Documentation

Overview
Program tfoidc is a small adapter that exposes a GitHub Actions style OIDC token endpoint backed by an Azure DevOps service connection, so a client that already speaks the GitHub Actions token-endpoint protocol (the Terraform AzureRM provider, for instance) can obtain federated tokens from an Azure DevOps pipeline job. It can also continuously refresh the Azure CLI federated login, as the AzureCLI task would.
It requires the following environment variables to be set:
- AZURESUBSCRIPTION_SERVICE_CONNECTION_ID: the Azure DevOps service connection ID
- SYSTEM_ACCESSTOKEN: the Azure DevOps system access token
- SYSTEM_OIDCREQUESTURI: the Azure DevOps OIDC request URI
When the -refresh-az flag is passed, it also requires the following environment variables to be set, which should correspond to the configured Azure service connection:
- AZURESUBSCRIPTION_SUBSCRIPTION_ID: the Azure subscription ID
- AZURESUBSCRIPTION_CLIENT_ID: the Azure service principal client ID
- AZURESUBSCRIPTION_TENANT_ID: the Azure service principal tenant ID
The adapter listens only on the loopback address, http://127.0.0.1:27838, so it is reachable solely from processes on the same agent host. Every request must carry SYSTEM_ACCESSTOKEN as a Bearer token in the Authorization header; requests that present no token, or a different one, are rejected.
Configure the Terraform AzureRM provider to use this endpoint by setting the following environment variables for the Terraform process. ARM_OIDC_REQUEST_TOKEN must be the same value as SYSTEM_ACCESSTOKEN, because that is the bearer token the adapter checks; $(System.AccessToken) is the Azure Pipelines macro that expands to it:

    ARM_USE_OIDC=true
    ARM_OIDC_REQUEST_URL=http://localhost:27838/oidctoken
    ARM_OIDC_REQUEST_TOKEN=$(System.AccessToken)
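The following is an added example, not the tfoidc source and not code from the project, showing one way the endpoint described above can be implemented in Go: the handler checks the caller's bearer token against SYSTEM_ACCESSTOKEN in constant time, asks Azure DevOps to mint a token for the service connection, and returns it in the GitHub Actions token-endpoint shape. Two things are assumptions rather than facts from this page: the upstream Azure DevOps contract (POST to SYSTEM_OIDCREQUESTURI with api-version=7.1 and serviceConnectionId query parameters, bearer SYSTEM_ACCESSTOKEN, JSON response field oidcToken) and the response shape the Terraform provider expects (a JSON object with a single value field). The names Config, RequestOIDCToken, authorized and NewHandler are this example's own.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// Config holds the three values the adapter reads from the environment.
type Config struct {
	ServiceConnectionID string // AZURESUBSCRIPTION_SERVICE_CONNECTION_ID
	SystemAccessToken   string // SYSTEM_ACCESSTOKEN
	OIDCRequestURI      string // SYSTEM_OIDCREQUESTURI
}

// RequestOIDCToken asks Azure DevOps to mint a federated token for the service connection.
// Assumed upstream contract (not taken from the tfoidc source): POST
// {SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=<id> with SYSTEM_ACCESSTOKEN
// as bearer, answered with {"oidcToken": "<jwt>"}.
func RequestOIDCToken(ctx context.Context, client *http.Client, c Config) (string, error) {
	u := fmt.Sprintf("%s?api-version=7.1&serviceConnectionId=%s", c.OIDCRequestURI, url.QueryEscape(c.ServiceConnectionID))
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, u, http.NoBody)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+c.SystemAccessToken)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("azure devops oidc request returned %d", resp.StatusCode)
	}
	var out struct{ OIDCToken string `json:"oidcToken"` }
	// A JWT is a few KB; cap the read so a misbehaving upstream cannot exhaust memory.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&out); err != nil || out.OIDCToken == "" {
		return "", fmt.Errorf("azure devops oidc response had no oidcToken (%v)", err)
	}
	return out.OIDCToken, nil
}

// authorized accepts only "Authorization: bearer <SYSTEM_ACCESSTOKEN>" (scheme case-insensitive),
// compared in constant time so a local process cannot guess the token byte by byte.
func authorized(r *http.Request, expected string) bool {
	const prefix = "bearer "
	h := r.Header.Get("Authorization")
	if expected == "" || len(h) < len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(h[len(prefix):]), []byte(expected)) == 1
}

// NewHandler serves /oidctoken in the GitHub Actions token-endpoint shape the Terraform
// provider understands: a JSON object {"value": "<jwt>"}.
func NewHandler(c Config, client *http.Client) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/oidctoken", func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r, c.SystemAccessToken) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		tok, err := RequestOIDCToken(r.Context(), client, c)
		if err != nil {
			log.Printf("oidc token request failed: %v", err) // detail stays in the agent log
			http.Error(w, "upstream token request failed", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Cache-Control", "no-store")
		_ = json.NewEncoder(w).Encode(map[string]string{"value": tok})
	})
	return mux
}

func main() {
	c := Config{os.Getenv("AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"), os.Getenv("SYSTEM_ACCESSTOKEN"), os.Getenv("SYSTEM_OIDCREQUESTURI")}
	if c.ServiceConnectionID == "" || c.SystemAccessToken == "" || c.OIDCRequestURI == "" {
		log.Fatal("AZURESUBSCRIPTION_SERVICE_CONNECTION_ID, SYSTEM_ACCESSTOKEN and SYSTEM_OIDCREQUESTURI must all be set")
	}
	// Bind to loopback only, so nothing off the agent host can reach the endpoint.
	srv := &http.Server{
		Addr:              "127.0.0.1:27838",
		Handler:           NewHandler(c, &http.Client{Timeout: 30 * time.Second}),
		ReadHeaderTimeout: 5 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}
```

Two choices matter for the security of this shape: the listener is bound to 127.0.0.1 rather than 0.0.0.0, and the bearer check uses a constant-time comparison and never echoes the upstream error text to the caller, so a failing Azure DevOps call cannot leak its details to whatever process hit the port.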
When `-refresh-az` is set, the adapter also runs a refresh loop: every 8 minutes it obtains a fresh federated token and re-runs `az login` with it, followed by `az account set` for the configured subscription, as the AzureCLI task does at the start of a step. This keeps the Azure CLI session valid for long-running Terraform operations that authenticate through the Azure CLI, which would otherwise fail once the short-lived token obtained at step start expires.
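As an added example of the refresh loop just described, written for this page rather than taken from tfoidc, the Go program below fetches a token from the adapter the way the Terraform provider does, then runs the two az commands every interval until interrupted. The az flags (`az login --service-principal --username ... --tenant ... --federated-token ...` and `az account set --subscription ...`) are an assumption about how the AzureCLI task performs a federated login, as is the audience query parameter on the adapter request; the names AzLoginCommands, FetchFromAdapter and RefreshLoop are this example's own. The loop is written so that one failed cycle is logged and the previous az session is kept, instead of leaving Terraform with no login at all.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"os/exec"
	"os/signal"
	"time"
)

// AzLoginCommands returns, in order, the two az invocations one refresh cycle runs.
// The flags are an assumption about how the AzureCLI task logs in with a federated
// token, not taken from tfoidc's source. Note that the token is an argv element and is
// therefore visible in the agent's process table while az login runs.
func AzLoginCommands(clientID, tenantID, subscriptionID, token string) [][]string {
	return [][]string{
		{"az", "login", "--service-principal", "--username", clientID, "--tenant", tenantID, "--federated-token", token, "--output", "none"},
		{"az", "account", "set", "--subscription", subscriptionID},
	}
}

// FetchFromAdapter is the client side of the adapter: the same GET the Terraform provider
// makes, with SYSTEM_ACCESSTOKEN as bearer, expecting {"value": "<jwt>"} (assumed shape).
func FetchFromAdapter(ctx context.Context, client *http.Client, baseURL, systemAccessToken string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/oidctoken?audience=api://AzureADTokenExchange", http.NoBody)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "bearer "+systemAccessToken)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("adapter returned %d", resp.StatusCode)
	}
	var out struct{ Value string `json:"value"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Value == "" {
		return "", fmt.Errorf("adapter response had no value (%v)", err)
	}
	return out.Value, nil
}

// RefreshLoop logs in immediately, then again every interval, until ctx is done.
// fetch obtains a fresh federated token and run executes one argv; a failed cycle is
// logged and the previous az session is left in place rather than aborting the loop.
// It returns the number of successful cycles and the error from the last cycle, if any.
func RefreshLoop(ctx context.Context, interval time.Duration, clientID, tenantID, subscriptionID string,
	fetch func(context.Context) (string, error), run func(context.Context, []string) error) (int, error) {
	cycle := func() error {
		tok, err := fetch(ctx)
		if err != nil {
			return fmt.Errorf("fetch federated token: %w", err)
		}
		for _, argv := range AzLoginCommands(clientID, tenantID, subscriptionID, tok) {
			if err := run(ctx, argv); err != nil {
				return fmt.Errorf("%s %s: %w", argv[0], argv[1], err)
			}
		}
		return nil
	}
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	var ok int
	var lastErr error
	for {
		if lastErr = cycle(); lastErr != nil {
			log.Printf("az refresh failed, keeping previous session: %v", lastErr)
		} else {
			ok++
		}
		select {
		case <-ctx.Done():
			return ok, lastErr
		case <-ticker.C:
		}
	}
}

func main() {
	client := &http.Client{Timeout: 30 * time.Second}
	fetch := func(ctx context.Context) (string, error) {
		return FetchFromAdapter(ctx, client, "http://127.0.0.1:27838", os.Getenv("SYSTEM_ACCESSTOKEN"))
	}
	run := func(ctx context.Context, argv []string) error {
		cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
		return cmd.Run()
	}
	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
	defer stop()
	n, err := RefreshLoop(ctx, 8*time.Minute, os.Getenv("AZURESUBSCRIPTION_CLIENT_ID"),
		os.Getenv("AZURESUBSCRIPTION_TENANT_ID"), os.Getenv("AZURESUBSCRIPTION_SUBSCRIPTION_ID"), fetch, run)
	log.Printf("stopped after %d successful refreshes, last error: %v", n, err)
}
```

The program expects the adapter to already be listening on 127.0.0.1:27838 and the same SYSTEM_ACCESSTOKEN, AZURESUBSCRIPTION_CLIENT_ID, AZURESUBSCRIPTION_TENANT_ID and AZURESUBSCRIPTION_SUBSCRIPTION_ID variables the page lists for `-refresh-az`; it stops on SIGINT.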