WorkloadIdentityFederation auth support for powershell-based tasks (#…

…17819)

* Added workload identity federation auth scheme support for powershell

---------

Co-authored-by: Ondřej Netočný <onetocny@microsoft.com>
Co-authored-by: Ozan AYDIN <ozanaydin@microsoft.com>
Co-authored-by: Pavlo Andriiesh <pavlo.andriiesh@gmail.com>

Tasks/AzureCloudPowerShellDeploymentV1/task.json

@@ -16,7 +16,7 @@
     "author": "Microsoft Corporation",
     "version": {
         "Major": 1,
-        "Minor": 218,
+        "Minor": 221,
         "Patch": 0
     },
     "demands": [

Tasks/AzureCloudPowerShellDeploymentV1/task.loc.json

@@ -16,7 +16,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 218,
+    "Minor": 221,
     "Patch": 0
   },
   "demands": [

Tasks/AzureFileCopyV1/AzureFileCopy.ps1

@@ -92,14 +92,17 @@ try {
         # Getting connection type (Certificate/UserNamePassword/SPN) used for the task
         $connectionType = Get-TypeOfConnection -connectedServiceName $connectedServiceName
 
+        $vstsEndpoint = Get-VstsEndpoint -Name SystemVssConnection -Require
+        $vstsAccessToken = $vstsEndpoint.auth.parameters.AccessToken
+
         # Getting storage key for the storage account based on the connection type
-        $storageKey = Get-StorageKey -storageAccountName $storageAccount -connectionType $connectionType -connectedServiceName $connectedServiceName
+        $storageKey = Get-StorageKey -storageAccountName $storageAccount -connectionType $connectionType -connectedServiceName $connectedServiceName -vstsAccessToken $vstsAccessToken
 
         # creating storage context to be used while creating container, sas token, deleting container
         $storageContext = Create-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
-        
+
         # Geting Azure Storage Account type
-        $storageAccountType = Get-StorageAccountType -storageAccountName $storageAccount -connectionType $connectionType -connectedServiceName $connectedServiceName
+        $storageAccountType = Get-StorageAccountType $storageAccount $connectionType $connectedServiceName $vstsAccessToken
         Write-Verbose "Obtained Storage Account type: $storageAccountType"
         if(-not [string]::IsNullOrEmpty($storageAccountType) -and $storageAccountType.Contains('Premium'))
         {
@@ -169,11 +172,12 @@ try {
         # Normalize admin username
         if($vmsAdminUserName -and (-not $vmsAdminUserName.StartsWith(".\")) -and ($vmsAdminUserName.IndexOf("\") -eq -1) -and ($vmsAdminUserName.IndexOf("@") -eq -1))
         {
-            $vmsAdminUserName = ".\" + $vmsAdminUserName 
+            $vmsAdminUserName = ".\" + $vmsAdminUserName
         }
         # getting azure vms properties(name, fqdn, winrmhttps port)
         $azureVMResourcesProperties = Get-AzureVMResourcesProperties -resourceGroupName $environmentName -connectionType $connectionType `
-        -resourceFilteringMethod $resourceFilteringMethod -machineNames $machineNames -enableCopyPrerequisites $enableCopyPrerequisites -connectedServiceName $connectedServiceName
+            -resourceFilteringMethod $resourceFilteringMethod -machineNames $machineNames -enableCopyPrerequisites $enableCopyPrerequisites `
+            -connectedServiceName $connectedServiceName -vstsAccessToken $vstsAccessToken
 
         $skipCACheckOption = Get-SkipCACheckOption -skipCACheck $skipCACheck
         $azureVMsCredentials = Get-AzureVMsCredentials -vmsAdminUserName $vmsAdminUserName -vmsAdminPassword $vmsAdminPassword

