dotnet · lbussell · May 29, 2025 · May 28, 2025 · May 28, 2025 · May 28, 2025
@@ -17,6 +17,9 @@ parameters:
 - name: stages
   type: stageList
   default: []
+- name: serviceConnections
+  type: object
+  default: []
 - name: pool
   type: object
   default:
@@ -59,4 +62,9 @@ extends:
         sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }}
         tsa:
           enabled: true
-    stages: ${{ parameters.stages }}
+    stages:
+    - template: /eng/common/templates/stages/setup-service-connections.yml@self
+      parameters:
+        pool: ${{ parameters.pool }}
+        serviceConnections: ${{ parameters.serviceConnections }}
+    - ${{ parameters.stages }}
@@ -20,6 +20,9 @@ parameters:
   type: stageList
   default: []
   # 1ES Pipeline Template parameters
+- name: serviceConnections
+  type: object
+  default: []
 - name: pool
   type: object
   default:
@@ -67,4 +70,9 @@ extends:
         sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }}
         tsa:
           enabled: true
-    stages: ${{ parameters.stages }}
+    stages:
+    - template: /eng/common/templates/stages/setup-service-connections.yml@self
+      parameters:
+        pool: ${{ parameters.pool }}
+        serviceConnections: ${{ parameters.serviceConnections }}
+    - ${{ parameters.stages }}
@@ -65,10 +65,14 @@ jobs:
     parameters:
       name: BuildImages
       displayName: Build Images
-      serviceConnection: $(build.serviceConnectionName)
+      serviceConnections:
+      - name: acr
+        id: $(build.serviceConnection.id)
+        tenantId: $(build.serviceConnection.tenantId)
+        clientId: $(build.serviceConnection.clientId)
       internalProjectName: ${{ parameters.internalProjectName }}
       dockerClientOS: ${{ parameters.dockerClientOS }}
-      args: >
+      args: >-
         build
         --manifest $(manifest)
         $(imageBuilderPaths)

@@ -24,7 +24,10 @@ jobs:
     additionalOptions: ${{ parameters.additionalOptions }}
     acr:
       server: $(acr-staging.server)
-      serviceConnection: $(internal-mirror.serviceConnectionName)
+      serviceConnection:
+        tenantId: $(internal-mirror.serviceConnection.tenantId)
+        clientId: $(internal-mirror.serviceConnection.clientId)
+        id: $(internal-mirror.serviceConnection.id)
       subscription: $(acr-staging.subscription)
       resourceGroup: $(acr-staging.resourceGroup)
     repoPrefix: $(mirrorRepoPrefix)
@@ -61,6 +61,10 @@ jobs:
     parameters:
       name: matrix
       displayName: Generate ${{ parameters.matrixType }} Matrix
-      serviceConnection: $(build.serviceConnectionName)
+      serviceConnections:
+      - name: acr
+        tenantId: $(build.serviceConnection.tenantId)
+        clientId: $(build.serviceConnection.clientId)
+        id: $(build.serviceConnection.id)
       internalProjectName: internal
       args: $(generateBuildMatrixCommand)
@@ -13,7 +13,7 @@ jobs:
 
