ESRP federated credential update (move to AME) (#3261)

Author: cheenamalhotra

eng/pipelines/akv-official-pipeline.yml

@@ -133,12 +133,12 @@ extends:
                         nugetPackageVersion: '${{ variables.nugetPackageVersion }}'
                         mdsPackageVersion: '${{ variables.mdsPackageVersion }}'
                         publishSymbols: '${{ parameters.publishSymbols }}'
-                        signingAppRegistrationClientId: '$(SigningAppRegistrationClientId)'
-                        signingAppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
-                        signingAkvName: '$(SigningAkvName)'
-                        signingAuthCertName: '$(SigningAuthCertName)'
-                        signingConnectedServiceName: '$(SigningConnectedServiceName)'
-                        signingSignCertName: '$(SigningSignCertName)'
+                        ESRPConnectedServiceName: '$(ESRPConnectedServiceName)'
+                        AppRegistrationClientId: '$(AppRegistrationClientId)'
+                        AppRegistrationTenantId: '$(AppRegistrationTenantId)'
+                        EsrpClientId: '$(EsrpClientId)'
+                        AuthAkvName: '$(AuthAkvName)'
+                        AuthSignCertName: '$(AuthSignCertName)'
                         symbolsAzureSubscription: '$(SymbolsAzureSubscription)'
                         symbolsPublishProjectName: '$(SymbolsPublishProjectName)'
                         symbolsPublishServer: '$(SymbolsPublishServer)'

eng/pipelines/common/templates/steps/esrp-code-signing-step.yml

@@ -17,6 +17,10 @@ parameters:
     type: string
     default: $(artifactDirectory)
 
+  - name: ESRPConnectedServiceName
+    type: string
+    default: $(ESRPConnectedServiceName)
+
   - name: appRegistrationClientId
     type: string
     default: $(appRegistrationClientId)
@@ -25,29 +29,42 @@ parameters:
     type: string
     default: $(appRegistrationTenantId)
 
+  - name: AuthAKVName
+    type: string
+    default: $(AuthAKVName)
+
+  - name: AuthSignCertName
+    type: string
+    default: $(AuthSignCertName)
+
+  - name: EsrpClientId
+    type: string
+    default: $(EsrpClientId)
+
 steps:
 - ${{ if eq(parameters.artifactType, 'dll') }}:
   - task: EsrpMalwareScanning@5
     displayName: 'ESRP MalwareScanning'
     inputs:
-      ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
+      ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
       AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
       AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
-      AuthAKVName: SqlClientDrivers
-      AuthCertName: 'ESRP-Release-Auth'
+      EsrpClientId: '${{parameters.EsrpClientId }}'
+      UseMSIAuthentication: true
       FolderPath: '${{parameters.sourceRoot }}'
       Pattern: '*.dll'
       CleanupTempStorage: 1
       VerboseLogin: 1
   - task: EsrpCodeSigning@5
     displayName: 'ESRP CodeSigning'
     inputs:
-      ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
+      ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
       AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
       AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
-      AuthAKVName: SqlClientDrivers
-      AuthCertName: 'ESRP-Release-Auth'
-      AuthSignCertName: 'ESRP-Release-Sign2'
+      EsrpClientId: '${{parameters.EsrpClientId }}'
+      UseMSIAuthentication: true
+      AuthAKVName: '${{parameters.AuthAKVName }}'
+      AuthSignCertName: '${{parameters.AuthSignCertName }}'
       FolderPath: '${{parameters.sourceRoot }}'
       Pattern: '*.dll'
       signConfigType: inlineSignParams
@@ -94,11 +111,11 @@ steps:
   - task: EsrpMalwareScanning@5
     displayName: 'ESRP MalwareScanning Nuget Package'
     inputs:
-      ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
+      ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
       AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
       AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
-      AuthAKVName: SqlClientDrivers
-      AuthCertName: 'ESRP-Release-Auth'
+      EsrpClientId: '${{parameters.EsrpClientId }}'
+      UseMSIAuthentication: true
       FolderPath: '${{parameters.artifactDirectory }}'
       Pattern: '*.*nupkg'
       CleanupTempStorage: 1
@@ -107,12 +124,13 @@ steps:
     displayName: 'ESRP CodeSigning Nuget Package'
     inputs:
       inputs:
-      ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
+      ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
       AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
       AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
-      AuthAKVName: SqlClientDrivers
-      AuthCertName: 'ESRP-Release-Auth'
-      AuthSignCertName: 'ESRP-Release-Sign2'
+      EsrpClientId: '${{parameters.EsrpClientId }}'
+      UseMSIAuthentication: true
+      AuthAKVName: '${{parameters.AuthAKVName }}'
+      AuthSignCertName: '${{parameters.AuthSignCertName }}'
       FolderPath: '${{parameters.artifactDirectory }}'
       Pattern: '*.*nupkg'
       signConfigType: inlineSignParams

