To create an Azure service connection for ARM with a certificate, you need to supply a PEM certificate that includes Bag Attributes.
When you create an RSA key pair the Bag Attributes are omitted, as Bag Attributes are typically only included if the key pair was exported from a PKCS#12 container.
Include the Bag Attributes when creating the PEM file for the Azure DevOps service connection.
Why should you use a certificate credential over a password credential? (From the Azure Secure DevOps Kit)
Rationale: Password/shared secret credentials can be easily shared and hence can be easily compromised. Certificate credentials offer better security.
Description: Azure Active Directory applications which are used in pipelines must use certificate-based authentication.
Error messages you may encounter when adding an SPN with a certificate
You encounter this if you have not uploaded the correct public key for the app registration: _[Reason - The key was not found., Thumbprint of key used by client
Failed to obtain the Json Web Token(JWT) using service principal client ID. Exception message: Cannot find the requested object.
Failed to obtain the Json Web Token(JWT) using service principal client ID. Exception message: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
Correct type of certificate
I've created a previous example which creates the correct type of certificate, but you could do a similar version with the following commands (change the subj to match something you use)
- I didn't find a handy command to include the Bag Attributes without first going through a "pkcs12" pass-through, as it appends the Bag Attributes to the file.
openssl genrsa -out private1.pem 2048
openssl req -new -x509 -key private1.pem -out public1.pem -days 720 -subj "/C=FI/CN=spnforaad.localdom/OU=IT Department/"
openssl pkcs12 -inkey private1.pem -in public1.pem -export -out pack.pfx -passout "pass:mypass"
openssl pkcs12 -in pack.pfx -passin "pass:mypass" -out "PemWithBagAttributes.pem" -nodes
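Before pasting the PEM into the service connection, it is worth checking that it actually has the shape the errors above complain about: a Bag Attributes header, one certificate block, one private key block, and clean base64. The script below is an added example, not part of the original post; it uses a constructed sample whose base64 bodies are placeholders (they decode to the bytes "abc"), not real DER. The reported thumbprint is the SHA-1 over the certificate DER, which is what Azure AD shows for an uploaded public key and what the "Thumbprint of key used by client" in the error message refers to.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample of what "openssl pkcs12 ... -nodes" emits. The base64 bodies
# are placeholders encoding b"abc", NOT real DER; a real file has hundreds of bytes.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 02 03 04
subject=C = FI, CN = spnforaad.localdom, OU = IT Department
issuer=C = FI, CN = spnforaad.localdom, OU = IT Department
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
YWJj
-----END PRIVATE KEY-----
"""

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def check_service_connection_pem(pem_text: str) -> dict:
    """Pre-flight check for the PEM pasted into an ARM service connection.

    Returns {"ok": bool, "errors": [str], "thumbprint": hex string or None}.
    The thumbprint is SHA-1 over the certificate DER, comparable with the one
    listed under the app registration's certificates in Azure AD.
    """
    errors = []
    if "Bag Attributes" not in pem_text:
        errors.append("missing 'Bag Attributes' header (export via the pkcs12 pass-through)")
    blocks = {}
    for label, body in BLOCK_RE.findall(pem_text):
        try:
            # strict decoding catches the "not a valid Base-64 string" failure early
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            errors.append(f"{label} block is not valid base64")
            continue
        blocks.setdefault(label, []).append(der)
    certs = blocks.get("CERTIFICATE", [])
    if len(certs) != 1:
        errors.append("expected exactly one CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in blocks):
        errors.append("no PRIVATE KEY block; the service connection needs the key as well")
    thumb = hashlib.sha1(certs[0]).hexdigest().upper() if len(certs) == 1 else None
    return {"ok": not errors, "errors": errors, "thumbprint": thumb}
```

Run it against the real PemWithBagAttributes.pem and compare the printed thumbprint with the one shown on the app registration before creating the connection.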
Upload the public key to Azure AD
You can follow a previous guide I've written here. If you used the openssl commands above, use the public key "public1.pem" in the upload dialog for the Azure AD app.
It's recommended to test the token retrieval locally before proceeding to the next phase.
Create service connection (GUI)
Before creating the service connection you need to assign the SPN to the appropriate subscription and role.
Paste the contents of "PemWithBagAttributes.pem" into the certificate selection.
Create service connection (AZ CLI with PowerShell)
az devops login --org https://dev.azure.com/yourOrganization
az devops service-endpoint azurerm create `
    --azure-rm-service-principal-certificate-path C:\git\aadClientCredWithCert\PemWithBagAttributes.pem `
    --azure-rm-tenant-id "46d2c4e6-a732-4fb4-b9f8-374af03f3f58" `
    --azure-rm-subscription-id "MYGUIDID" `
    --azure-rm-service-principal-id "010ef950-c02b-47d8-87a1-cbc6de2145b9" `
    --name "CertConnection" `
    --azure-rm-subscription-name "MySub" `
    --project "MyProject"
Create an Azure Resource Manager service connection using automated security
- This option unfortunately uses the password credential option by default.
- The SPN can also be a Managed Identity, but last time I checked it required the agent to be on a VM.