Tasks/AzureFileCopyV1/AzureUtilityGTE1.0.ps1

@@ -100,7 +100,9 @@ function Get-AzureBlobStorageEndpointFromRDFE
 function Get-AzureBlobStorageEndpointFromARM
 {
     param([string]$storageAccountName,
-          [object]$endpoint)
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($storageAccountName))
     {
@@ -135,7 +137,9 @@ function Get-AzureStorageAccountTypeFromRDFE
 function Get-AzureStorageAccountTypeFromARM
 {
     param([string]$storageAccountName,
-          [object]$endpoint)
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($storageAccountName))
     {
@@ -288,26 +292,28 @@ function Get-AzureRMVMsInResourceGroup
 function Get-AzureRMResourceGroupResourcesDetailsForAzureStack
 {
     param([string]$resourceGroupName,
-          [object]$azureRMVMResources,
-          [object]$endpoint)
+        [object]$azureRMVMResources,
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     [hashtable]$azureRGResourcesDetails = @{}
     [hashtable]$loadBalancerDetails = @{}
-    
+
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and $azureRMVMResources)
     {
         Write-Verbose "[Azure Call]Getting network interfaces in resource group $resourceGroupName"
-        $networkInterfaceResources = Get-AzureNetworkInterfaceDetails -ResourceGroupName $resourceGroupName -endpoint $endpoint
+        $networkInterfaceResources = Get-AzureNetworkInterfaceDetails $resourceGroupName $endpoint $connectedServiceNameARM $vstsAccessToken
         Write-Verbose "[Azure Call]Got network interfaces in resource group $resourceGroupName"
         $azureRGResourcesDetails.Add("networkInterfaceResources", $networkInterfaceResources)
 
         Write-Verbose "[Azure Call]Getting public IP Addresses in resource group $resourceGroupName"
-        $publicIPAddressResources = Get-AzurePublicIpAddressDetails -ResourceGroupName $resourceGroupName -endpoint $endpoint
+        $publicIPAddressResources = Get-AzurePublicIpAddressDetails $resourceGroupName $endpoint $connectedServiceNameARM $vstsAccessToken
         Write-Verbose "[Azure Call]Got public IP Addresses in resource group $resourceGroupName"
         $azureRGResourcesDetails.Add("publicIPAddressResources", $publicIPAddressResources)
 
         Write-Verbose "[Azure Call]Getting load balancers in resource group $resourceGroupName"
-        $lbGroup =  Get-AzureLoadBalancersDetails -ResourceGroupName $resourceGroupName -endpoint $endpoint
+        $lbGroup =  Get-AzureLoadBalancersDetails $resourceGroupName $endpoint $connectedServiceNameARM $vstsAccessToken
         Write-Verbose "[Azure Call]Got load balancers in resource group $resourceGroupName"
 
         if($lbGroup)
@@ -316,7 +322,7 @@ function Get-AzureRMResourceGroupResourcesDetailsForAzureStack
             {
                 $lbDetails = @{}
                 Write-Verbose "[Azure Call]Getting load balancer in resource group $resourceGroupName"
-                $loadBalancer = Get-AzureLoadBalancerDetails -Name $lb.Name -ResourceGroupName $resourceGroupName -endpoint $endpoint
+                $loadBalancer = Get-AzureLoadBalancerDetails $resourceGroupName $lb.Name $endpoint $connectedServiceNameARM $vstsAccessToken
                 Write-Verbose "[Azure Call]Got load balancer in resource group $resourceGroupName"
 
                 Write-Verbose "[Azure Call]Getting LoadBalancer Frontend Ip Config"
@@ -421,24 +427,26 @@ function Get-AzureMachineStatus
         $status = Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $name -Status -ErrorAction Stop -Verbose
         Write-Host (Get-VstsLocString -Key "AFC_GetVMStatusComplete" -ArgumentList $name)
     }
-	
+
     return $status
 }
 
