DEV Community

Kinga

Convert to workload identity federation

If you tried to convert your service connection to use Federated Credentials, and the automatic conversion failed, don't "try again". You need to do it manually.

Automatic authentication conversion failed.

The easiest approach that I found

Permissions

First of all, you need to make sure you have enough permissions. According to the documentation, you must ensure that you are the Owner of the Azure Subscription used for the service connection.

That's not enough. Make sure you have at least Global Reader, too.

The script

The easiest way to convert the connection manually is to run the

az ad app federated-credential create --id $appObjectId --parameters credential.json

as described in Handling Manual Conversions.

The only tricky part is to fill in credential.json correctly: every __PLACEHOLDER__ has to be replaced, and the subject has to match the organization, project and service connection name exactly.

{
    "name": "__ENDPOINT_ID__",
    "issuer": "https://vstoken.dev.azure.com/__ORGANIZATION_ID__",
    "subject": "sc://__ORGANIZATION_NAME__/__PROJECT_NAME__/__SERVICE_CONNECTION_NAME__",
    "description": "Federation for Service Connection __SERVICE_CONNECTION_NAME__ in https://dev.azure.com/__ORGANIZATION_NAME__/__PROJECT_NAME__/_settings/adminservices?resourceId=__ENDPOINT_ID__",
    "audiences": [
        "api://AzureADTokenExchange"
    ]
}

ENDPOINT_ID

The issuer and subject are displayed in the "Authentication conversion" section, which appears after the automatic conversion fails. The __ENDPOINT_ID__, however... you have to find it =)

Navigate to https://dev.azure.com/__ORGANIZATION_NAME__/__PROJECT_NAME__/_apis/serviceendpoint/endpoints?authSchemes=ServicePrincipal&type=azurerm&includeFailed=false&includeDetails=true&api-version=7.1 to see a list of all the service connections that can be converted.
Find the one you need and copy its id - this is your __ENDPOINT_ID__.

{
    "count": 1,
    "value": [
        {
            "data": {
                "environment": "AzureCloud",
                "scopeLevel": "Subscription",
                //...
            },
            "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            //...
            "authorization": {
                "parameters": {
                    //...
                },
                "scheme": "ServicePrincipal"
            },
            "operationStatus": {
                "state": "Failed",
                "statusMessage": "converting_scheme_failed",
                "severity": null
            },
            "serviceEndpointProjectReferences": [
        //...
            ]
        }
    ]
}
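As an added example (not from the original post), the following Python script ties the steps together: it picks the endpoint id out of a saved copy of the serviceendpoint/endpoints response, fills in the credential.json template from the post, refuses to continue if any __PLACEHOLDER__ is left unreplaced, and prints the az command to run. It assumes the endpoint objects carry a name field (elided with //... in the post's JSON); the organization id, names and GUIDs below are constructed sample values, and the app object id is a placeholder.

```python
"""Render credential.json for an Azure DevOps service connection and
locate the endpoint id. Added example; all sample values are constructed."""
from __future__ import annotations

import json
from typing import Any

# Fixed audience from the post's credential.json template.
AUDIENCE = "api://AzureADTokenExchange"

# Constructed stand-in for the _apis/serviceendpoint/endpoints response
# (query filtered on authSchemes=ServicePrincipal, so every entry is
# still on the old scheme). The "name" field is assumed to exist.
SAMPLE_ENDPOINTS: dict[str, Any] = {
    "count": 2,
    "value": [
        {"name": "prod-arm", "id": "11111111-1111-1111-1111-111111111111",
         "authorization": {"scheme": "ServicePrincipal"},
         "operationStatus": None},
        {"name": "dev-arm", "id": "22222222-2222-2222-2222-222222222222",
         "authorization": {"scheme": "ServicePrincipal"},
         "operationStatus": {"state": "Failed",
                             "statusMessage": "converting_scheme_failed",
                             "severity": None}},
    ],
}


def find_endpoint_id(endpoints_response: dict[str, Any], connection_name: str) -> str:
    """Return the id of the named service connection.

    Raise if the name is missing or ambiguous: federating the wrong
    endpoint would grant a different pipeline the app's permissions."""
    matches = [e for e in endpoints_response.get("value", [])
               if e.get("name") == connection_name]
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one endpoint named {connection_name!r}, found {len(matches)}")
    return matches[0]["id"]


def build_credential(endpoint_id: str, org_id: str, org_name: str,
                     project_name: str, connection_name: str) -> dict[str, Any]:
    """Fill the credential.json template from the post.

    Entra ID matches issuer and subject literally, so a typo in any
    of these values makes the token exchange fail rather than degrade."""
    return {
        "name": endpoint_id,
        "issuer": f"https://vstoken.dev.azure.com/{org_id}",
        "subject": f"sc://{org_name}/{project_name}/{connection_name}",
        "description": (
            f"Federation for Service Connection {connection_name} in "
            f"https://dev.azure.com/{org_name}/{project_name}/_settings/"
            f"adminservices?resourceId={endpoint_id}"
        ),
        "audiences": [AUDIENCE],
    }


def unfilled_placeholders(credential: dict[str, Any]) -> list[str]:
    """List keys whose value still contains a __PLACEHOLDER__ token."""
    return [key for key, value in credential.items() if "__" in json.dumps(value)]


def az_command(app_object_id: str, parameters_path: str = "credential.json") -> list[str]:
    """The command from the post, as an argv list (not executed here)."""
    return ["az", "ad", "app", "federated-credential", "create",
            "--id", app_object_id, "--parameters", parameters_path]


if __name__ == "__main__":
    endpoint_id = find_endpoint_id(SAMPLE_ENDPOINTS, "dev-arm")
    credential = build_credential(endpoint_id, "00000000-0000-0000-0000-000000000000",
                                  "contoso", "Platform", "dev-arm")
    leftovers = unfilled_placeholders(credential)
    if leftovers:
        raise SystemExit(f"placeholders still present in: {leftovers}")
    with open("credential.json", "w", encoding="utf-8") as fh:
        json.dump(credential, fh, indent=4)
    # <APP_OBJECT_ID> is a placeholder for the app registration's object id.
    print(" ".join(az_command("<APP_OBJECT_ID>")))
```

Run it after replacing the sample response with the JSON you fetched from the endpoints URL and the sample names with your own; the generated credential.json is then what the az command consumes.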

Done?

Maybe I should have waited longer... After checking my service connection again, I still saw the blue dot, and the "conversion failed" error.

So I hit the "Try again" button again and... lo and behold! It worked!
