Support Azure Pipelines Environment Variables for AzurePipelinesCredential (#713)

* Initial plan

* Add Azure Pipelines environment variable support

Co-authored-by: weinong <4204090+weinong@users.noreply.github.com>

* Update documentation for Azure Pipelines environment variables

Co-authored-by: weinong <4204090+weinong@users.noreply.github.com>

* Apply suggestion from @weinong

* Apply suggestion from @weinong

* Remove references to addSpnToEnvironment from documentation

The Azure Pipelines environment variables are injected automatically by
Azure Pipelines tasks when using Azure Resource Manager service
connections, regardless of the addSpnToEnvironment setting.

Updated both azurepipelines.md and get-token.md to reflect this.

Co-authored-by: weinong <4204090+weinong@users.noreply.github.com>

* Fix Azure Pipelines validation and update documentation

- Remove strict validation for tenant-id and service-connection-id in
  azurepipelines login method as these can come from environment variables
- Remove validation for SYSTEM_ACCESSTOKEN and SYSTEM_OIDCREQUESTURI in
  Validate() since they're only needed when getting tokens, not when
  converting kubeconfig
- Update all documentation references from "Azure Pipelines tasks" to
  "AzureCLI@2 task" to be more specific
- Add az aks get-credentials command to example so server-id is not needed
- Remove Terraform integration example as requested
- Update Usage section in get-token.md with correct environment variable
  information
- Update tests to reflect the more lenient validation

Co-authored-by: weinong <4204090+weinong@users.noreply.github.com>

* Remove irrelevant Azure Pipelines validation comments

Removed lines 171-173 which were just explanatory comments about
validation that was removed. Since there's no actual validation code
for Azure Pipelines login method anymore, these comments are no longer
relevant in the context.

Co-authored-by: weinong <4204090+weinong@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: weinong <4204090+weinong@users.noreply.github.com>
Co-authored-by: Weinong Wang <weinong@outlook.com>

Author: Copilot

docs/book/src/cli/get-token.md

@@ -13,11 +13,11 @@ Usage:
 
 Flags:
       --authority-host string                          Workload Identity authority host. It may be specified in AZURE_AUTHORITY_HOST environment variable
-      --azure-pipelines-service-connection-id string   Service connection (resource) ID used by azurepipelines login method
+      --azure-pipelines-service-connection-id string   Service connection (resource) ID used by azurepipelines login method. It may be specified in AZURESUBSCRIPTION_SERVICE_CONNECTION_ID environment variable
       --cache-dir string                               directory to cache authentication record (default "/home/weinongw/.kube/cache/kubelogin/")
       --client-certificate string            AAD client cert in pfx. Used in spn login. It may be specified in AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE or AZURE_CLIENT_CERTIFICATE_PATH environment variable
       --client-certificate-password string   Password for AAD client cert. Used in spn login. It may be specified in AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE_PASSWORD or AZURE_CLIENT_CERTIFICATE_PASSWORD environment variable
-      --client-id string                     AAD client application ID. It may be specified in AAD_SERVICE_PRINCIPAL_CLIENT_ID or AZURE_CLIENT_ID environment variable
+      --client-id string                     AAD client application ID. It may be specified in AAD_SERVICE_PRINCIPAL_CLIENT_ID or AZURE_CLIENT_ID environment variable. For Azure Pipelines login, it may be specified in AZURESUBSCRIPTION_CLIENT_ID environment variable
       --client-secret string                 AAD client application secret. Used in spn login. It may be specified in AAD_SERVICE_PRINCIPAL_CLIENT_SECRET or AZURE_CLIENT_SECRET environment variable
       --disable-environment-override         Enable or disable the use of env-variables. Default false
       --disable-instance-discovery           set to true to disable instance discovery in environments with their own simple Identity Provider (not AAD) that do not have instance metadata discovery endpoint. Default false
@@ -33,7 +33,7 @@ Flags:
       --pop-enabled                          set to true to use a PoP token for authentication or false to use a regular bearer token
       --redirect-url string                  The URL Microsoft Entra ID will redirect to with the access token. This is only used for interactive login. This is an optional parameter.
       --server-id string                     AAD server application ID
-  -t, --tenant-id string                     AAD tenant ID. It may be specified in AZURE_TENANT_ID environment variable
+  -t, --tenant-id string                     AAD tenant ID. It may be specified in AZURE_TENANT_ID environment variable. For Azure Pipelines login, it may be specified in AZURESUBSCRIPTION_TENANT_ID environment variable
       --timeout duration                     Timeout duration for Azure CLI token requests. It may be specified in AZURE_CLI_TIMEOUT environment variable (default 30s)
       --use-azurerm-env-vars                 Use environment variable names of Terraform Azure Provider (ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_CLIENT_CERTIFICATE_PATH, ARM_CLIENT_CERTIFICATE_PASSWORD, ARM_TENANT_ID)
       --username string                      user name for ropc login flow. It may be specified in AAD_USER_PRINCIPAL_NAME or AZURE_USERNAME environment variable
@@ -232,6 +232,28 @@ users:
 
