helpMarkDown": "If this is set to true, az login command will output to the task. Setting it to false will suppress the az login output",
             "groupName": "advanced"
-        }        
+        },
+        {
+            "name": "keepAzSessionActive",
+            "type": "boolean",
+            "label": "[Experimental] Keep Azure CLI session active",
+            "defaultValue": "false",
+            "required": false,
+            "helpMarkDown": "When enabled, this task will continuously sign into Azure to avoid AADSTS700024 errors when requesting access tokens beyond the IdToken expiry date. Note that this feature is EXPERIMENTAL, may not work in all scenarios and you are using it without any guarantees. Valid only for service connections using the Workload Identity Federation authentication scheme.",
+            "groupName": "advanced"
+        }
     ],
     "execution": {
         "Node10": {
@@ -211,6 +220,9 @@
         "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
         "UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'",
         "ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections.",
-        "ProxyConfig":"az tool is configured to use %s as proxy server"
+        "ProxyConfig":"az tool is configured to use %s as proxy server",
+        "FailedToRefreshAzSession": "The following error occurred while trying to refresh az-cli session: %s",
+        "RefreshingAzSession": "Attempting to refresh az-cli session...",
+        "KeepingAzSessionActiveUnsupportedScheme": "The 'keepAzSessionActive' input might be used only for workload identity federation ARM service connection. The referenced service endpoint auth scheme was unexpected: %s. Change the scheme or remove 'keepAzSessionActive' input."
     }
 }
diff --git a/Tasks/AzureCLIV2/task.loc.json b/Tasks/AzureCLIV2/task.loc.json
@@ -20,7 +20,7 @@
   "version": {
     "Major": 2,
     "Minor": 241,
-    "Patch": 0
+    "Patch": 2
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -180,6 +180,15 @@
       "required": false,
       "helpMarkDown": "ms-resource:loc.input.help.visibleAzLogin",
       "groupName": "advanced"
+    },
+    {
+      "name": "keepAzSessionActive",
+      "type": "boolean",
+      "label": "ms-resource:loc.input.label.keepAzSessionActive",
+      "defaultValue": "false",
+      "required": false,
+      "helpMarkDown": "ms-resource:loc.input.help.keepAzSessionActive",
+      "groupName": "advanced"
     }
   ],
   "execution": {
@@ -211,6 +220,9 @@
     "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning",
     "UnacceptedScriptLocationValue": "ms-resource:loc.messages.UnacceptedScriptLocationValue",
     "ExpiredServicePrincipalMessageWithLink": "ms-resource:loc.messages.ExpiredServicePrincipalMessageWithLink",
-    "ProxyConfig": "ms-resource:loc.messages.ProxyConfig"
+    "ProxyConfig": "ms-resource:loc.messages.ProxyConfig",
+    "FailedToRefreshAzSession": "ms-resource:loc.messages.FailedToRefreshAzSession",
+    "RefreshingAzSession": "ms-resource:loc.messages.RefreshingAzSession",
+    "KeepingAzSessionActiveUnsupportedScheme": "ms-resource:loc.messages.KeepingAzSessionActiveUnsupportedScheme"
   }
 }
diff --git a/_generated/AzureCLIV2.versionmap.txt b/_generated/AzureCLIV2.versionmap.txt
@@ -1,2 +1,2 @@
-Default|2.241.0
-Node20_229_2|2.241.1
+Default|2.241.2
+Node20_229_2|2.241.3
diff --git a/_generated/AzureCLIV2/Strings/resources.resjson/en-US/resources.resjson b/_generated/AzureCLIV2/Strings/resources.resjson/en-US/resources.resjson
@@ -31,6 +31,8 @@
   "loc.input.help.powerShellIgnoreLASTEXITCODE": "If this is false, the line `if ((Test-Path -LiteralPath variable:\\LASTEXITCODE)) { exit $LASTEXITCODE }` is appended to the end of your script. This will cause the last exit code from an external command to be propagated as the exit code of powershell. Otherwise the line is not appended to the end of your script.",
   "loc.input.label.visibleAzLogin": "az login output visibility",
   "loc.input.help.visibleAzLogin": "If this is set to true, az login command will output to the task. Setting it to false will suppress the az login output",
+  "loc.input.label.keepAzSessionActive": "[Experimental] Keep Azure CLI session active",
+  "loc.input.help.keepAzSessionActive": "When enabled, this task will continuously sign into Azure to avoid AADSTS700024 errors when requesting access tokens beyond the IdToken expiry date. Note that this feature is EXPERIMENTAL, may not work in all scenarios and you are using it without any guarantees. Valid only for service connections using the Workload Identity Federation authentication scheme.",
   "loc.messages.ScriptReturnCode": "Script exited with return code: %d",
   "loc.messages.ScriptFailed": "Script failed with error: %s",
   "loc.messages.ScriptFailedStdErr": "Script has output to stderr. Failing as failOnStdErr is set to true.",
@@ -49,5 +51,8 @@
   "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
   "loc.messages.UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'",
   "loc.messages.ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections.",
-  "loc.messages.ProxyConfig": "az tool is configured to use %s as proxy server"
+  "loc.messages.ProxyConfig": "az tool is configured to use %s as proxy server",
+  "loc.messages.FailedToRefreshAzSession": "The following error occurred while trying to refresh az-cli session: %s",
+  "loc.messages.RefreshingAzSession": "Attempting to refresh az-cli session...",
+  "loc.messages.KeepingAzSessionActiveUnsupportedScheme": "The 'keepAzSessionActive' input might be used only for workload identity federation ARM service connection. The referenced service endpoint auth scheme was unexpected: %s. Change the scheme or remove 'keepAzSessionActive' input."
 }
diff --git a/_generated/AzureCLIV2/azureclitask.ts b/_generated/AzureCLIV2/azureclitask.ts
@@ -8,6 +8,7 @@ import { getHandlerFromToken, WebApi } from "azure-devops-node-api";
 import { ITaskApi } from "azure-devops-node-api/TaskApi";
 
