3.1.6.1. Pipeline Authentication: Workload Identity and OIDC
Pipeline authentication determines how pipelines access Azure resources, repositories, and registries. Workload identity federation eliminates stored secrets entirely: the pipeline's OIDC token is exchanged with Azure AD at runtime — nothing to rotate or expire. For Azure DevOps, native workload identity federation on service connections replaces service principal secrets. For GitHub Actions, the azure/login action with OIDC exchanges GitHub's token for Azure access without any repository secrets. System.AccessToken represents the build service identity with limited default permissions — grant it specific permissions (like "Create tag") rather than replacing it with PATs, which are tied to user accounts. The trade-off between shared and per-pipeline service connections is management simplicity versus least privilege: shared connections have broad access (higher blast radius), while per-pipeline connections are scoped to specific resource groups.
Workload identity federation represents the most significant security improvement in pipeline authentication. Traditional service principal authentication stores a client secret in the pipeline — this secret must be rotated before expiry (typically 1-2 years), creates an outage if rotation is missed, and can be exfiltrated by any pipeline step that accesses environment variables.
Federated credentials eliminate stored secrets entirely. The pipeline's CI/CD platform (Azure DevOps, GitHub Actions) issues an OIDC token at runtime. Azure AD trusts the platform as an identity provider and exchanges the OIDC token for an Azure access token. Nothing is stored, nothing expires, nothing can be extracted from the pipeline definition.
For Azure DevOps, service connections support native workload identity federation — configure the service connection with tenant ID, subscription ID, and the federated credential trust. For GitHub Actions, the azure/login action accepts client-id, tenant-id, and subscription-id (none of which are secrets) and handles the OIDC exchange automatically.
System.AccessToken is the built-in authentication token for the pipeline itself, representing the build service identity. It's automatically available in every pipeline run and scoped to the current project. Default permissions are read-only; grant additional permissions (push to repository, create tags, manage feeds) through Project Settings → Repositories → Security. Never replace System.AccessToken with a PAT — PATs tie to user accounts and have broader access than necessary.
Per-pipeline service connections follow least privilege: each connection scoped to one resource group, with only the permissions that specific pipeline needs. The management overhead of multiple connections is repaid in blast radius reduction — a compromised connection affects only one resource group, not the entire subscription.
For organizations managing hundreds of pipelines, service connection governance becomes critical. Azure DevOps pipeline permissions restrict which pipelines can use each service connection — preventing a junior developer's test pipeline from deploying to production through a production service connection. Combined with environment checks, this creates layered authorization: the connection provides access, the environment check provides approval, and required templates provide process enforcement.
Managed identity authentication for Azure Repos Git operations eliminates the need for PATs in pipeline scripts that interact with Git repositories. Set persistCredentials: true on the checkout step so that subsequent Git operations in the same job, such as tagging, branching, or pushing generated files, authenticate with System.AccessToken.
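The following Azure Pipelines YAML is an added example (not from the original text or any project) that combines the two patterns above: an AzureCLI task that authenticates through a workload-identity-federated service connection, and a checkout with persistCredentials: true so a later script can push a tag as the build service identity. The service connection name, resource group name, and the `build-<id>` tag scheme are assumptions; the service connection is presumed to already be configured for workload identity federation, and the project build service identity is presumed to hold the "Create tag" permission on the repository.

```yaml
trigger:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

# No secret variables appear anywhere in this file: Azure access comes from
# the federated service connection, and Git access from System.AccessToken.
steps:
- checkout: self
  # Persist the OAuth token in the local git config so later script steps
  # can push as the build service identity without a PAT.
  persistCredentials: true

- task: AzureCLI@2
  displayName: Deploy with federated service connection
  inputs:
    # Assumed name: a per-pipeline connection scoped to one resource group,
    # configured for workload identity federation (no client secret).
    azureSubscription: 'sc-wif-rg-app-dev'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # The task has already exchanged the pipeline's OIDC token for an Azure
      # access token; az is logged in and nothing was read from a secret.
      az account show --query '{tenant:tenantId, subscription:id}' -o table
      az group show --name 'rg-app-dev' --query location -o tsv   # assumed RG name

- script: |
    set -euo pipefail
    tag="build-$(Build.BuildId)"
    git tag "$tag"
    # Succeeds only if the project build service identity has "Create tag"
    # on this repository; otherwise the push is rejected with 403.
    git push origin "$tag"
  displayName: Tag the commit as the build service identity
```

If a script needs the token for non-Git calls (for example the Azure DevOps REST API), map it explicitly with `env: SYSTEM_ACCESSTOKEN: $(System.AccessToken)` on that step; it is not exposed as an environment variable by default.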
Managed identity token caching and refresh is handled by the Azure Identity library. The DefaultAzureCredential class tries multiple authentication methods in order — managed identity, environment variables, Azure CLI, then interactive browser — enabling the same code to work locally (CLI auth) and in production (managed identity).