 function Get-AzureMachineCustomScriptExtension
 {
     param([string]$resourceGroupName,
-          [string]$vmName,
-          [string]$name,
-          [object]$endpoint)
+        [string]$vmName,
+        [string]$name,
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and -not [string]::IsNullOrEmpty($vmName))
     {
         Write-Host (Get-VstsLocString -Key "AFC_GetCustomScriptExtension" -ArgumentList $name, $vmName)
-        $customScriptExtension = Get-AzureRmVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -ErrorAction Stop -Verbose     
+        $customScriptExtension = Get-AzureRmVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -ErrorAction Stop -Verbose
         Write-Host (Get-VstsLocString -Key "AFC_GetCustomScriptExtensionComplete" -ArgumentList $name, $vmName)
     }
-	
+
     return $customScriptExtension
 }
 
@@ -455,24 +463,26 @@ function Set-AzureMachineCustomScriptExtension
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and -not [string]::IsNullOrEmpty($vmName) -and -not [string]::IsNullOrEmpty($name))
     {
         Write-Host (Get-VstsLocString -Key "AFC_SetCustomScriptExtension" -ArgumentList $name, $vmName)
-        $result = Set-AzureRmVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -FileUri $fileUri  -Run $run -Argument $argument -Location $location -ErrorAction Stop -Verbose		
+        $result = Set-AzureRmVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -FileUri $fileUri  -Run $run -Argument $argument -Location $location -ErrorAction Stop -Verbose
         Write-Host (Get-VstsLocString -Key "AFC_SetCustomScriptExtensionComplete" -ArgumentList $name, $vmName)
     }
-	
+
     return $result
 }
 
 function Remove-AzureMachineCustomScriptExtension
 {
     param([string]$resourceGroupName,
-          [string]$vmName,
-          [string]$name,
-          [object]$endpoint)
+        [string]$vmName,
+        [string]$name,
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and -not [string]::IsNullOrEmpty($vmName) -and -not [string]::IsNullOrEmpty($name))
     {
         Write-Host (Get-VstsLocString -Key "AFC_RemoveCustomScriptExtension" -ArgumentList $name, $vmName)
-        $response = Remove-AzureRmVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -Force -ErrorAction SilentlyContinue -Verbose		
+        $response = Remove-AzureRmVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -Force -ErrorAction SilentlyContinue -Verbose
         Write-Host (Get-VstsLocString -Key "AFC_RemoveCustomScriptExtensionComplete" -ArgumentList $name, $vmName)
     }
 

Tasks/AzureFileCopyV1/AzureUtilityLTE9.8.ps1

@@ -106,7 +106,9 @@ function Get-AzureBlobStorageEndpointFromRDFE
 function Get-AzureBlobStorageEndpointFromARM
 {
     param([string]$storageAccountName,
-          [object]$endpoint)
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($storageAccountName))
     {
@@ -145,7 +147,9 @@ function Get-AzureStorageAccountTypeFromRDFE
 function Get-AzureStorageAccountTypeFromARM
 {
     param([string]$storageAccountName,
-          [object]$endpoint)
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($storageAccountName))
     {
@@ -391,25 +395,27 @@ function Get-AzureMachineStatus
         $status = Get-AzureVM -ResourceGroupName $resourceGroupName -Name $name -Status -ErrorAction Stop -Verbose
         Write-Host (Get-VstsLocString -Key "AFC_GetVMStatusComplete" -ArgumentList $name)
     }
-	
+
     return $status
 }
 
 function Get-AzureMachineCustomScriptExtension
 {
     param([string]$resourceGroupName,
-          [string]$vmName,
-          [string]$name,
-          [object]$endpoint)
+        [string]$vmName,
+        [string]$name,
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     Switch-AzureMode AzureResourceManager
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and -not [string]::IsNullOrEmpty($vmName))
     {
         Write-Host (Get-VstsLocString -Key "AFC_GetCustomScriptExtension" -ArgumentList $name, $vmName)
-        $customScriptExtension = Get-AzureVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -ErrorAction Stop -Verbose     
+        $customScriptExtension = Get-AzureVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -ErrorAction Stop -Verbose
         Write-Host (Get-VstsLocString -Key "AFC_GetCustomScriptExtensionComplete" -ArgumentList $name, $vmName)
     }
-	
+
     return $customScriptExtension
 }
 