   variables:
   - name: imageBuilder.commonCmdArgs
-    value: >
+    value: >-
       --manifest '$(manifest)'
       --registry-override '$(acr.server)'
       $(manifestVariables)
@@ -75,9 +75,13 @@ jobs:
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
       displayName: Copy Images
-      serviceConnection: $(publish.serviceConnectionName)
+      serviceConnections:
+      - name: acr
+        id: $(publish.serviceConnection.id)
+        tenantId: $(publish.serviceConnection.tenantId)
+        clientId: $(publish.serviceConnection.clientId)
       internalProjectName: ${{ parameters.internalProjectName }}
-      args: >
+      args: >-
         copyAcrImages
         '$(acr.subscription)'
         '$(acr.resourceGroup)'
@@ -94,10 +98,14 @@ jobs:
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
       displayName: Publish Manifest
-      serviceConnection: $(publish.serviceConnectionName)
+      serviceConnections:
+      - name: acr
+        id: $(publish.serviceConnection.id)
+        tenantId: $(publish.serviceConnection.tenantId)
+        clientId: $(publish.serviceConnection.clientId)
       internalProjectName: ${{ parameters.internalProjectName }}
       dockerClientOS: ${{ parameters.dockerClientOS }}
-      args: >
+      args: >-
         publishManifest
         '$(imageInfoContainerDir)/image-info.json'
         --repo-prefix '$(publishRepoPrefix)'
@@ -152,10 +160,14 @@ jobs:
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
       displayName: Ingest Kusto Image Info
-      serviceConnection: $(kusto.serviceConnectionName)
+      serviceConnections:
+      - name: kusto
+        id: $(kusto.serviceConnection.id)
+        tenantId: $(kusto.serviceConnection.tenantId)
+        clientId: $(kusto.serviceConnection.clientId)
       internalProjectName: ${{ parameters.internalProjectName }}
       condition: and(succeeded(), eq(variables['ingestKustoImageInfo'], 'true'))
-      args: >
+      args: >-
         ingestKustoImageInfo
         '$(imageInfoContainerDir)/image-info.json'
         '$(kusto.cluster)'
@@ -170,10 +182,14 @@ jobs:
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
       displayName: Generate EOL Annotation Data
-      serviceConnection: $(publish.serviceConnectionName)
+      serviceConnections:
+      - name: acr
+        id: $(publish.serviceConnection.id)
+        tenantId: $(publish.serviceConnection.tenantId)
+        clientId: $(publish.serviceConnection.clientId)
       internalProjectName: internal
       condition: and(succeeded(), eq(variables['publishEolAnnotations'], 'true'))
-      args: >
+      args: >-
         generateEolAnnotationData
         '$(artifactsPath)/eol-annotation-data/eol-annotation-data.json'
         '$(imageInfoContainerDir)/full-image-info-orig.json'

@@ -49,6 +49,7 @@ parameters:
 stages:
 - stage: Build
   condition: and(succeeded(), contains(variables['stages'], 'build'))
+  dependsOn: []
   jobs:
   - template: /eng/common/templates/jobs/test-images-linux-client.yml@self
     parameters:

@@ -0,0 +1,34 @@
+# This stage exists to tell Azure DevOps about all of the service connections
+# that will be used in the pipeline. A service connection will not work unless
+# it is declared in this stage's parameters, even if your pipeline has already
+# been granted access to the service connection. This stage also does not need
+# to complete before the service connection is used.
+parameters:
+- name: pool
+  type: object
+# serviceConnections object shape:
+# - name: string
+- name: serviceConnections
+  type: object
+  default: []
+
+stages:
+
+- stage: SetupServiceConnectionsStage
+  displayName: Setup service connections
+  jobs:
+
+  - job: SetupServiceConnectionsJob
+    displayName: Setup service connections
+    pool: ${{ parameters.pool }}
+    steps:
+
+    - ${{ each serviceConnection in parameters.serviceConnections }}:
+      - task: AzureCLI@2
+        displayName: Setup ${{ serviceConnection.name }}
+        inputs:
+          azureSubscription: ${{ serviceConnection.name }}
+          scriptType: pscore
+          scriptLocation: inlineScript
+          inlineScript: |
+            az account show
@@ -7,10 +7,14 @@ steps:
     parameters:
       name: AnnotateEOLImages
       displayName: Annotate EOL Images
-      serviceConnection: $(publish.serviceConnectionName)
+      serviceConnections:
+      - name: acr
+        id: $(publish.serviceConnection.id)
+        tenantId: $(publish.serviceConnection.tenantId)
+        clientId: $(publish.serviceConnection.clientId)
       internalProjectName: internal
       condition: and(succeeded(), eq(variables['publishEolAnnotations'], 'true'))
-      args: >
+      args: >-
         annotateEolDigests
         ${{ parameters.dataFile }}
         $(acr.server)
@@ -28,9 +32,13 @@ steps:
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
       displayName: Wait for Annotation Ingestion
-      serviceConnection: $(marStatus.serviceConnectionName)
+      serviceConnections:
+      - name: mar
+        id: $(marStatus.serviceConnection.id)
+        tenantId: $(marStatus.serviceConnection.tenantId)
+        clientId: $(marStatus.serviceConnection.clientId)
       internalProjectName: internal
       condition: and(succeeded(), eq(variables['publishEolAnnotations'], 'true'))
-      args: >
+      args: >-
         waitForMarAnnotationIngestion
         $(artifactsPath)/annotation-digests/annotation-digests.txt
@@ -11,9 +11,13 @@ steps:
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
       displayName: Clean ACR Images - ${{ parameters.repo }}
-      serviceConnection: $(clean.serviceConnectionName)
+      serviceConnections:
+      - name: acr
+        id: $(clean.serviceConnection.id)
+        tenantId: $(clean.serviceConnection.tenantId)
+        clientId: $(clean.serviceConnection.clientId)
       internalProjectName: ${{ parameters.internalProjectName }}
-      args: >
+      args: >-
         cleanAcrImages
         ${{ parameters.repo }}
         ${{ parameters.subscription }}

