DEV Community

Kinga
Kinga

Posted on

Convert to workload identity federation

#azure #devops #security

If you tried to convert your service connection to use Federated Credentials, and the automatic conversion failed, don't "try again". You need to do it manually.

Automatic authentication conversion failed.

The easiest approach that I found

Permissions

First of all, you need to make sure you have enough permissions. According to the documentation, you must ensure that you are the Owner of the Azure Subscription used for the service connection.

That's not enough. Make sure you have at least Global Reader, too.

The script

The easiest way to convert the connection manually is to run the

az ad app federated-credential create --id $appObjectId --parameters credential.json
Enter fullscreen mode Exit fullscreen mode

as described in Handling Manual Conversions.

The only tricky part is to update the credential.json correctly.

{
    "name": "__ENDPOINT_ID__",
    "issuer": "https://vstoken.dev.azure.com/__ORGANIZATION_ID__",
    "subject": "sc://__ORGANIZATION_NAME__/__PROJECT_NAME__/__SERVICE_CONNECTION_NAME__",
    "description": "Federation for Service Connection __SERVICE_CONNECTION_NAME__ in https://dev.azure.com/__ORGANIZATION_NAME__/__PROJECT_NAME__/_settings/adminservices?resourceId=__ENDPOINT_ID__",
    "audiences": [
        "api://AzureADTokenExchange"
    ]
}
Enter fullscreen mode Exit fullscreen mode

ENDPOINT_ID

The issuer and subject are displayed in the "Authentication conversion" section, that appears after automatic conversion fails. The __ENDPOINT_ID__, however... you have to find it =)

Navigate to the https://dev.azure.com/{__ORGANIZATION_NAME__}/__PROJECT_NAME__/_apis/serviceendpoint/endpoints?authSchemes=ServicePrincipal&type=azurerm&includeFailed=false&includeDetails=true&api-version=7.1 to see a list of all the service connections that can be converted.
Find the one you need, and copy the id - this is your __ENDPOINT_ID__.

{
    "count": 1,
    "value": [
        {
            "data": {
                "environment": "AzureCloud",
                "scopeLevel": "Subscription",
                //...
            },
            "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            //...
            "authorization": {
                "parameters": {
                    //...
                },
                "scheme": "ServicePrincipal"
            },
            "operationStatus": {
                "state": "Failed",
                "statusMessage": "converting_scheme_failed",
                "severity": null
            },
            "serviceEndpointProjectReferences": [
        //...
            ]
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Done?

Maybe I should have waited longer... After checking my service connection again, I still saw the blue dot, and the "conversion failed" error.

So I hit the "Try again" button again and.. lo and behold! It worked!

Top comments (0)

Read next

karthickdkk profile image

Dangerous Linux Configurations You Must Avoid for Secure Systems (Deep Dive)

karthick-dkk -

amandeol063 profile image

Week 2 in DevOps: From Linux Basics to Shell Scripting

Aman Deol -

sudhi_ranjangupta_adc8df profile image

Session Management, Tokens & Refresh Tokens

Sudhi Ranjan Gupta -

cicubeteam profile image

How to Use ENV variables in GitHub Actions

CiCube -