 const FAIL_ON_STDERR: string = "FAIL_ON_STDERR";
+const AZ_SESSION_REFRESH_INTERVAL_MS: number = 480000; // 8 minutes, 2 minutes before IdToken expiry date
 
 export class azureclitask {
 
@@ -41,8 +42,23 @@ export class azureclitask {
             this.setConfigDirectory();
             this.setAzureCloudBasedOnServiceEndpoint();
             var connectedService: string = tl.getInput("connectedServiceNameARM", true);
+            const authorizationScheme = tl.getEndpointAuthorizationScheme(connectedService, true).toLowerCase();
+            
             await this.loginAzureRM(connectedService);
 
+            var keepAzSessionActive: boolean = tl.getBoolInput('keepAzSessionActive', false);
+            var stopRefreshingSession: () => void = () => {};
+            if (keepAzSessionActive) {
+                // This is a tactical workaround to keep the session active for the duration of the task to avoid AADSTS700024 errors.
+                // This is a temporary solution until the az cli provides a way to refresh the session.
+                if (authorizationScheme !== 'workloadidentityfederation') {
+                    const errorMessage = tl.loc('KeepingAzSessionActiveUnsupportedScheme', authorizationScheme);
+                    tl.error(errorMessage);
+                    throw errorMessage;
+                }
+                stopRefreshingSession = this.keepRefreshingAzSession(connectedService);
+            }
+
             let errLinesCount: number = 0;
             let aggregatedErrorLines: string[] = [];
             tool.on('errline', (errorLine: string) => {
@@ -52,8 +68,7 @@ export class azureclitask {
                 errLinesCount++;
             });
 
-            var addSpnToEnvironment: boolean = tl.getBoolInput('addSpnToEnvironment', false);
-            var authorizationScheme = tl.getEndpointAuthorizationScheme(connectedService, true).toLowerCase();
+            const addSpnToEnvironment: boolean = tl.getBoolInput('addSpnToEnvironment', false);
             if (!!addSpnToEnvironment && authorizationScheme == 'serviceprincipal') {
                 exitCode = await tool.exec({
                     failOnStdErr: false,
@@ -92,6 +107,10 @@ export class azureclitask {
             }
         }
         finally {
+            if (keepAzSessionActive) {
+              stopRefreshingSession();
+            }
+
             if (scriptType) {
                 await scriptType.cleanUp();
             }
@@ -276,6 +295,19 @@ export class azureclitask {
 
         return response.oidcToken;
     }
+
+    private static keepRefreshingAzSession(connectedService: string): () => void {
+        const intervalId = setInterval(async () => {
+         try {
+            tl.debug(tl.loc('RefreshingAzSession'));
+            await this.loginAzureRM(connectedService);
+         } catch (error) {
+            tl.warning(tl.loc('FailedToRefreshAzSession', error));
+         }
+        }, AZ_SESSION_REFRESH_INTERVAL_MS);
+
+        return () => clearInterval(intervalId);
+    }
 }
 