 ### Azure Pipelines
 
+When using `AzureCLI@2` task with Azure Resource Manager service connections, environment variables are automatically set. You only need to provide the `--server-id`:
+
+```yaml
+kind: Config
+preferences: {}
+users:
+  - name: demouser
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1beta1
+        args:
+          - get-token
+          - --server-id
+          - <AAD server app ID>
+          - --login
+          - azurepipelines
+        command: kubelogin
+        env: null
+```
+
+If environment variables are not available, provide all parameters explicitly:
+
 ```yaml
 kind: Config
 preferences: {}
@@ -255,3 +277,8 @@ users:
         command: kubelogin
         env: null
 ```
+
+> **Note**: When using `AzureCLI@2` task with Azure Resource Manager service connections, the following environment variables are automatically set and used:
+> - `AZURESUBSCRIPTION_TENANT_ID` for `--tenant-id`
+> - `AZURESUBSCRIPTION_CLIENT_ID` for `--client-id`
+> - `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` for `--azure-pipelines-service-connection-id`

docs/book/src/concepts/login-modes/azurepipelines.md

@@ -23,6 +23,13 @@ The authentication leverages Azure Pipelines' managed identity integration throu
 - `--server-id`: Application ID of the server/resource (typically the AKS cluster's server ID)
 - `--azure-pipelines-service-connection-id`: The resource ID of the Azure Resource Manager service connection
 
+> **Note**: When using `AzureCLI@2` task with Azure Resource Manager service connections, Azure Pipelines automatically sets the following environment variables which kubelogin will use if the corresponding flags are not provided:
+> - `AZURESUBSCRIPTION_TENANT_ID` - Automatically used for `--tenant-id`
+> - `AZURESUBSCRIPTION_CLIENT_ID` - Automatically used for `--client-id`
+> - `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` - Automatically used for `--azure-pipelines-service-connection-id`
+>
+> This means you only need to provide the `--server-id` parameter when these environment variables are available.
+
 ## Usage Examples
 
 ### Basic Usage in Pipeline
@@ -37,7 +44,32 @@ steps:
     scriptType: 'bash'
     scriptLocation: 'inlineScript'
     inlineScript: |
+      # Download kubeconfig from AKS
+      az aks get-credentials -g ${RESOURCE_GROUP} -n ${AKS_NAME}
+      
       # Configure kubeconfig to use azurepipelines login
+      # tenant-id, client-id, and service-connection-id are automatically detected from environment variables
+      kubelogin convert-kubeconfig --login azurepipelines
+      
+      # Now kubectl commands will authenticate using Azure Pipelines credentials
+      kubectl get nodes
+```
+
+### Basic Usage with Explicit Parameters
+
+If you prefer to explicitly provide all parameters:
+
+```yaml
+# azure-pipelines.yml
+steps:
+- task: AzureCLI@2
+  displayName: 'Deploy to AKS'
+  inputs:
+    azureSubscription: 'my-service-connection'
+    scriptType: 'bash'
+    scriptLocation: 'inlineScript'
+    inlineScript: |
+      # Configure kubeconfig to use azurepipelines login with explicit parameters
       kubelogin convert-kubeconfig \
         --login azurepipelines \
         --tenant-id $(tenant-id) \
@@ -47,13 +79,18 @@ steps:
       
       # Now kubectl commands will authenticate using Azure Pipelines credentials
       kubectl get nodes
-    addSpnToEnvironment: true  # This enables SYSTEM_ACCESSTOKEN
 ```
 
 ### Direct Token Retrieval
 
