[Identity] Support Workload Identity for service connections

[KarishmaGhiya]

Packages impacted by this PR

Issues associated with this PR

Fixes #27093
Gist

Describe the problem that is addressed by this PR

• WorkloadIdentityCredential is extended to support the WI federation for servie connections in Azure Devops.
• For complete details on the design please review Gist
• We are not supporting this in DAC at the moment because of introduction of complicated design issues in DAC. Also we don't see this niche scenario that should be added to DAC. We can always make additional changes in the future to DAC with minimal design changes once Devops service provides better environment variable support for this scenario. But if we introduce the support now, we'll have to expose the parameter through DAC Options bag and it can be disruptive to remove in the future.

Work TBD:

• Update TS guide
• Update error messages
• Test it out for all scenarios

Checklists

• Added impacted package name to the issue description
• Added a changelog (if necessary)

[azure-sdk]

API change check

APIView has identified API level changes in this PR and created following API reviews.

@azure/identity

[maorleger]

Have a few questions / comments / nits - coming together though!

[maorleger]

What is the difference between WorkloadIdentityCredentialKubernetesOptions and WorkloadIdentityCredentialServiceConnectionOptions ? They look identical

[KarishmaGhiya]

One has federatedTokenFilePath required and the other has serviceConnectionId required

[maorleger]

Oh I see! I missed the never on each side.

This makes more sense now, but I wonder if undefined is a better type than never here - because the union of <type> and never is just <type> this ends up being undefined anyway.

What I mean is, try this in a typescript playground:

type Foo = string | never

If you hover over Foo in the editor you'll notice that the type is just string - TypeScript is smart enough to know that never can not be in the set of values here. When a user tries to set both, the error message will say:

Type 'string' is not assignable to type 'undefined'.ts(2322)

Which can be confusing.

So what I am suggesting is to change never to explicit undefined as a starting point. It'll make for less confusing error messages. Does that make sense? Happy to discuss more or brainstorm an API shape that provides better devex!

[KarishmaGhiya]

Tagging @bterlson to discuss which type should we use here for forbidden fields.

[maorleger]

Thanks Karishma - happy to learn one way or the other 👍

[maorleger]

I think federatedTokenFilePath is what we name the variable internally but the param is called tokenFilePath - if that's the case we should change the error message to specify the correct param name (otherwise it may be confusing to the user).

Also, is it an error to have AZURE_FEDERATED_TOKEN_FILE env var set and pass in serviceConnectionId via the params? Just curious

[KarishmaGhiya]

Yes that is going to be an error scenario.

[maorleger]

Makes sense, thanks!

[maorleger]

We should, ideally, use the core-rest-pipeline primitives unless there's a reason to use fetch directly

[maorleger]

I see that we're building this systemError and then setting it as an instance variable - where do we actually use it / throw it?

I also wonder if it would be cleaner to collect missing env var names in an array and then creating the error if the array is not empty (pseudocode below)

const missingEnvVars = []
if (!process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI) missingEnvVars.push("SYSTEM_TEAMFOUNDATIONCOLLECTIONURI")
...
...
if (missingEnvVars.length > 0) this.systemError = "Missing system variable(s) - ${missingEnvVars.join(', ')}"

Last question here is: is this a developer error or an SDK error for these to be missing? They're set by Azure DevOps right?

[KarishmaGhiya]

They are set by Azure Devops. So definitely not an error by developer. but by Azure Devops

[KarishmaGhiya]

Yes, that's a better strategy using the array

[KarishmaGhiya]

done

[maorleger]

Apologies for the PR noise 😄 but the new code should have test coverage - could you add tests?

[maorleger]

From a JS perspective this looks much better, thank you for indulging me! I'd like someone from the Identity crew to validate the logic as well 😇

[maorleger]

nit: you could move outside the if and remove the if entirely since you are validating tenantId exists 👍

[maorleger]

nit: I would move this to line 65 to keep it next to the code that sets clientId and tenantId

[maorleger]

clientId and tenantId should always be set by now, you can remove check for them

[maorleger]

clientId and tenantId should always be set by now, you can remove check for them

[maorleger]

Q: should we always hit 7.1-preview.1 API version? If not how do we move forward?

[Penguinwizzard]

Should we check that this is guid-like?

[Penguinwizzard]

This isn't a great error message - yes. the variables are missing, but we have a good idea as to why they might be, and what the user should do instead. For the first set, you can generate something like The environment variables SYSTEM_JOBID and SYSTEM_PLANID aren't defined - please ensure that you're running this task in an Azure Pipeline.

We can do more for undefined/non-null check for SYSTEM_ACCESSTOKEN with a message like:

Please ensure that the system access token is available in the SYSTEM_ACCESSTOKEN value; this is often most easily achieved by adding a block to the end of your pipeline yaml for the task with:
env:
- SYSTEM_ACCESSTOKEN: $(System.AccessToken)

[Penguinwizzard]

If we're doing this, why not do it by inheritance?

export interface WorkloadIdentityCredentialOptions
  extends MultiTenantTokenCredentialOptions,
    AuthorityValidationOptions {
    tenantId?: string,
    clientId?: string
}

export interface WorkloadIdentityCredentialKubernetesOptions
  extends WorkloadIdentityCredentialOptions {
    tokenFilePath?: string;
}

export interface WorkloadIdentityCredentialServiceConnectionOptions
  extends WorkloadIdentityCredentialOptions {
    serviceConnectionId?: string;
}

[KarishmaGhiya]

Closing in favor of #29392