use the correct OIDC request url for the powershell task #584

Open
wants to merge 4 commits into
base: master
@jedimanu-ux jedimanu-ux commented Dec 17, 2024

Description

The AZDO agents provide a variable which contains the actual URL needed to retrieve the OIDC token - System.OidcRequestUri
as specified in the documentation: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml

Motivation

I could not use the PowerShell Module with OIDC authentication in a Release because the OIDC request URL was wrong.

Testing

I manually changed the RunAWSPowerShellModuleScript.ps1 on one of my agents with the changes in this PR and it worked flawlessly.

Unfortunately the variant without explicit string concatenation

$url = "$Env:SYSTEM_OIDCREQUESTURI?api-version=7.1-preview.1&serviceConnectionId=$awsEndpoint"

didn't work since it seems PowerShell thinks "?" is part of the variable name, and the substitution failed. (https://stackoverflow.com/questions/66071918/why-does-powershell-not-process-a-string-correctly-which-has-a-dollar-sign-and-a)

Checklist

  • I have read the README document
  • I have read the CONTRIBUTING document
  • My code follows the code style of this project
  • I have added tests to cover my changes (no tests needed)
  • A short description of the change has been added to the changelog using the script npm run newChange

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@jedimanu-ux jedimanu-ux requested a review from a team as a code owner December 17, 2024 18:56
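
An added example (not code from this PR or from the toolkit): one way to build the OIDC token request URL from System.OidcRequestUri while avoiding the interpolation problem described above. `New-OidcTokenRequestUrl` is a hypothetical helper name, and the sample URI and ID are constructed, shaped like the redacted values quoted in this thread.

```powershell
# Added example; New-OidcTokenRequestUrl is a hypothetical helper name.
function New-OidcTokenRequestUrl {
    [CmdletBinding()]
    param(
        # Value of System.OidcRequestUri as supplied by the agent.
        [Parameter(Mandatory)] [string] $OidcRequestUri,
        # Service connection ID ($awsEndpoint in the PR description).
        [Parameter(Mandatory)] [string] $ServiceConnectionId,
        [string] $ApiVersion = '7.1-preview.1'
    )

    # The token request is authenticated with the job's access token, so
    # refuse anything that is not an absolute https URI.
    $parsed = $null
    if (-not [Uri]::TryCreate($OidcRequestUri, [UriKind]::Absolute, [ref] $parsed) -or
        $parsed.Scheme -ne 'https') {
        throw "OIDC request URI is not an absolute https URL: '$OidcRequestUri'"
    }
    if ($parsed.Query -or $parsed.Fragment) {
        throw 'OIDC request URI already carries a query string or fragment.'
    }

    # Escape both values so neither can add or alter query parameters.
    $version = [Uri]::EscapeDataString($ApiVersion)
    $connection = [Uri]::EscapeDataString($ServiceConnectionId)
    return '{0}?api-version={1}&serviceConnectionId={2}' -f $parsed.AbsoluteUri, $version, $connection
}

# Constructed sample values; on an agent the variable is already set.
$Env:SYSTEM_OIDCREQUESTURI = 'https://vsrm.dev.azure.com/123example/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/release/plans/00000000-0000-0000-0000-000000000000/jobs/00000000-0000-0000-0000-000000000000/oidctoken'
$awsEndpoint = '00000000-0000-0000-0000-000000000000'

# Braces end the variable name before "?", so this interpolates as intended,
# unlike "$Env:SYSTEM_OIDCREQUESTURI?api-version=...".
$inline = "${Env:SYSTEM_OIDCREQUESTURI}?api-version=7.1-preview.1&serviceConnectionId=$awsEndpoint"

$url = New-OidcTokenRequestUrl -OidcRequestUri $Env:SYSTEM_OIDCREQUESTURI -ServiceConnectionId $awsEndpoint
if ($url -ne $inline) { throw 'Both forms should yield the same URL.' }
$url
```
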
@jedimanu-ux
Author

@hayemaxi - would appreciate a review on this PR. Thanks in advance

@doronl07

@hayemaxi can you please give us an update?

@hayemaxi
Contributor

Could you help me understand what this is solving? Currently I am not experiencing any issues using the powershell task with OIDC in either YAML or classic pipelines. Is this related to first-time OIDC setup? Please provide more details on the error.

@jedimanu-ux
Author

jedimanu-ux commented Dec 20, 2024

Hey @hayemaxi, thanks for your input. The issue I'm having is on Release pipelines (not build).
See the error below (I replaced the IDs with empty ones):
2024-12-17T16:46:36.2739082Z ##[debug]POST https://dev.azure.com/123example/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/build/plans/00000000-0000-0000-0000-000000000000/jobs/00000000-0000-0000-0000-000000000000/oidctoken?api-version=7.1-preview.1&serviceConnectionId=00000000-0000-0000-0000-000000000000 with -1-byte payload
2024-12-17T16:46:36.6130270Z ##[debug]Leaving D:\work\Agent1\_tasks\AWSPowerShellModuleScript_37dda93c-8427-4372-9b7b-9b6e10f3f744\1.18.0\RunAWSPowerShellModuleScript.ps1.
2024-12-17T16:46:36.6201453Z ##[debug]Caught exception from task script.
2024-12-17T16:46:36.6244420Z ##[debug]Error record:
2024-12-17T16:46:36.8254299Z ##[debug]Invoke-WebRequest : {"$id":"1","innerException":null,"message":"No plan found for identifier 00000000-0000-0000-0000-000000000000.","typeName":"Microsoft.TeamFoundation.DistributedTask.WebApi.TaskOrchestrationPlanNotFoundException, Microsoft.TeamFoundation.DistributedTask.WebApi","typeKey":"TaskOrchestrationPlanNotFoundException","errorCode":0,"eventId":3000}

Also here's the SYSTEM_OIDCREQUESTURI:
[SYSTEM_OIDCREQUESTURI] --> [https://vsrm.dev.azure.com/123example/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/release/plans/00000000-0000-0000-0000-000000000000/jobs/00000000-0000-0000-0000-000000000000/oidctoken]

2 differences between the urls:

  1. hostname: dev.azure.com vs vsrm.dev.azure.com
  2. URL path: /hubs/build vs hubs/release

@hayemaxi
Copy link
Contributor

I understand now. I wasn't able to reproduce the exact error for the Release pipeline, but I did get an invalid URL error. It went away with your change, and build pipelines also seem to be working as well.

Thanks for this contribution! Due to the holidays we won't release this toolkit until the new year, and I still want to verify a few things.
