Microsoft Entra Workload ID not supported (update packer plugin) #10560

Open
6 of 13 tasks
donk-msft opened this issue Sep 6, 2024 · 2 comments

donk-msft commented Sep 6, 2024

Description

Issue based on suggestion from January 2024 to solicit a response from team.

Lack of support for Microsoft Entra Workload ID is blocking conversion of our service connections.

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

20240901.1.0

Is it regression?

No

Expected behavior

GenerateResourcesAndImage.ps1 runs successfully when used in a pipeline within the context of a WIF based service connection.

Actual behavior

Pipeline fails with the following error:
==> Some builds didn't complete successfully and had errors:
--> azure-arm.build_image: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '***'.

Repro steps

  1. Create working pipeline based on service connection (SPN/Secret)
  2. Modify pipeline to use service connection based on WIF

@RaviAkshintala (Contributor)

@donk-msft Thank you for bringing this issue to us. We are looking into this issue and will update you on this issue after investigating.

v1adev commented Sep 11, 2024

Setting the use_azure_cli_auth option for the Azure ARM builder to true would simplify the authentication quite a bit. Running packer build from within an authenticated Azure CLI session would simply work without specifying any additional auth-related parameters.
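
A minimal Packer template using the option named in the comment above, as an added example that is not from this thread or from the runner-images repository. The source name reuses `build_image` from the error output; the image, region, VM size and resource names are placeholder assumptions, and the Azure plugin is assumed to be installed already.

```hcl
# Added example (constructed): resource names, region, VM size and image
# values are placeholders, not values from the issue or the repository.

source "azure-arm" "build_image" {
  # Secret-based service principal authentication, shown for comparison.
  # These settings require a long-lived client secret in the pipeline:
  #   client_id       = var.client_id
  #   client_secret   = var.client_secret
  #   tenant_id       = var.tenant_id
  #   subscription_id = var.subscription_id

  # Azure CLI authentication: the builder reuses the credentials of the
  # surrounding `az login` session, so no secret is passed to Packer.
  # Tenant and subscription are taken from the CLI's default account.
  use_azure_cli_auth = true

  # Base image (Ubuntu 22.04 marketplace image, chosen as a placeholder).
  os_type         = "Linux"
  image_publisher = "canonical"
  image_offer     = "0001-com-ubuntu-server-jammy"
  image_sku       = "22_04-lts"

  # Placement of the temporary build VM (placeholder values).
  location = "westeurope"
  vm_size  = "Standard_D4s_v4"

  # Where the resulting managed image is stored (placeholder names).
  managed_image_name                = "example-runner-image"
  managed_image_resource_group_name = "example-images-rg"
}

build {
  sources = ["source.azure-arm.build_image"]
}
```

Run `packer build` on this template from a shell in which `az login` has already succeeded; the identity behind that session needs the same Azure role assignments the service principal had.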