 tl.setResourcePath(path.join(__dirname, "task.json"));
diff --git a/_generated/AzureCLIV2/task.json b/_generated/AzureCLIV2/task.json
@@ -20,7 +20,7 @@
   "version": {
     "Major": 2,
     "Minor": 241,
-    "Patch": 0
+    "Patch": 2
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -180,6 +180,15 @@
       "required": false,
       "helpMarkDown": "If this is set to true, az login command will output to the task. Setting it to false will suppress the az login output",
       "groupName": "advanced"
+    },
+    {
+      "name": "keepAzSessionActive",
+      "type": "boolean",
+      "label": "[Experimental] Keep Azure CLI session active",
+      "defaultValue": "false",
+      "required": false,
+      "helpMarkDown": "When enabled, this task will continuously sign into Azure to avoid AADSTS700024 errors when requesting access tokens beyond the IdToken expiry date. Note that this feature is EXPERIMENTAL, may not work in all scenarios and you are using it without any guarantees. Valid only for service connections using the Workload Identity Federation authentication scheme.",
+      "groupName": "advanced"
     }
   ],
   "execution": {
@@ -211,10 +220,13 @@
     "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
     "UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'",
     "ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at\u00A0%s See\u00A0https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections.",
-    "ProxyConfig": "az tool is configured to use %s as proxy server"
+    "ProxyConfig": "az tool is configured to use %s as proxy server",
+    "FailedToRefreshAzSession": "The following error occurred while trying to refresh az-cli session: %s",
+    "RefreshingAzSession": "Attempting to refresh az-cli session...",
+    "KeepingAzSessionActiveUnsupportedScheme": "The 'keepAzSessionActive' input might be used only for workload identity federation ARM service connection. The referenced service endpoint auth scheme was unexpected: %s. Change the scheme or remove 'keepAzSessionActive' input."
   },
   "_buildConfigMapping": {
-    "Default": "2.241.0",
-    "Node20_229_2": "2.241.1"
+    "Default": "2.241.2",
+    "Node20_229_2": "2.241.3"
   }
 }
diff --git a/_generated/AzureCLIV2/task.loc.json b/_generated/AzureCLIV2/task.loc.json
@@ -20,7 +20,7 @@
   "version": {
     "Major": 2,
     "Minor": 241,
-    "Patch": 0
+    "Patch": 2
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -180,6 +180,15 @@
       "required": false,
       "helpMarkDown": "ms-resource:loc.input.help.visibleAzLogin",
       "groupName": "advanced"
+    },
+    {
+      "name": "keepAzSessionActive",
+      "type": "boolean",
+      "label": "ms-resource:loc.input.label.keepAzSessionActive",
+      "defaultValue": "false",
+      "required": false,
+      "helpMarkDown": "ms-resource:loc.input.help.keepAzSessionActive",
+      "groupName": "advanced"
     }
   ],
   "execution": {
@@ -211,10 +220,13 @@
     "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning",
     "UnacceptedScriptLocationValue": "ms-resource:loc.messages.UnacceptedScriptLocationValue",
     "ExpiredServicePrincipalMessageWithLink": "ms-resource:loc.messages.ExpiredServicePrincipalMessageWithLink",
-    "ProxyConfig": "ms-resource:loc.messages.ProxyConfig"
+    "ProxyConfig": "ms-resource:loc.messages.ProxyConfig",
+    "FailedToRefreshAzSession": "ms-resource:loc.messages.FailedToRefreshAzSession",
+    "RefreshingAzSession": "ms-resource:loc.messages.RefreshingAzSession",
+    "KeepingAzSessionActiveUnsupportedScheme": "ms-resource:loc.messages.KeepingAzSessionActiveUnsupportedScheme"
   },
   "_buildConfigMapping": {
-    "Default": "2.241.0",
-    "Node20_229_2": "2.241.1"
+    "Default": "2.241.2",
+    "Node20_229_2": "2.241.3"
   }
 }
diff --git a/_generated/AzureCLIV2_Node20/Strings/resources.resjson/en-US/resources.resjson b/_generated/AzureCLIV2_Node20/Strings/resources.resjson/en-US/resources.resjson
diff --git a/_generated/AzureCLIV2_Node20/azureclitask.ts b/_generated/AzureCLIV2_Node20/azureclitask.ts
diff --git a/_generated/AzureCLIV2_Node20/task.json b/_generated/AzureCLIV2_Node20/task.json
diff --git a/_generated/AzureCLIV2_Node20/task.loc.json b/_generated/AzureCLIV2_Node20/task.loc.json
