The Azure DevOps provider supports service principals through a variety of authentication methods, including workload identity federation from any OIDC compliant token issuer.
1. Create a service principal in Azure portal or using Azure PowerShell. Ignore steps about application roles and certificates.
2. Configure your app registration to trust your identity provider.
3. Add the service principal to your Azure DevOps Organization.
The `use_oidc` attribute must be set to `true` to authenticate with an OIDC token.
The provider will need the Directory (tenant) ID and the Application (client) ID from the Azure AD app registration. They may be provided via the `ARM_TENANT_ID` and `ARM_CLIENT_ID` environment variables, or in the provider configuration block with the `tenant_id` and `client_id` attributes.
The token may be provided as a base64 encoded string, or by a file on the filesystem, with the `ARM_OIDC_TOKEN` or `ARM_OIDC_TOKEN_FILE_PATH` environment variables, or in the provider configuration block with the `oidc_token` or `oidc_token_file_path` attributes.
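A token whose claims do not match the federated credential configured on the app registration is rejected at the token exchange, so it is worth checking the token before Terraform runs. The following pre-flight check is an added example, not part of the provider or its docs: it reads the token from the same two sources the provider uses (`ARM_OIDC_TOKEN` or `ARM_OIDC_TOKEN_FILE_PATH`), decodes the payload, and compares issuer, subject, audience and expiry against the trust settings. The expected issuer, subject and audience below are constructed sample values; `make_sample_token` exists only to build an unsigned token for offline testing.

```python
import base64
import json
import os
import time

# Expected values mirror the federated credential on the app registration.
# These are constructed sample values; replace them with your own trust settings.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_SUBJECT = "repo:my-org/my-repo:ref:refs/heads/main"
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    # Read the payload only. Entra ID verifies the signature during the token
    # exchange; this pre-flight check only confirms we present the right token.
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_claims(claims, now=None):
    # Return the list of mismatches; an empty list means the token fits the trust.
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"iss={claims.get('iss')!r}, expected {EXPECTED_ISSUER!r}")
    if claims.get("sub") != EXPECTED_SUBJECT:
        problems.append(f"sub={claims.get('sub')!r}, expected {EXPECTED_SUBJECT!r}")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud={aud!r}, expected {EXPECTED_AUDIENCE!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no usable exp claim")
    return problems

def make_sample_token(claims):
    # Builds an unsigned token with the given claims, for offline testing only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    # Same two sources the provider reads: ARM_OIDC_TOKEN or ARM_OIDC_TOKEN_FILE_PATH.
    raw = os.environ.get("ARM_OIDC_TOKEN") or open(os.environ["ARM_OIDC_TOKEN_FILE_PATH"]).read()
    found = check_claims(decode_claims(raw))
    print("\n".join(f"claim mismatch: {p}" for p in found) or "token matches federated credential")
    raise SystemExit(1 if found else 0)
```

Run it as a step before `terraform init` in the same environment that sets the token variables; a non-zero exit stops the job with the offending claim named.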
When running Terraform in GitHub Actions, the provider will detect the `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variables set by the GitHub Actions runtime. You can also specify the `ARM_OIDC_REQUEST_TOKEN` and `ARM_OIDC_REQUEST_URL` environment variables.
For GitHub Actions workflows, you'll need to ensure the workflow has `write` permissions for the `id-token`.

```yaml
permissions:
  id-token: write
```
For more information about OIDC in GitHub Actions, see the official documentation.
```hcl
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = ">=0.1.0"
    }
  }
}

# OIDC token read from a file on the filesystem.
provider "azuredevops" {
  org_service_url      = "https://dev.azure.com/my-org"
  client_id            = "00000000-0000-0000-0000-000000000001"
  tenant_id            = "00000000-0000-0000-0000-000000000001"
  oidc_token_file_path = "C:\\my_oidc_token.txt"
  use_oidc             = true
}

resource "azuredevops_project" "project" {
  name        = "Test Project"
  description = "Test Project Description"
}
```
```hcl
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = ">=0.1.0"
    }
  }
}

# OIDC token passed inline as a base64 encoded string.
provider "azuredevops" {
  org_service_url = "https://dev.azure.com/my-org"
  client_id       = "00000000-0000-0000-0000-000000000001"
  tenant_id       = "00000000-0000-0000-0000-000000000001"
  oidc_token      = "top-secret-base64-encoded-oidc-token-string"
  use_oidc        = true
}

resource "azuredevops_project" "project" {
  name        = "Test Project"
  description = "Test Project Description"
}
```
```hcl
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = ">=0.1.0"
    }
  }
}

# No token attribute: the provider requests the token itself from the
# ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN (or ARM_OIDC_REQUEST_*)
# environment variables set in the GitHub Actions runtime.
provider "azuredevops" {
  org_service_url = "https://dev.azure.com/my-org"
  client_id       = "00000000-0000-0000-0000-000000000001"
  tenant_id       = "00000000-0000-0000-0000-000000000001"
  use_oidc        = true
}

resource "azuredevops_project" "project" {
  name        = "Test Project"
  description = "Test Project Description"
}
```
```hcl
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = ">=0.1.0"
    }
  }
}

# Separate client and tenant IDs for the plan and apply phases.
provider "azuredevops" {
  org_service_url = "https://dev.azure.com/my-org"
  client_id_plan  = "00000000-0000-0000-0000-000000000001"
  client_id_apply = "00000000-0000-0000-0000-000000000001"
  tenant_id_plan  = "00000000-0000-0000-0000-000000000001"
  tenant_id_apply = "00000000-0000-0000-0000-000000000001"
  use_oidc        = true
}

resource "azuredevops_project" "project" {
  name        = "Test Project"
  description = "Test Project Description"
}
```