- Added some new pipeline variables to handle the Workload Identity Federation test.

Author: paulmedynski

eng/pipelines/common/templates/steps/update-config-file-step.yml

@@ -124,6 +124,10 @@ parameters:
     type: boolean
     default: true
 
+  - name: WorkloadIdentityFederationServiceConnectionId
+    type: string
+    default: ''
+
 steps:
 # All properties should be added here, and this template should be used for any manipulation of the config.json file.
 - pwsh: |
@@ -180,6 +184,7 @@ steps:
         $p.IsDNSCachingSupportedCR=[System.Convert]::ToBoolean("${{parameters.IsDNSCachingSupportedCR }}")
         $p.TracingEnabled=[System.Convert]::ToBoolean("${{parameters.TracingEnabled }}")
         $p.EnclaveEnabled=[System.Convert]::ToBoolean("${{parameters.EnclaveEnabled }}")
+        $p.WorkloadIdentityFederationServiceConnectionId="${{parameters.WorkloadIdentityFederationServiceConnectionId }}"
     }
     $jdata | ConvertTo-Json | Set-Content "config.json"
   workingDirectory: src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities

eng/pipelines/jobs/test-azure-package-ci-job.yml

@@ -220,11 +220,13 @@ jobs:
           # necessary here.
 
           AADServicePrincipalId: $(AADServicePrincipalId)
+          AzureKeyVaultTenantId: $(AzureKeyVaultTenantId)
           # macOS doesn't support managed identities.
           ManagedIdentitySupported: ${{ not(eq(parameters.vmImage, 'macos-latest')) }}
           SupportsIntegratedSecurity: ${{ eq(variables['SupportsIntegratedSecurity'], 'true') }}
           TCPConnectionString: $(AZURE_DB_TCP_CONN_STRING)
           UserManagedIdentityClientId: $(UserManagedIdentityClientId)
+          WorkloadIdentityFederationServiceConnectionId: $(WorkloadIdentityFederationServiceConnectionId)
           # Note: Using the isFork variable to determine if secrets are
           # available is not ideal since it's an indirect association. But
           # everything else (referencing secret variables various ways to detect

src/Microsoft.Data.SqlClient.Extensions/Azure/test/Config.cs

@@ -45,8 +45,10 @@ internal static class Config
     internal static string SystemAccessToken { get; } = string.Empty;
     internal static bool SystemAssignedManagedIdentitySupported { get; } = false;
     internal static string TcpConnectionString { get; } = string.Empty;
+    internal static string TenantId { get; } = string.Empty;
     internal static bool UseManagedSniOnWindows { get; } = false;
     internal static string UserManagedIdentityClientId { get; } = string.Empty;
+    internal static string WorkloadIdentityFederationServiceConnectionId { get; } = string.Empty;
 
     #endregion
 
@@ -58,7 +60,9 @@ internal static bool HasIntegratedSecurityConnectionString() =>
     internal static bool HasServicePrincipal() => !ServicePrincipalId.Empty() && !ServicePrincipalSecret.Empty();
     internal static bool HasSystemAccessToken() => !SystemAccessToken.Empty();
     internal static bool HasTcpConnectionString() => !TcpConnectionString.Empty();
+    internal static bool HasTenantId() => !TenantId.Empty();
     internal static bool HasUserManagedIdentityClientId() => !UserManagedIdentityClientId.Empty();
+    internal static bool HasWorkloadIdentityFederationServiceConnectionId() => !WorkloadIdentityFederationServiceConnectionId.Empty();
 
