Update pipeline to be using Service Principal instead of Service Acco…

…unt PAT (#7271) Update the following build pipelines to be using Service Principal for authentication to resources endpoints instead of using the Service Account PAT: - Nested pipelines - ISA95 - Build release ## Azure IoT Edge PR checklist:
Azure · Apr 23, 2024 · 68b617d · 68b617d
1 parent c13dabb
commit 68b617d
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 14 deletions.
diff --git a/builds/e2e/isa-95-smoke-test.yaml b/builds/e2e/isa-95-smoke-test.yaml
@@ -46,7 +46,7 @@ stages:
       - template: templates/nested-get-secrets.yaml
       - script: scripts/linux/nestedAgentLock.sh -a "$(agent.group)" -b "$(Build.BuildId)" -n 1 -u "amqp"
         env:
-          PAT: "$(IotEdge1-PAT-msazure)"
+          PAT: "$(IotEdgePAT)"
         displayName: Lock agents for nested topology
         name: lock_test_agent
 

diff --git a/builds/e2e/templates/lock-test-agents.yaml b/builds/e2e/templates/lock-test-agents.yaml
@@ -14,6 +14,6 @@ jobs:
       - template: nested-get-secrets.yaml
       - script: scripts/linux/nestedAgentLock.sh -a "$(agent.group)" -b "$(Build.BuildId)" -n ${{ parameters['testRunnerCount'] }} -u ${{ parameters['upstream.protocol'] }}
         env:
-          PAT: "$(IotEdge1-PAT-msazure)"
+          PAT: "$(IotEdgePAT)"
         displayName: Lock agents for nested topology
         name: lock_test_agent
diff --git a/builds/e2e/templates/nested-get-secrets.yaml b/builds/e2e/templates/nested-get-secrets.yaml
@@ -15,7 +15,6 @@ steps:
         GitHubAccessToken,
         edgebuild-blob-core-connection-string,
         edgebuild-service-principal-secret,
-        IotEdge1-PAT-msazure
 
   - task: AzureKeyVault@1
     displayName: 'Azure Key Vault: $(azure.keyVault)'
@@ -24,4 +23,21 @@ steps:
       KeyVaultName: $(azure.keyVault)
       SecretsFilter: >- 
         IotHub-ConnStr,
-        IotHub-EventHubConnStr
+        IotHub-EventHubConnStr
+
+  - task: AzureCLI@2
+    displayName: 'Get PAT'
+    inputs:
+      azureSubscription: 'IoTEdge1-msazure'
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        # Note that the resoruce is specified to limit the token to Azure DevOps
+        aadTokenInfo=$(az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798")
+        if [ $? -ne 0 ]; then
+            echo "Could not acquire Azure DevOps token."
+            exit 40
+        fi
+        echo "Azure DevOps AAD token acquired.  Expires $(echo $aadTokenInfo | jq -r .expiresOn)"
+        aadToken=$(echo $aadTokenInfo | jq -r .accessToken)
+        echo "##vso[task.setvariable variable=IotEdgePAT;issecret=true]$aadToken"
diff --git a/builds/e2e/templates/unlock-test-agents.yaml b/builds/e2e/templates/unlock-test-agents.yaml
@@ -5,7 +5,7 @@ steps:
     env:
       POOL_ID: 123
       API_VER: 6.0
-      PAT: "$(IotEdge1-PAT-msazure)"
+      PAT: "$(IotEdgePAT)"
       BUILD_ID: $(Build.BuildId)
     inputs:
       targetType: inline

diff --git a/builds/misc/packages-release.yaml b/builds/misc/packages-release.yaml
@@ -575,14 +575,6 @@ stages:
     steps:
     - checkout: azure-iotedge
     - checkout: self
-    - task: AzureKeyVault@1
-      displayName: Get secrets
-      inputs:
-        azureSubscription: $(az.subscription)
-        keyVaultName: $(kv.name)
-        secretsFilter: >-
-          IotEdge1-PAT-msazure
-
     - bash: |
         # Source the scripts & Update version files
         source $(Build.SourcesDirectory)/iotedge/scripts/linux/smokeTestHelper.sh
@@ -662,11 +654,29 @@ stages:
           "$(IsCheckPreviousPkg)"
       displayName: Released Artifacts Smoke Tests
 
+    - task: AzureCLI@2
+      condition: always()
+      displayName: 'Get PAT'
+      inputs:
+        azureSubscription: 'IoTEdge1-msazure'
+        scriptType: 'bash'
+        scriptLocation: 'inlineScript'
+        inlineScript: |
+          # Note that the resoruce is specified to limit the token to Azure DevOps
+          aadTokenInfo=$(az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798")
+          if [ $? -ne 0 ]; then
+              echo "Could not acquire Azure DevOps token."
+              exit 40
+          fi
+          echo "Azure DevOps AAD token acquired.  Expires $(echo $aadTokenInfo | jq -r .expiresOn)"
+          aadToken=$(echo $aadTokenInfo | jq -r .accessToken)
+          echo "##vso[task.setvariable variable=IotEdgePAT;issecret=true]$aadToken"
+
     - bash: |
         # Source the scripts & Update version files
         source $(Build.SourcesDirectory)/iotedge/scripts/linux/smokeTestHelper.sh
 
         test-released-images "$(Build.SourceBranchName)"
       displayName: Released Images Smoke Tests
       env:
-        DEVOPS_PAT: "$(IotEdge1-PAT-msazure)"
+        DEVOPS_PAT: "$(IotEdgePAT)"