Use common OIDC token env vars for identity live tests (Azure#47869)

Author: benbp

eng/pipelines/templates/jobs/live.tests.yml

@@ -57,6 +57,9 @@ parameters:
   - name: UseFederatedAuth
     type: boolean
     default: true
+  - name: PersistOidcToken
+    type: boolean
+    default: false
 
 jobs:
   - job:
@@ -142,6 +145,7 @@ jobs:
               SubscriptionConfiguration: $(SubscriptionConfiguration)
               ArmTemplateParameters: $(ArmTemplateParameters)
               UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
+              PersistOidcToken: ${{ parameters.PersistOidcToken }}
               ServiceConnection: ${{ parameters.CloudConfig.ServiceConnection }}
               SubscriptionConfigurationFilePaths: ${{ parameters.CloudConfig.SubscriptionConfigurationFilePaths }}
               EnvVars:
@@ -197,6 +201,8 @@ jobs:
           env:
             AZURE_TEST_MODE: $(TestMode)
             SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+            ${{ if parameters.PersistOidcToken }}:
+              ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN)
             ${{ each var in parameters.EnvVars }}:
               ${{ var.key }}: ${{ var.value }}
 

eng/pipelines/templates/stages/archetype-sdk-tests.yml

@@ -103,6 +103,9 @@ parameters:
   - name: UseFederatedAuth
     type: boolean
     default: true
+  - name: PersistOidcToken
+    type: boolean
+    default: false
 
 extends:
   template: /eng/pipelines/templates/stages/1es-redirect.yml
@@ -143,6 +146,7 @@ extends:
                       TestSetupSteps: ${{ parameters.TestSetupSteps }}
                       DeployTestResources: ${{ parameters.DeployTestResources }}
                       UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
+                      PersistOidcToken: ${{ parameters.PersistOidcToken }}
                     MatrixConfigs:
                       # Enumerate platforms and additional platforms based on supported clouds (sparse platform<-->cloud matrix).
                       - ${{ each config in parameters.MatrixConfigs }}:

sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs

@@ -21,8 +21,8 @@ public ManagedIdentityAKSIntegrationTests(bool isAsync) : base(isAsync)
 
         public void SetupKubernetesEnvironment()
         {
-            string sp = Environment.GetEnvironmentVariable("ARM_CLIENT_ID");
-            string tenant = Environment.GetEnvironmentVariable("ARM_TENANT_ID");
+            string sp = Environment.GetEnvironmentVariable("IDENTITY_CLIENT_ID");
+            string tenant = Environment.GetEnvironmentVariable("IDENTITY_TENANT_ID");
             string oidc = Environment.GetEnvironmentVariable("ARM_OIDC_TOKEN");
             string rg = Environment.GetEnvironmentVariable("IDENTITY_RESOURCE_GROUP");
             string aks = Environment.GetEnvironmentVariable("IDENTITY_AKS_CLUSTER_NAME");

sdk/identity/test-resources-pre.ps1

@@ -8,10 +8,11 @@ param (
     [ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
     [string] $TestApplicationId,
 
-    [Parameter()]
-    [string] $TestApplicationSecret,
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $Environment,
 
-    [Parameter(ParameterSetName = 'Provisioner', Mandatory = $true)]
+    [Parameter(Mandatory = $true)]
     [ValidateNotNullOrEmpty()]
     [string] $TenantId
 )
@@ -23,9 +24,11 @@ $sshKey = Get-Content $PSScriptRoot/sshKey.pub
 