eng/pipelines/jobs/build-akv-official-job.yml

@@ -26,22 +26,22 @@ parameters:
     - name: publishSymbols
       type: boolean
 
-    - name: signingAppRegistrationClientId
+    - name: ESRPConnectedServiceName
       type: string
 
-    - name: signingAppRegistrationTenantId
+    - name: AppRegistrationClientId
       type: string
 
-    - name: signingAkvName
+    - name: AppRegistrationTenantId
       type: string
 
-    - name: signingAuthCertName
+    - name: EsrpClientId
       type: string
 
-    - name: signingConnectedServiceName
+    - name: AuthAkvName
       type: string
 
-    - name: signingSignCertName
+    - name: AuthSignCertName
       type: string
 
     - name: symbolsAzureSubscription
@@ -108,13 +108,13 @@ jobs:
 
           - template: ../steps/compound-esrp-code-signing-step.yml@self
             parameters:
-                akvName: '${{ parameters.signingAkvName }}'
-                appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
-                appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
+                ESRPConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
+                appRegistrationClientId: '${{ parameters.AppRegistrationClientId }}'
+                appRegistrationTenantId: '${{ parameters.AppRegistrationTenantId }}'
+                EsrpClientId: '${{ parameters.EsrpClientId }}'
+                AuthAkvName: '${{ parameters.AuthAkvName }}'
+                AuthSignCertName: '${{ parameters.AuthSignCertName }}'
                 artifactType: 'dll'
-                authCertName: '${{ parameters.signingAuthCertName }}'
-                connectedServiceName: '${{ parameters.signingConnectedServiceName }}'
-                signingCertName: '${{ parameters.signingSignCertName }}'
 
           - template: ../steps/compound-nuget-pack-step.yml@self
             parameters:
@@ -127,13 +127,13 @@ jobs:
 
           - template: ../steps/compound-esrp-code-signing-step.yml@self
             parameters:
-                akvName: '${{ parameters.signingAkvName }}'
-                appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
-                appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
+                ESRPConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
+                appRegistrationClientId: '${{ parameters.AppRegistrationClientId }}'
+                appRegistrationTenantId: '${{ parameters.AppRegistrationTenantId }}'
+                EsrpClientId: '${{ parameters.EsrpClientId }}'
+                AuthAkvName: '${{ parameters.AuthAkvName }}'
+                AuthSignCertName: '${{ parameters.AuthSignCertName }}'
                 artifactType: 'pkg'
-                authCertName: '${{ parameters.signingAuthCertName }}'
-                connectedServiceName: '${{ parameters.signingConnectedServiceName }}'
-                signingCertName: '${{ parameters.signingSignCertName }}'
 
           - ${{ if parameters.publishSymbols }}:
             - template: ../steps/compound-publish-symbols-step.yml@self

eng/pipelines/libraries/common-variables.yml

@@ -5,6 +5,14 @@
 #################################################################################
 
 variables:
+  - group: ESRP Federated Creds (AME)
+    # ESRPConnectedServiceName
+    # ESRPClientId
+    # AppRegistrationClientId
+    # AppRegistrationTenantId
+    # AuthAKVName
+    # AuthSignCertName
+
   - name: Configuration
     value: Release
   - name: CommitHead
@@ -17,7 +25,3 @@ variables:
     value: $(REPOROOT)/symbols
   - name: artifactDirectory
     value: '$(REPOROOT)/packages'
-  - name: appRegistrationClientId
-    value: 'a0d18a38-fde1-4ba7-92e1-15be16cb6a8e'
-  - name: appRegistrationTenantId
-    value: '72f988bf-86f1-41af-91ab-2d7cd011db47'

eng/pipelines/steps/compound-esrp-code-signing-step.yml

@@ -5,9 +5,7 @@
 #################################################################################
 
 parameters:
-    - # Name of the Azure Key Vault to retrieve certificates from.
-      # note: This has nothing to do with the AKV provider package.
-      name: akvName
+    - name: ESRPConnectedServiceName
       type: string
 
