
Setting Up an ARM Service Connection for Azure DevOps with Workload Identity Federation


Posted 01 January 2024
By Ramy RZEM 8 min read

Introduction to Workload Identity Federation 🔐

Modern DevOps practices require seamless integration between various services and infrastructure providers. One crucial integration for Azure DevOps users is establishing a service connection to Azure Resource Manager (ARM), especially using the security-enhanced method of workload identity federation.
This article guides you through creating an ARM service connection leveraging workload identity federation.

What is Workload Identity Federation, and why use it?

Say goodbye to expired Secrets and rotation! 🔑
Unleash the Power of Identity Federation in Azure DevOps 💫

The older practice was to create an ARM service connection with a service principal and a client secret; that secret expires and has to be renewed, which is an ongoing management task for an organisation.
Workload identity federation allows Azure DevOps to access Azure resources securely without storing any credentials in Azure DevOps. Instead, it uses federated identities, which provide a more secure and lower-maintenance approach to service-to-service authentication.

  • Security: No need to manage or rotate secrets, reducing the risk of credentials leakage.
  • Maintenance: Eliminates the need for periodic secret rotation tasks.
  • Compliance: Meets stringent compliance requirements for identity and access management.

Prerequisites

Before you start, ensure you have the following:

  • An Azure subscription and a Microsoft Entra ID tenant.
  • An Azure DevOps organization.
  • The workload identity federation feature enabled for the Azure DevOps organization.
  • The necessary permissions to create service connections in Azure DevOps.
  • An Azure subscription with the required permissions to configure identity federation.

Step-by-Step Guide to Create an ARM Service Connection

  1. In Azure DevOps, confirm that the federation feature is enabled: open User settings > Preview features at the organization level.

  2. Create a new service connection.

  3. Configure the Azure AD application.
  4. Grant access to the Azure resources.
  5. Create the ARM service connection in Azure DevOps.
  6. Verify the connection.
  7. Use the service connection in your pipelines.

There are several ways to set up federation, depending on whether you are creating new service connections or already have service connections that use secrets, which can be converted to workload identity federation.
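To show what steps 3 and 4 look like when done manually with the Azure CLI, here is an added example (not part of the original post or of any Microsoft tooling). It assumes placeholder values for the Azure DevOps organization GUID and name, project, service connection name and subscription ID; the issuer and subject formats are the ones Azure DevOps displays for a workload-identity service connection.

```shell
#!/usr/bin/env sh
# Added example: manual workload identity federation setup for an Azure DevOps
# ARM service connection. No client secret is created at any point.
# All organization/project/subscription values are assumed placeholders.

# Azure DevOps presents itself to Entra ID as this OIDC issuer; the argument is
# the organization GUID shown in the service connection's "Issuer" field.
ado_issuer() {
  printf 'https://vstoken.dev.azure.com/%s' "$1"
}

# The subject claim binds the federated credential to exactly one service
# connection: sc://<organization-name>/<project>/<service-connection-name>.
ado_subject() {
  printf 'sc://%s/%s/%s' "$1" "$2" "$3"
}

# In-line JSON body for `az ad app federated-credential create --parameters`.
# The audience is the fixed value Entra ID expects for token exchange.
fedcred_json() {
  org_id=$1; org_name=$2; project=$3; sc_name=$4
  printf '{"name":"ado-%s","issuer":"%s","subject":"%s","audiences":["api://AzureADTokenExchange"]}' \
    "$sc_name" "$(ado_issuer "$org_id")" "$(ado_subject "$org_name" "$project" "$sc_name")"
}

# Step 3 and 4: app registration, federated credential, service principal and
# an RBAC role assignment. Requires a logged-in Azure CLI; prints the app ID,
# which is what the Azure DevOps service connection form asks for in step 5.
create_federation() {
  org_id=$1; org_name=$2; project=$3; sc_name=$4; subscription_id=$5
  app_id=$(az ad app create --display-name "ado-$sc_name" --query appId -o tsv)
  az ad app federated-credential create --id "$app_id" \
    --parameters "$(fedcred_json "$org_id" "$org_name" "$project" "$sc_name")"
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  # Least privilege: scope the role to the resource group or subscription the
  # pipelines actually deploy to, and pick the narrowest role that works.
  az role assignment create --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal --role Contributor \
    --scope "/subscriptions/$subscription_id"
  echo "$app_id"
}

# Usage (placeholders): create_federation <org-guid> contoso MyProject arm-wif <subscription-id>
```

Because the federated credential only accepts tokens whose issuer and subject match, a token minted for another project or service connection is rejected by Entra ID during the exchange.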

Conclusion:

Creating an ARM service connection using workload identity federation is a forward-thinking approach that can significantly boost your project's security posture.
For detailed instructions and more information, refer to the official Microsoft documentation.