azure-pipelines-tasks: [BUG]: AzureFileCopy task fails when using Workload Identity Federation
Task name
AzureFileCopy
Task version
5
Environment type (Please select at least one environment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operating system
windows-2022
Task log
Too long to be pasted: https://gist.github.com/Sharparam/c3bd654b31a9e6fa87473d89f71d2bdf
Relevant log output
##[error]Upload to container: 'redacted' in storage account: 'redacted' with blob prefix: '' failed with error: 'Unsupported authentication scheme 'WorkloadIdentityFederation' for endpoint.' For more info please refer to https://aka.ms/azurefilecopyreadme
Additional info
v5 is the latest version of the task.
About this issue
- State: closed
- Created 8 months ago
- Reactions: 16
- Comments: 22 (5 by maintainers)
The AzureFileCopyV6 task resolves this issue. It also uses Azure RBAC to access blob storage instead. This requires the identity of the service connection used to have the appropriate RBAC role, e.g. Storage Blob Data Contributor. See Assign an Azure role for access to blob data.
I was able to solve it by using an AzureCLI task, maybe this will help some people:
This sets the two variables storageToken and storageUri to call the specific ARM template files I need
I was able to work around this by ditching AzureFileCopy in favor of the Azure CLI task (which properly supports workload identities) with the “az storage blob upload-batch” command:
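For reference, a pipeline step along the lines of the Azure CLI workaround described in this thread. This is an added example, not code posted by any commenter or by the task maintainers. The service connection name, storage account, container and source folder are placeholders, and it assumes the service connection's identity holds a blob data role such as Storage Blob Data Contributor on the account.

```yaml
# Added example (not from the original thread).
# Placeholders: my-wif-service-connection, mystorageaccount, mycontainer.
pool:
  vmImage: windows-2022

steps:
  - task: AzureCLI@2
    displayName: Upload files to blob storage (workload identity federation)
    inputs:
      # Service connection created with workload identity federation;
      # no client secret is stored in Azure DevOps.
      azureSubscription: my-wif-service-connection
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        # --auth-mode login uses the signed-in identity's Azure RBAC role
        # on the data plane instead of a storage account key or SAS token.
        az storage blob upload-batch `
          --account-name mystorageaccount `
          --destination mycontainer `
          --source "$(Build.ArtifactStagingDirectory)" `
          --auth-mode login
```

Without `--auth-mode login` the CLI falls back to looking up an account key, which needs control-plane permission to list keys and defeats the purpose of scoping the identity to a data role.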
v6 was released yesterday and resolves this issue for us 😃
Yep, us too. Set up a new “Recommended” connection and our build script didn’t run and copy. Back to the old connection until there is a path forward.
Workload Identity Federation is the recommended method to create a service connection. This task should be able to support it.
We just switched back to the old authentication method for the time being.