     - name: appRegistrationClientId
@@ -16,45 +14,47 @@ parameters:
     - name: appRegistrationTenantId
       type: string
 
-    - name: artifactType
+    - name: EsrpClientId
       type: string
-      values:
-          - dll
-          - pkg
 
-    - name: authCertName
+    - # Name of the Azure Key Vault to retrieve ESRP Code Signing certificate from.
+      name: AuthAkvName
       type: string
 
-    - name: connectedServiceName
+    - name: authSignCertName
       type: string
 
-    - name: signingCertName
+    - name: artifactType
       type: string
+      values:
+          - dll
+          - pkg
 
 steps:
     - ${{ if eq(parameters.artifactType, 'dll') }}:
         - task: EsrpMalwareScanning@5
           displayName: 'ESRP Malware Scanning Code'
           inputs:
+              ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
               AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
               AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+              EsrpClientId: '${{ parameters.EsrpClientId }}'
+              UseMSIAuthentication: true
               CleanupTempStorage: 1
-              ConnectedServiceName: '${{ parameters.connectedServiceName }}'
-              AuthAKVName: '${{ parameters.akvName }}'
-              AuthCertName: '${{ parameters.authCertName }}'
               FolderPath: '$(BUILD_OUTPUT)'
               Pattern: '*.dll'
               VerboseLogin: 1
 
         - task: EsrpCodeSigning@5
           displayName: 'ESRP Signing Code'
           inputs:
+              ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
               AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
               AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+              EsrpClientId: '${{ parameters.EsrpClientId }}'
+              UseMSIAuthentication: true
               AuthAKVName: '${{ parameters.akvName }}'
-              AuthCertName: '${{ parameters.authCertName }}'
-              AuthSignCertName: '${{ parameters.signingCertName }}'
-              ConnectedServiceName: '${{ parameters.connectedServiceName }}'
+              AuthSignCertName: '${{ parameters.AuthSignCertName }}'
               FolderPath: '$(BUILD_OUTPUT)'
               Pattern: '*.dll'
               signConfigType: 'inlineSignParams'
@@ -102,25 +102,26 @@ steps:
         - task: EsrpMalwareScanning@5
           displayName: 'ESRP Malware Scanning NuGet Package'
           inputs:
+              ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
               AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
               AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+              EsrpClientId: '${{ parameters.EsrpClientId }}'
+              UseMSIAuthentication: true
               CleanupTempStorage: 1
-              ConnectedServiceName: '${{ parameters.connectedServiceName }}'
-              AuthAKVName: '${{ parameters.akvName }}'
-              AuthCertName: '${{ parameters.authCertName }}'
               FolderPath: '$(ARTIFACT_PATH)'
               Pattern: '*.*nupkg'
               VerboseLogin: 1
 
         - task: EsrpCodeSigning@5
           displayName: 'ESRP Signing NuGet Package'
           inputs:
+            ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
             AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
             AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+            EsrpClientId: '${{ parameters.EsrpClientId }}'
+            UseMSIAuthentication: true
             AuthAKVName: '${{ parameters.akvName }}'
-            AuthCertName: '${{ parameters.authCertName }}'
-            AuthSignCertName: '${{ parameters.signingCertName }}'
-            ConnectedServiceName: '${{ parameters.connectedServiceName }}'
+            AuthSignCertName: '${{ parameters.AuthSignCertName }}'
             FolderPath: '$(ARTIFACT_PATH)'
             Pattern: '*.*nupkg'
             signConfigType: 'inlineSignParams'

eng/pipelines/variables/akv-official-variables.yml

@@ -7,13 +7,8 @@
 # @TODO: These seem to only really apply to official builds. Name should probably be adjusted to match.
 
 variables:
+      # @TODO: Rename to something more appropriate for symbols
     - group: 'akv-variables-v2'
-      # SigningAppRegistrationClientId
-      # SigningAppRegistrationTenantId
-      # SigningAkvName
-      # SigningAuthCertName
-      # SigningConnectedServiceName
-      # SigningSignCertName
       # SymbolsAzureSubscription
       # SymbolsPublishProjectName
       # SymbolsPublishServer