 ```bash
 # In Azure DevOps pipeline (with "Allow scripts to access the OAuth token" enabled)
+# Simplified version - uses environment variables automatically set by Azure Pipelines
+kubelogin get-token \
+  --login azurepipelines \
+  --server-id <cluster-server-id>
+
+# Or with explicit parameters
 kubelogin get-token \
   --login azurepipelines \
   --tenant-id <tenant-id> \
@@ -62,42 +99,27 @@ kubelogin get-token \
   --azure-pipelines-service-connection-id <service-connection-resource-id>
 ```
 
-### Terraform Integration
+## Environment Variable Support
 
-```yaml
-# azure-pipelines.yml for Terraform deployments
-steps:
-- task: TerraformTaskV3@3
-  displayName: 'Terraform Apply'
-  inputs:
-    provider: 'azurerm'
-    command: 'apply'
-    workingDirectory: '$(System.DefaultWorkingDirectory)/terraform'
-    environmentServiceNameAzureRM: 'my-service-connection'
-    commandOptions: |
-      -auto-approve
-  env:
-    # Configure kubeconfig for kubectl provider in Terraform
-    KUBECONFIG: $(Agent.TempDirectory)/kubeconfig
-- script: |
-    # Convert kubeconfig to use azurepipelines authentication
-    kubelogin convert-kubeconfig \
-      --login azurepipelines \
-      --tenant-id $(tenant-id) \
-      --client-id $(client-id) \
-      --server-id $(server-id) \
-      --azure-pipelines-service-connection-id $(service-connection-resource-id) \
-      --kubeconfig $(Agent.TempDirectory)/kubeconfig
-  displayName: 'Configure kubectl authentication'
-  condition: always()
-```
+When using `AzureCLI@2` task with Azure Resource Manager service connections, Azure Pipelines automatically sets environment variables for the service connection. Kubelogin automatically detects and uses these variables:
+
+| Environment Variable | Used For | Command-line Flag Equivalent |
+|---------------------|----------|------------------------------|
+| `AZURESUBSCRIPTION_TENANT_ID` | Tenant ID | `--tenant-id` |
+| `AZURESUBSCRIPTION_CLIENT_ID` | Client ID | `--client-id` |
+| `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` | Service Connection ID | `--azure-pipelines-service-connection-id` |
+
+**Precedence**: Command-line flags always take precedence over environment variables. This allows you to override specific values when needed.
+
+**Disabling Environment Variables**: You can use the `--disable-environment-override` flag to ignore all environment variables and require explicit parameters.
 
 ## How It Works
 
 1. **Service Connection**: Azure DevOps service connections provide managed identity or service principal authentication to Azure resources
 2. **System Access Token**: When "Allow scripts to access the OAuth token" is enabled, Azure Pipelines provides a `SYSTEM_ACCESSTOKEN` environment variable
-3. **OIDC Integration**: The `azurepipelines` login method uses Azure SDK's `AzurePipelinesCredential` to exchange the system access token for an Azure AD token
-4. **Token Caching**: Authentication tokens are cached to improve performance across multiple kubectl operations
+3. **Environment Variables**: When using `AzureCLI@2` task with Azure Resource Manager service connections, Azure Pipelines automatically sets subscription-specific environment variables
+4. **OIDC Integration**: The `azurepipelines` login method uses Azure SDK's `AzurePipelinesCredential` to exchange the system access token for an Azure AD token
+5. **Token Caching**: Authentication tokens are cached to improve performance across multiple kubectl operations
 
 ## Troubleshooting
 

pkg/internal/env/variables.go

@@ -31,4 +31,9 @@ const (
 	// env vars used by Azure Pipelines
 	SystemAccessToken    = "SYSTEM_ACCESSTOKEN"
 	SystemOIDCRequestURI = "SYSTEM_OIDCREQUESTURI"
+
+	// env vars used by Azure Pipelines service connections
+	AzureSubscriptionTenantID            = "AZURESUBSCRIPTION_TENANT_ID"
+	AzureSubscriptionServiceConnectionID = "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"
+	AzureSubscriptionClientID            = "AZURESUBSCRIPTION_CLIENT_ID"
 )

pkg/internal/token/options.go

@@ -93,7 +93,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVarP(&o.LoginMethod, "login", "l", o.LoginMethod,