@@ -3,7 +3,10 @@ parameters:
   type: object
   default:
     server: ""
-    serviceConnection: ""
+    serviceConnection:
+      tenantId: ""
+      clientId: ""
+      id: ""
     subscription: ""
     resourceGroup: ""
 - name: repoPrefix
@@ -25,13 +28,17 @@ steps:
 - template: /eng/common/templates/steps/run-imagebuilder.yml@self
   parameters:
     displayName: Copy Base Images
-    serviceConnection: ${{ parameters.acr.serviceConnection }}
+    serviceConnections:
+    - name: "acr"
+      tenantId: ${{ parameters.acr.serviceConnection.tenantId }}
+      clientId: ${{ parameters.acr.serviceConnection.clientId }}
+      id: ${{ parameters.acr.serviceConnection.id }}
     continueOnError: ${{ parameters.continueOnError }}
     internalProjectName: 'internal'
     # Use environment variable to reference $(dryRunArg). Since $(dryRunArg) might be undefined,
     # PowerShell will treat the Azure Pipelines variable macro syntax as a command and throw an
     # error
-    args: >
+    args: >-
       copyBaseImages
       '${{ parameters.acr.subscription }}'
       '${{ parameters.acr.resourceGroup }}'

@@ -24,26 +24,27 @@ steps:
   # Setup Image Builder (Optional)
   ################################################################################
 - ${{ if eq(parameters.setupImageBuilder, 'true') }}:
+
   - script: $(engCommonPath)/pull-image.sh $(imageNames.imageBuilder)
     displayName: Pull Image Builder
     condition: and(succeeded(), ${{ parameters.condition }})
-  - script: >
+
+  - script: >-
       docker build
       -t $(imageNames.imageBuilder.withrepo)
       --build-arg IMAGE=$(imageNames.imageBuilder)
       -f $(engCommonPath)/Dockerfile.WithRepo .
     displayName: Build Image for Image Builder
     condition: and(succeeded(), ${{ parameters.condition }})
+
   - task: PowerShell@2
     displayName: Define ImageBuilder Command Variables
     condition: and(succeeded(), ${{ parameters.condition }})
     inputs:
       targetType: 'inline'
       script: |
-        $tokenHostPath = '$(Agent.TempDirectory)'
-        $tokenHostFilePath = "${tokenHostPath}/token"
-        $tokenContainerPath = "/tmp"
-        $tokenContainerFilePath = "${tokenContainerPath}/token"
+        $imageBuilderImageName = "$(imageNames.imageBuilder.withrepo)"
+        Write-Host "##vso[task.setvariable variable=imageBuilderImageName]$imageBuilderImageName"
 
         $dockerRunBaseCmd = @(
           "docker run --rm"
@@ -58,10 +59,8 @@ steps:
         )
 
         $authedDockerRunArgs = @(
-          '-e AZURE_TENANT_ID=$env:tenantId'
-          '-e AZURE_CLIENT_ID=$env:servicePrincipalId'
-          "-e AZURE_FEDERATED_TOKEN_FILE=$tokenContainerFilePath"
-          "-v ${tokenHostPath}:${tokenContainerPath}"
+          '-e SYSTEM_ACCESSTOKEN=$(System.AccessToken)'
+          '-e SYSTEM_OIDCREQUESTURI=$(System.OidcRequestUri)'
         )
 
         $dockerRunCmd = $dockerRunBaseCmd + $dockerRunArgs
@@ -72,7 +71,6 @@ steps:
 
         Write-Host "##vso[task.setvariable variable=runImageBuilderCmd]$runImageBuilderCmd"
         Write-Host "##vso[task.setvariable variable=runAuthedImageBuilderCmd]$runAuthedImageBuilderCmd"
-        Write-Host "##vso[task.setvariable variable=tokenHostFilePath]$tokenHostFilePath"
 
   ################################################################################
   # Setup Test Runner (Optional)