Background
In order to build images with internal versions of .NET, we need to access to two resources at once:
- Storage account containing internal .NET versions
- The staging container registry
This isn't normally a problem since we use service connections backed by managed identities. Managed identities can have access to more than one resource. However, this isn't the case if the two resources are in different Azure tenants. One managed identity can't have permission to resources across different tenants. So, this necessitates using multiple service connections.
Possible approach
We can do this using AzurePipelinesCredential. If the pipeline has authorization to multiple service connections, then AzurePipelinesCredential can use the System.AccessToken (from the pipeline) to get Credentials for a specific service connection by specifying the clientId and serviceConnectionId.
Background
In order to build images with internal versions of .NET, we need to access to two resources at once:
This isn't normally a problem since we use service connections backed by managed identities. Managed identities can have access to more than one resource. However, this isn't the case if the two resources are in different Azure tenants. One managed identity can't have permission to resources across different tenants. So, this necessitates using multiple service connections.
Possible approach
We can do this using AzurePipelinesCredential. If the pipeline has authorization to multiple service connections, then AzurePipelinesCredential can use the System.AccessToken (from the pipeline) to get Credentials for a specific service connection by specifying the
clientIdandserviceConnectionId.