 		fmt.Sprintf("Login method. Supported methods: %s. It may be specified in %s environment variable", GetSupportedLogins(), env.LoginMethod))
 	fs.StringVar(&o.ClientID, "client-id", o.ClientID,
-		fmt.Sprintf("AAD client application ID. It may be specified in %s or %s environment variable", env.KubeloginClientID, env.AzureClientID))
+		fmt.Sprintf("AAD client application ID. It may be specified in %s or %s environment variable. For Azure Pipelines login, it may be specified in %s environment variable", env.KubeloginClientID, env.AzureClientID, env.AzureSubscriptionClientID))
 	fs.StringVar(&o.ClientSecret, "client-secret", o.ClientSecret,
 		fmt.Sprintf("AAD client application secret. Used in spn login. It may be specified in %s or %s environment variable", env.KubeloginClientSecret, env.AzureClientSecret))
 	fs.StringVar(&o.ClientCert, "client-certificate", o.ClientCert,
@@ -111,11 +111,11 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.AuthorityHost, "authority-host", o.AuthorityHost,
 		fmt.Sprintf("Workload Identity authority host. It may be specified in %s environment variable", env.AzureAuthorityHost))
 	fs.StringVar(&o.AzurePipelinesServiceConnectionID, "azure-pipelines-service-connection-id", o.AzurePipelinesServiceConnectionID,
-		"Service connection (resource) ID used by azurepipelines login method")
+		fmt.Sprintf("Service connection (resource) ID used by azurepipelines login method. It may be specified in %s environment variable", env.AzureSubscriptionServiceConnectionID))
 	fs.StringVar(&o.AuthRecordCacheDir, "token-cache-dir", o.AuthRecordCacheDir, "directory to cache authentication record")
 	_ = fs.MarkDeprecated("token-cache-dir", "use --cache-dir instead")
 	fs.StringVar(&o.AuthRecordCacheDir, "cache-dir", o.AuthRecordCacheDir, "directory to cache authentication record")
-	fs.StringVarP(&o.TenantID, "tenant-id", "t", o.TenantID, fmt.Sprintf("AAD tenant ID. It may be specified in %s environment variable", env.AzureTenantID))
+	fs.StringVarP(&o.TenantID, "tenant-id", "t", o.TenantID, fmt.Sprintf("AAD tenant ID. It may be specified in %s environment variable. For Azure Pipelines login, it may be specified in %s environment variable", env.AzureTenantID, env.AzureSubscriptionTenantID))
 	fs.StringVarP(&o.Environment, "environment", "e", o.Environment, "Azure environment name")
 	fs.BoolVar(&o.IsLegacy, "legacy", o.IsLegacy, "set to true to get token with 'spn:' prefix in audience claim")
 	fs.BoolVar(&o.UseAzureRMTerraformEnv, "use-azurerm-env-vars", o.UseAzureRMTerraformEnv,
@@ -168,22 +168,6 @@ func (o *Options) Validate() error {
 		return fmt.Errorf("timeout must be greater than 0")
 	}
 
-	// Azure Pipelines login method validation
-	if o.LoginMethod == AzurePipelinesLogin {
-		if o.TenantID == "" {
-			return fmt.Errorf("tenant ID is required for azurepipelines login method")
-		}
-		if o.AzurePipelinesServiceConnectionID == "" {
-			return fmt.Errorf("--azure-pipelines-service-connection-id is required for --login azurepipelines")
-		}
-		if os.Getenv(env.SystemAccessToken) == "" {
-			return fmt.Errorf("environment variable %s not set; enable \"Allow scripts to access the OAuth token\" in the pipeline", env.SystemAccessToken)
-		}
-		if os.Getenv(env.SystemOIDCRequestURI) == "" {
-			return fmt.Errorf("environment variable %s not set; this should be automatically set by Azure Pipelines", env.SystemOIDCRequestURI)
-		}
-	}
-
 	return nil
 }
 
@@ -267,6 +251,25 @@ func (o *Options) UpdateFromEnv() {
 			o.AuthorityHost = v
 		}
 	}
+
+	if o.LoginMethod == AzurePipelinesLogin {
+		if o.ClientID == "" {
+			if v, ok := os.LookupEnv(env.AzureSubscriptionClientID); ok {
+				o.ClientID = v
+			}
+		}
+		if o.TenantID == "" {
+			if v, ok := os.LookupEnv(env.AzureSubscriptionTenantID); ok {
+				o.TenantID = v
+			}
+		}
+		if o.AzurePipelinesServiceConnectionID == "" {
+			if v, ok := os.LookupEnv(env.AzureSubscriptionServiceConnectionID); ok {
+				o.AzurePipelinesServiceConnectionID = v
+			}
+		}
+	}
+
 	if v, ok := os.LookupEnv("AZURE_CLI_TIMEOUT"); ok {
 		if timeout, err := time.ParseDuration(v); err == nil {
 			o.Timeout = timeout