Skip to content

Authenticate to IoT Hub using AAD in tests#7493

Open
damonbarry wants to merge 108 commits intoAzure:mainfrom
damonbarry:iothub-sss
Open

Authenticate to IoT Hub using AAD in tests#7493
damonbarry wants to merge 108 commits intoAzure:mainfrom
damonbarry:iothub-sss

Conversation

@damonbarry
Copy link
Copy Markdown
Member

@damonbarry damonbarry commented Dec 16, 2025
edited
Loading

This change updates the test apps (IotEdgeQuickstart for connectivity, Microsoft.Azure.Devices.Edge.Test for all the others) and test modules used by the test pipelines to:

  • replace Microsoft.Azure.EventHubs (deprecated, doesn't support federated credentials) with Azure.Messaging.EventHubs to read messages from Event Hub
  • update to the latest Microsoft.Azure.Devices SDK (older version doesn't support federated credentials) to communicate with IoT Hub (working with device registry, twins, edge deployments)

In the test apps, which run on the pipeline agent VM and have access to Azure CLI credentials, we pass Azure.Identity.AzureCliCredential to the SDKs to communicate with Event Hub and IoT Hub.

In the test modules, which run in Docker containers and do not have access to Azure CLI credentials on the pipeline agent VM, but can have credentials mounted as a file, we pass Azure.Identity.WorkloadIdentityCredential to the SDKs to communicate with Event Hub and IoT Hub. In the connectivity test pipeline, which can run for longer than the lifetime of the file-mounted credentials, we use an OIDC API in DevOps to generate and refresh the mounted credential from the system access token passed into the pipeline.

This change also updates the pipeline YAML files and related scripts to support the updates to the test apps.

To test, I ran the various pipelines and confirmed they pass when local auth is disabled on the corresponding IoT hub:

  • Connectivity tests
  • End-to-end tests (still need to install Azure CLI on arm32v7 physical devices, and update the proxy agent)
  • Nested edge end-to-end tests
  • ISA-95 smoke tests

Azure IoT Edge PR checklist:

This checklist is used to make sure that common guidelines for a pull request are followed.

General Guidelines and Best Practices

  • I have read the contribution guidelines.
  • Title of the pull request is clear and informative.
  • Description of the pull request includes a concise summary of the enhancement or bug fix.

Testing Guidelines

  • Pull request includes test coverage for the included changes.
  • Description of the pull request includes
    • concise summary of tests added/modified
    • local testing done.

@damonbarry
Upgrade service SDK to support AAD auth
215d90e
@damonbarry
Upgrade service SDK dependency in LeafDevice test app
ae636ba
@damonbarry
Fix StyleCop warnings
bf9af43
@damonbarry
Invoke IotEdgeQuickstart inside AzureCLI task for AAD auth to IoT Hub
16c86fe
@damonbarry
Fix template expression in YAML
0c378b8
@damonbarry
Fix argument to connectivity-deploy.yaml
badd09b
@damonbarry
Quote values for consistency
dc6090f
@damonbarry
Fix reference to dotted template parameter
4fa0342
@damonbarry
Try an app that works from my desktop
bdb3213
@damonbarry
See if a debug build will give us a better call stack
1c6e843
@damonbarry
See Azure Identity logs
4142469
@damonbarry
Add usings to make the sample compile
0d9519a
@damonbarry
Use Azure CLI credentials to authenticate to IoT hub
8285055
@damonbarry
Use AzureCliCredential in IotEdgeQuickstart and LeafDevice
6838049
@damonbarry
Revert "Use Azure CLI credentials to authenticate to IoT hub"
4542313 
This reverts commit 8285055.
@damonbarry
Revert "Add usings to make the sample compile"
b359317 
This reverts commit 0d9519a.
@damonbarry
Revert "See Azure Identity logs"
226ec8a 
This reverts commit 4142469.
@damonbarry
Revert "See if a debug build will give us a better call stack"
6bf67f3 
This reverts commit 1c6e843.
@damonbarry
Revert "Try an app that works from my desktop"
9aa5e01 
This reverts commit bdb3213.
@damonbarry
Use AAD auth in test modules for connectivity
b74f6a3
@damonbarry
Use EnvironmentCredential instead of AzureCliCredential
3d4e65d
@damonbarry
Add missed error handling
7843290
@damonbarry
Dump current account info
ff812d2
@damonbarry
Export variables needed by EnvironmentCredential
ee5ca65
@damonbarry
Revert "Dump current account info"
fd71d45 
This reverts commit ff812d2.
@damonbarry
Use account info from task
75ad86d
@damonbarry
Use the right variable name for the token type
6caeeee
@damonbarry
Dump some more info to the logs
0aa8c9d
@damonbarry
Revert "Dump some more info to the logs"
855e125 
This reverts commit 0aa8c9d.
@damonbarry
Use WorkloadIdentityCredential for modules
f109bf2
damonbarry and others added 30 commits April 15, 2026 16:02
@damonbarry
Simplify stderr handling
25428d5
@damonbarry
Quote input vars
8544735
@damonbarry
Collapse errors to one line
1c646e3
@damonbarry
Add Content-Length to token refresh request
5862a23
@damonbarry
Revert "Temporarily shorten two jobs for faster iteration"
3b698bb 
This reverts commit bc617ec.
@damonbarry
Update script usage function
03cd073
@damonbarry
Add comments
343934c
@damonbarry
Remove longhaul-specific logic from trcE2ETest.sh
e2141b8
@damonbarry
Removed unused artifact from template download task
1f44b32
@damonbarry
Remove deprecated script arg
7e8d19e
@damonbarry
Merge branch 'main' into iothub-sss
7b6f029
@damonbarry
Print message when token refresh loop ends
a93626d
@damonbarry
Fix result sources output in trc
809e295
@damonbarry
Also explicitly call stop_token_refresh at end of script
0098852
@damonbarry
Merge branch 'main' into iothub-sss
2622e53
@damonbarry
Also upgrade device SDK in tests to prevent shared library mismatch
bb0ea27
@damonbarry
Run network controller as root so it can access Docker socket
920fb70
@damonbarry
Merge branch 'main' into iothub-sss
e6e7f2b
@damonbarry
Start plumbing end-to-end tests for federated IoT Hub credentials
4f71371
@damonbarry
Make DPS IdScope a template parameter
5de2ec4
@damonbarry
Fix template param refs in e2e-setup.yaml
09b61cd
@damonbarry
Rename iothub.resourceid pipeline var for consistency
c6a059d
@damonbarry
Use newer Event Hubs SDK in end-to-end and integration tests
2a04c26
@damonbarry
Build trc with needed event hub vars
327f83f
@damonbarry
Move end-to-end tests invocation into AzureCLI task
3d9223b 
Co-authored-by: Copilot <copilot@github.com>
@damonbarry
Fix env in AzureCLI task
1cc0190
@damonbarry
Remove deprecated SDK reference from THIRDPARTYNOTICES
861b277
@damonbarry
Add Azure.Messaging.EventHubs to THIRDPARTYNOTICES
56247c4
@damonbarry
Fix ValidateMetrics test
386fa9e 
Co-authored-by: Copilot <copilot@github.com>
@damonbarry
Try MetricsValidate test using AMQP instead of MQTT
0cf2377 
Co-authored-by: Copilot <copilot@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@damonbarry