@@ -427,25 +433,27 @@ function Set-AzureMachineCustomScriptExtension
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and -not [string]::IsNullOrEmpty($vmName) -and -not [string]::IsNullOrEmpty($name))
     {
         Write-Host (Get-VstsLocString -Key "AFC_SetCustomScriptExtension" -ArgumentList $name, $vmName)
-        $result = Set-AzureVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -FileUri $fileUri  -Run $run -Argument $argument -Location $location -ErrorAction Stop -Verbose		
+        $result = Set-AzureVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -FileUri $fileUri  -Run $run -Argument $argument -Location $location -ErrorAction Stop -Verbose
         Write-Host (Get-VstsLocString -Key "AFC_SetCustomScriptExtensionComplete" -ArgumentList $name, $vmName)
     }
-	
+
     return $result
 }
 
 function Remove-AzureMachineCustomScriptExtension
 {
     param([string]$resourceGroupName,
-          [string]$vmName,
-          [string]$name,
-          [object]$endpoint)
+        [string]$vmName,
+        [string]$name,
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     Switch-AzureMode AzureResourceManager
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and -not [string]::IsNullOrEmpty($vmName) -and -not [string]::IsNullOrEmpty($name))
     {
         Write-Host (Get-VstsLocString -Key "AFC_RemoveCustomScriptExtension" -ArgumentList $name, $vmName)
-        $response = Remove-AzureVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -Force -ErrorAction SilentlyContinue -Verbose		
+        $response = Remove-AzureVMCustomScriptExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $name -Force -ErrorAction SilentlyContinue -Verbose
         Write-Host (Get-VstsLocString -Key "AFC_SetCustomScriptExtensionComplete" -ArgumentList $name, $vmName)
     }
 

Tasks/AzureFileCopyV1/AzureUtilityRest.ps1

@@ -20,16 +20,18 @@ function Get-AzureStorageKeyFromRDFE
 function Get-AzureStorageKeyFromARM
 {
     param([string]$storageAccountName,
-          [object]$serviceEndpoint)
+        [object]$serviceEndpoint,
+        [string][Parameter(Mandatory=$false)]$connectedServiceNameARM,
+        [string][Parameter(Mandatory=$false)]$vstsAccessToken)
 
     if (-not [string]::IsNullOrEmpty($storageAccountName))
     {
         # get azure storage account resource group name
         $azureResourceGroupName = Get-AzureStorageAccountResourceGroupName -storageAccountName $storageAccountName
 
         Write-Verbose "[Azure Call]Retrieving storage key for the storage account: $storageAccount in resource group: $azureResourceid"
-        
-        $storageKeyDetails = Get-AzRMStorageKeys $azureResourceGroupName $storageAccountName $serviceEndpoint
+
+        $storageKeyDetails = Get-AzRMStorageKeys $azureResourceGroupName $storageAccountName $serviceEndpoint $connectedServiceNameARM $vstsAccessToken
         $storageKey = $storageKeyDetails.Key1
         Write-Verbose "[Azure Call]Retrieved storage key successfully for the storage account: $storageAccount in resource group: $azureResourceGroupName"
 
@@ -60,21 +62,23 @@ function Get-AzureBlobStorageEndpointFromRDFE
 function Get-AzureBlobStorageEndpointFromARM
 {
     param([string]$storageAccountName,
-          [object]$endpoint)
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($storageAccountName))
     {
         # get azure storage account resource group name
         $azureResourceGroupName = Get-AzureStorageAccountResourceGroupName -storageAccountName $storageAccountName
 
