[rush] feature request: Azure Blob build cache AzurePipelinesCredential support #4865

Open
jeremymeng opened this issue Aug 7, 2024 · 3 comments

@jeremymeng
Member

Summary

Authenticating to Azure Services is easier and more secure with Federated Identity Credentials (FIC) through Service Connections.

Azure SDK provides support for FIC with AzurePipelinesCredential from @azure/identity.

https://devblogs.microsoft.com/azure-sdk/improve-security-posture-in-azure-service-connections-with-azurepipelinescredential/

It would be great to be able to use this credential in the Azure Blob build cache.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

| Question | Answer |
| --- | --- |
| @microsoft/rush globally installed version? | |
| rushVersion from rush.json? | |
| useWorkspaces from rush.json? | |
| Operating system? | |
| Would you consider contributing a PR? | |
| Node.js version (node -v)? | |

@jeremymeng
Member Author

I created a PoC PR #4866 but wonder what would be the best way to add the support so that we can use AzurePipelinesCredential in Azure DevOps pipelines.

@iclanton
Member

iclanton commented Aug 7, 2024

In our cloud cache population pipeline, we're using an Azure CLI task to generate a SAS and set it in a pipeline variable, and then set that pipeline variable to the RUSH_BUILD_CACHE_CREDENTIAL env var during the build (with the RUSH_BUILD_CACHE_WRITE_ALLOWED env var also set to 1).

In your proof-of-concept, I see this code:

          const serviceConnectionID = process.env.AZURESUBSCRIPTION_SERVICE_CONNECTION_ID;
          const clientID = process.env.AZURESUBSCRIPTION_CLIENT_ID;
          const tenantID = process.env.AZURESUBSCRIPTION_TENANT_ID;

Are those standard variables that got populated automatically, or are you populating those explicitly?

@iclanton iclanton moved this from Needs triage to General Discussions in Bug Triage Aug 7, 2024
@jeremymeng
Member Author

> Are those standard variables that got populated automatically, or are you populating those explicitly?

My understanding is that they are configured automatically within AzurePowerShell@5 or AzureCLI@2 tasks.
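
The following is an added example, not code from Rush or from the PoC PR: it reads the three variables quoted in this thread, fails fast when any is absent, and only then builds an `AzurePipelinesCredential` for a blob client. It assumes that `SYSTEM_ACCESSTOKEN` is mapped from `$(System.AccessToken)` in the pipeline step; the function names and the `storageAccountName` parameter are hypothetical.

```javascript
// Added example; env var names other than SYSTEM_ACCESSTOKEN are the ones quoted in this thread.
// SYSTEM_ACCESSTOKEN is an assumption: it must be mapped from $(System.AccessToken) in the step's env.
const REQUIRED_ENV = {
  tenantId: 'AZURESUBSCRIPTION_TENANT_ID',
  clientId: 'AZURESUBSCRIPTION_CLIENT_ID',
  serviceConnectionId: 'AZURESUBSCRIPTION_SERVICE_CONNECTION_ID',
  systemAccessToken: 'SYSTEM_ACCESSTOKEN'
};

// Hypothetical helper: collects the credential inputs or throws listing what is missing.
function resolvePipelinesCredentialInputs(env) {
  const inputs = {};
  const missing = [];
  for (const [key, name] of Object.entries(REQUIRED_ENV)) {
    const value = (env[name] || '').trim();
    // An undefined macro variable is left as literal "$(Name)" text, so treat that as missing.
    if (!value || /^\$\(.+\)$/.test(value)) missing.push(name);
    else inputs[key] = value;
  }
  if (missing.length > 0) {
    // Report variable names only; never echo values, since the access token is a secret.
    throw new Error(`Missing pipeline variables: ${missing.join(', ')}`);
  }
  return inputs;
}

// Hypothetical helper: storageAccountName is supplied by the caller.
async function createCacheBlobServiceClient(env, storageAccountName) {
  const { tenantId, clientId, serviceConnectionId, systemAccessToken } =
    resolvePipelinesCredentialInputs(env);
  // Loaded lazily so the validation above runs even where the SDK is not installed.
  const { AzurePipelinesCredential } = await import('@azure/identity');
  const { BlobServiceClient } = await import('@azure/storage-blob');
  const credential = new AzurePipelinesCredential(
    tenantId, clientId, serviceConnectionId, systemAccessToken);
  return new BlobServiceClient(
    `https://${storageAccountName}.blob.core.windows.net`, credential);
}
```

Unlike a SAS placed in `RUSH_BUILD_CACHE_CREDENTIAL`, no storage secret is held in a pipeline variable here; the identity behind the service connection needs a data-plane role on the cache container instead.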