     internal static bool SupportsIntegratedSecurity() => IntegratedSecuritySupported;
     internal static bool SupportsManagedIdentity() => ManagedIdentitySupported;
@@ -110,10 +114,14 @@ static Config()
             PasswordConnectionString = GetString(root, "AADPasswordConnectionString");
             ServicePrincipalId = GetString(root, "AADServicePrincipalId");
             ServicePrincipalSecret = GetString(root, "AADServicePrincipalSecret");
-            SystemAssignedManagedIdentitySupported = GetBool(root, "SupportsSystemAssignedManagedIdentity");
+            SystemAssignedManagedIdentitySupported =
+                GetBool(root, "SupportsSystemAssignedManagedIdentity");
             TcpConnectionString = GetString(root, "TCPConnectionString");
+            TenantId = GetString(root, "AzureKeyVaultTenantId");
             UseManagedSniOnWindows = GetBool(root, "UseManagedSNIOnWindows");
             UserManagedIdentityClientId = GetString(root, "UserManagedIdentityClientId");
+            WorkloadIdentityFederationServiceConnectionId =
+                GetString(root, "WorkloadIdentityFederationServiceConnectionId");
         }
         catch (Exception ex)
         {
@@ -151,10 +159,15 @@ static Config()
                 $"  SystemAssignedManagedIdentitySupported: {SystemAssignedManagedIdentitySupported}");
             Console.WriteLine(
                 $"  TcpConnectionString:                    {TcpConnectionString}");
+            Console.WriteLine(
+                $"  TenantId:                               {TenantId}");
             Console.WriteLine(
                 $"  UseManagedSniOnWindows:                 {UseManagedSniOnWindows}");
             Console.WriteLine(
                 $"  UserManagedIdentityClientId:            {UserManagedIdentityClientId}");
+            Console.WriteLine(
+                "  WorkloadIdentityFederationServiceConnectionId: " +
+                WorkloadIdentityFederationServiceConnectionId);
         }
 
         // Apply the SNI flag, if necessary.  This must occur before any MDS

src/Microsoft.Data.SqlClient.Extensions/Azure/test/WorkloadIdentityFederationTests.cs

@@ -10,26 +10,49 @@ namespace Microsoft.Data.SqlClient.Extensions.Azure.Test;
 // Workload Identity Federation authentication.
 public class WorkloadIdentityFederationTests
 {
-    [ConditionalFact(typeof(Config), nameof(Config.HasSystemAccessToken))]
+    [ConditionalFact(
+        typeof(Config),
+        nameof(Config.HasSystemAccessToken),
+        nameof(Config.HasTenantId),
+        nameof(Config.HasUserManagedIdentityClientId),
+        nameof(Config.HasWorkloadIdentityFederationServiceConnectionId))]
     public async void GetCredential()
     {
         AzurePipelinesCredential credential = new(
             // The tenant ID if the managed identity associated to our workload
             // identity federation service connection.  See:
             //
             // https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource/subscriptions/654fffd0-d02d-4894-b1b7-e2dfbc44a665/resourceGroups/aad-testlab-dl797892652000/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dotnetMSI/properties
-            "72f988bf-86f1-41af-91ab-2d7cd011db47",
+            //
+            // Note that we need a service connection configured in each Azure DevOps project
+            // (Public and ADO.Net) that uses this tenant ID.
+            //
+            Config.TenantId,
+
             // The client ID of the managed identity associated to our workload
             // identity federation service connection.  See:
             //
             // https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource/subscriptions/654fffd0-d02d-4894-b1b7-e2dfbc44a665/resourceGroups/aad-testlab-dl797892652000/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dotnetMSI/overview 
-            "92a44a21-5265-4fdd-9537-45b1cf54aa2d",
+            //
+            Config.UserManagedIdentityClientId,
 
             // The Azure Dev Ops service connection ID (resourceId found in the
             // URL) of our workload identity federation setup.  See:
             //
+            // Note that we need a service connection configured in each Azure
+            // DevOps project (Public and ADO.Net).
+            //
+            // Public project:
+            //
             // https://sqlclientdrivers.visualstudio.com/public/_settings/adminservices?resourceId=ec9623b2-829c-497f-ae1f-7461766f9a9c
-            "ec9623b2-829c-497f-ae1f-7461766f9a9c",
+            //
+            // ADO.Net project:
+            //
+            // https://sqlclientdrivers.visualstudio.com/ADO.Net/_settings/adminservices?resourceId=c29947a8-df6a-4ceb-b2d4-1676c57c37b9
+            //
+            Config.WorkloadIdentityFederationServiceConnectionId,
+
+            // The system access token provided by Azure Pipelines.
             Config.SystemAccessToken);
 
         // Acquire a token suitable for accessing Azure SQL databases.

src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/config.default.json

@@ -35,5 +35,6 @@
     "ManagedIdentitySupported": true,
     "UserManagedIdentityClientId": "",
     "PowerShellPath": "",
-    "AliasName": ""
+    "AliasName": "",
+    "WorkloadIdentityFederationServiceConnectionId": ""
 }