         Write-Verbose "[Azure Call]Retrieving storage account endpoint for the storage account: $storageAccount in resource group: $azureResourceGroupName"
-        
-        $storageAccountInfo = Get-AzRMStorageAccount $azureResourceGroupName $storageAccountName $endpoint -ErrorAction Stop
+
+        $storageAccountInfo = Get-AzRMStorageAccount $azureResourceGroupName $storageAccountName $endpoint $connectedServiceNameARM $vstsAccessToken -ErrorAction Stop
         $storageAccountEnpoint = $storageAccountInfo.PrimaryEndpoints[0].blob
         Write-Verbose "[Azure Call]Retrieved storage account endpoint successfully for the storage account: $storageAccount in resource group: $azureResourceGroupName"
 
         return $storageAccountEnpoint
-    }          
+    }
 }
 
 function Get-AzureStorageAccountTypeFromRDFE
@@ -96,50 +100,56 @@ function Get-AzureStorageAccountTypeFromRDFE
 function Get-AzureStorageAccountTypeFromARM
 {
     param([string]$storageAccountName,
-          [object]$endpoint)
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($storageAccountName))
     {
         # get azure storage account resource group name
         $azureResourceGroupName = Get-AzureStorageAccountResourceGroupName -storageAccountName $storageAccountName
 
         Write-Verbose "[Azure Call]Retrieving storage account type for the storage account: $storageAccount in resource group: $azureResourceGroupName"
-        $storageAccountInfo = Get-AzRMStorageAccount $azureResourceGroupName $storageAccountName $endpoint -ErrorAction Stop
+        $storageAccountInfo = Get-AzRMStorageAccount $azureResourceGroupName $storageAccountName $endpoint $connectedServiceNameARM $vstsAccessToken -ErrorAction Stop
         $storageAccountType = $storageAccountInfo.sku.tier
                     Write-Verbose "[Azure Call]Retrieved storage account type successfully for the storage account: $storageAccount in resource group: $azureResourceGroupName"
 
         return $storageAccountType
-    }          
+    }
 }
 
 function Get-AzureMachineCustomScriptExtension
 {
    param([string]$resourceGroupName,
-          [string]$vmName,
-          [string]$name,
-          [object]$endpoint)
+        [string]$vmName,
+        [string]$name,
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and -not [string]::IsNullOrEmpty($vmName))
     {
         Write-Host (Get-VstsLocString -Key "AFC_GetCustomScriptExtension" -ArgumentList $name, $vmName)
-        $customScriptExtension = Get-AzRmVmCustomScriptExtension $resourceGroupName $vmName $name $endpoint  
+        $customScriptExtension = Get-AzRmVmCustomScriptExtension $resourceGroupName $vmName $name $endpoint $connectedServiceNameARM $vstsAccessToken
         Write-Host (Get-VstsLocString -Key "AFC_GetCustomScriptExtensionComplete" -ArgumentList $name, $vmName)
     }
-                
+
     return $customScriptExtension
 }
 
 function Remove-AzureMachineCustomScriptExtension
 {
     param([string]$resourceGroupName,
-          [string]$vmName,
-          [string]$name,
-          [object]$endpoint)
+        [string]$vmName,
+        [string]$name,
+        [object]$endpoint,
+        [string]$connectedServiceNameARM,
+        [string]$vstsAccessToken)
 
     if(-not [string]::IsNullOrEmpty($resourceGroupName) -and -not [string]::IsNullOrEmpty($vmName) -and -not [string]::IsNullOrEmpty($name))
     {
         Write-Host (Get-VstsLocString -Key "AFC_RemoveCustomScriptExtension" -ArgumentList $name, $vmName)
-        $response = Remove-AzRmVMCustomScriptExtension $resourceGroupName $vmName $name $endpoint        
+        $response = Remove-AzRmVMCustomScriptExtension $resourceGroupName $vmName $name $endpoint $connectedServiceNameARM $vstsAccessToken
         Write-Host (Get-VstsLocString -Key "AFC_RemoveCustomScriptExtensionComplete" -ArgumentList $name, $vmName)
     }