 $templateFileParameters['sshPubKey'] = $sshKey
 
-# Get the max version that is not preview and then get the name of the patch version with the max value
+az cloud set --name $Environment
 az login --service-principal -u $TestApplicationId --tenant $TenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN
-$versions = az aks get-versions -l westus -o json | ConvertFrom-Json
+# Get the max version that is not preview and then get the name of the patch version with the max value
+$region = if ($Environment -eq 'AzureUSGovernment') { 'usgovvirginia' } elseif ($Environment -eq 'AzureChinaCloud') { 'chinanorth3' } else { 'westus' }
+$versions = az aks get-versions -l $region -o json | ConvertFrom-Json
 Write-Host "AKS versions: $($versions | ConvertTo-Json -Depth 100)"
 $patchVersions = $versions.values | Where-Object { $_.isPreview -eq $null } | Select-Object -ExpandProperty patchVersions
 Write-Host "AKS patch versions: $($patchVersions | ConvertTo-Json -Depth 100)"
@@ -61,4 +64,4 @@ Write-Host "##vso[task.setvariable variable=IDENTITY_SP_CERT_SNI;]$sniPath"
 # Set for local
 $env:IDENTITY_SP_CERT_PFX = $pfxPath
 $env:IDENTITY_SP_CERT_PEM = $pemPath
-$env:IDENTITY_SP_CERT_SNI = $sniPath
+$env:IDENTITY_SP_CERT_SNI = $sniPath

sdk/identity/test-resources.bicep

@@ -1,6 +1,12 @@
 @description('The client OID to grant access to test resources.')
 param testApplicationOid string
 
+@description('The client ID to grant access to test resources.')
+param testApplicationId string
+
+@description('The tenant ID to grant access to test resources.')
+param tenantId string
+
 @minLength(6)
 @maxLength(50)
 @description('The base resource name.')
@@ -235,7 +241,7 @@ resource newCluster 'Microsoft.ContainerService/managedClusters@2023-06-01' = {
       {
         name: 'agentpool'
         count: 1
-        vmSize: 'Standard_D2s_v3'
+        vmSize: 'Standard_D2s_v4'
         osDiskSizeGB: 128
         osDiskType: 'Managed'
         kubeletDiskType: 'OS'
@@ -268,6 +274,8 @@ resource newCluster 'Microsoft.ContainerService/managedClusters@2023-06-01' = {
   }
 }
 
+output IDENTITY_TENANT_ID string = tenantId
+output IDENTITY_CLIENT_ID string = testApplicationId
 output IDENTITY_WEBAPP_NAME string = web.name
 output IDENTITY_USER_DEFINED_IDENTITY string = usermgdid.id
 output IDENTITY_USER_DEFINED_IDENTITY_CLIENT_ID string = usermgdid.properties.clientId

sdk/identity/tests.yml

@@ -3,23 +3,8 @@ trigger: none
 extends:
   template: /eng/pipelines/templates/stages/archetype-sdk-tests.yml
   parameters:
-    PreSteps:
-      - task: AzureCLI@2
-        displayName: Set OIDC variables
-        env:
-          ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN)
-          ARM_CLIENT_ID: $(ARM_CLIENT_ID)
-          ARM_TENANT_ID: $(ARM_TENANT_ID)
-        inputs:
-          azureSubscription: azure-sdk-tests
-          scriptType: pscore
-          scriptLocation: inlineScript
-          addSpnToEnvironment: true
-          inlineScript: |
-            Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$($env:servicePrincipalId)"
-            Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$($env:tenantId)"
-            Write-Host "##vso[task.setvariable variable=ARM_OIDC_TOKEN;issecret=true]$($env:idToken)"
     TimeoutInMinutes: 120
+    PersistOidcToken: true
     AdditionalMatrixConfigs:
       - Name: identity_msi
         Path: sdk/identity/platform-matrix.json
@@ -28,10 +13,7 @@ extends:
     ServiceDirectory: identity
     CloudConfig:
       Public:
+        Location: westus2
         SubscriptionConfigurations:
           # Contains alternate tenant, AAD app and cert info for testing
           - $(sub-config-identity-test-resources)
-    EnvVars:
-      ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN)
-      ARM_CLIENT_ID: $(ARM_CLIENT_ID)
-      ARM_TENANT_ID: $(ARM_TENANT_ID)