Merging changes synced from https://github.com/MicrosoftDocs/azure-devops-docs-pr (branch live)

Learn Build Service GitHub App · Learn Build Service GitHub App · commit 1d231a095a5c · 2024-07-05T14:26:28.000Z
diff --git a/docs/pipelines/ecosystems/containers/publish-to-acr.md b/docs/pipelines/ecosystems/containers/publish-to-acr.md
@@ -255,6 +255,26 @@ To use Managed Service Identity with Azure Pipelines to publish Docker images to
 
     :::image type="content" source="../media/acr-service-connection.png" alt-text="A screenshot showing how to set up a docker registry service connection.":::
 
+### [Workload Identity Federation](#tab/wif)
+
+1. From your project, select the gear icon ![gear icon](../../../media/icons/gear-icon.png) to navigate to your **Project settings**.
+
+1. Select **Service connections** from the left pane.
+
+1. Select **New service connection**, and then select **Docker Registry** then **Next**.
+
+1. Select **Azure Container Registry**, and then select *Workload Identity federation* as your **Authentication Type**.
+
+1. Select your **Subscription** from the dropdown menu.
+
+1. Select your **Azure container registry** from the list.
+
+1. Enter a name for your service connection.
+
+1. Select **Save** when you are done.
+
+    :::image type="content" source="../media/docker-wif-connection.png" alt-text="A screenshot showing how to set up a docker registry service connection for workload identity federation.":::
+
 * * *
 
 ## Build and publish to Azure Container Registry
diff --git a/docs/pipelines/ecosystems/containers/push-image.md b/docs/pipelines/ecosystems/containers/push-image.md
@@ -23,7 +23,9 @@ To learn how to build a container image to deploy with Azure Pipelines, see [Bui
 
 You'll use the [Docker@2 task](/azure/devops/pipelines/tasks/reference/docker-v2) to build or push Docker images, login or logout, start or stop containers, or run a Docker command.
 
-The task uses a [Docker registry service connection](../../library/service-endpoints.md#docker-registry-service-connection) to log in and push to a container registry. The process for creating a Docker registry service connection differs depending on your registry. 
+The task uses a [Docker registry service connection for Azure Container Registry](../../library/service-endpoints.md#azure-container-registry) to log in and push to a container registry. The process for creating a Docker registry service connection differs depending on your registry. 
+
+
 
 The Docker registry service connection stores credentials to the container registry before pushing the image. You can also directly reference service connections in Docker without an additional script task.   
 
@@ -35,6 +37,9 @@ You'll need to follow a different process to create a service connection for Azu
 
 With the Azure Container Registry option, the subscription (associated with the Microsoft Entra identity of the user signed into Azure DevOps) and container registry within the subscription are used to create the service connection. 
 
+> [!NOTE]
+> This service connection method uses a service principal and not workload identity federation for authentication. To learn how to use workload identity instead with Azure Container Registry, see [Manage service connections for Azure Container Registry](/azure/devops/pipelines/library/service-endpoints#azure-container-registry).
+
 When you create a new pipeline for a repository that contains a Dockerfile, Azure Pipelines will detect Dockerfile in the repository. To start this process, create a new pipeline and select the repository with your Dockerfile. 
 
 1. From the **Configure** tab, select the **Docker - Build and push an image to Azure Container Registry** task.
@@ -60,7 +65,7 @@ For a more detailed overview, see [Build and Push to Azure Container Registry do
 
 #### [Docker Hub](#tab/docker)
 
-Choose the Docker Hub option under [Docker registry service connection](../../library/service-endpoints.md#docker-registry-service-connection) and provide your username and password to create a Docker service connection.
+Choose the Docker Hub option under [Docker registry service connection](../../library/service-endpoints.md#docker-hub-or-others) and provide your username and password to create a Docker service connection.
 
 #### [Google Container Registry](#tab/google)
 
diff --git a/docs/pipelines/ecosystems/kubernetes/canary-demo.md b/docs/pipelines/ecosystems/kubernetes/canary-demo.md
@@ -62,10 +62,9 @@ helm install --name sampleapp  prometheus-community/kube-prometheus-stack
 ## Create service connections
 
 1. Go to **Project settings** > **Pipelines** > **Service connections** in the Azure DevOps menu.
-1. Create a [Docker registry service connection](../../library/service-endpoints.md#docker-registry-service-connection) associated with your container registry. Name it **azure-pipelines-canary-k8s**.
+1. Create a [Docker registry service connection](../../library/service-endpoints.md#azure-container-registry) associated with your container registry. Name it **azure-pipelines-canary-k8s**.
 1. Create a [Kubernetes service connection](../../library/service-endpoints.md#kubernetes-service-connection) for the Kubernetes cluster and namespace you want to deploy to. Name it **azure-pipelines-canary-k8s**.
 
-
 > [!NOTE]
 > If you're using Azure Kubernetes Service, the [Azure Resource Manager service connection type](../../library/service-endpoints.md#azure-resource-manager-service-connection) is the best way to connect to a private cluster, or a cluster that has local accounts disabled.
 
@@ -374,7 +373,7 @@ You can deploy a stable version with YAML or Classic.
 For the first run of the pipeline the stable version of the workloads, and their baseline or canary versions don't exist in the cluster. To deploy the stable version:
 
 1. In *app/app.py*, change `success_rate = 5` to `success_rate = 10`. This change triggers the pipeline, leading to a build and push of the image to the container registry. It will also trigger the `DeployCanary` stage. 
-1. Because you configured an approval on the `akspromote` environment, the release will wait before running that stage. 
+1. Because you configured an approval on the `akspromote` environment, the release waits before running that stage. 
 1. In the summary of the run, select **Review** > **Approve**. This deploys the stable version of the workloads (the `sampleapp` deployment in *manifests/deployment.yml*) to the namespace.
 
 ### [Classic](#tab/classic/)
diff --git a/docs/pipelines/ecosystems/media/docker-wif-connection.png b/docs/pipelines/ecosystems/media/docker-wif-connection.png
diff --git a/docs/pipelines/library/service-endpoints.md b/docs/pipelines/library/service-endpoints.md
@@ -204,7 +204,7 @@ Once you've [created your service connection](#create-a-service-connection), com
 
 ---
 
-1. Authorize the service connection using one of the following techniques:
+2. Authorize the service connection using one of the following techniques:
 
 * To authorize any pipeline to use the service connection, go to Azure Pipelines, open the Settings page, select Service connections, and enable the setting **Allow all pipelines to use this connection** option for the connection.
 
@@ -369,18 +369,17 @@ Use the following parameters to define and secure a connection to a Docker host.
 
 For more information about protecting your connection to the Docker host, see [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/).
 
-### Docker Registry service connection
-
-Use the following parameters to define a connection to a container registry for either [Azure Container Registry](#azure-container-registry) or [Docker Hub or others](#docker-hub-or-others).
-
 #### Azure Container Registry
 
 | Parameter | Description |
 | --------- | ----------- |
+| Authentication type | Required. The options are workload identity federation, managed service identity, or service principal. |
 | Connection name | Required. The name you use to refer to the service connection in task inputs. |
 | Azure subscription | Required. The Azure subscription containing the container registry to be used for service connection creation. |
 | Azure Container Registry | Required. The Azure Container Registry to be used for creation of service connection. |
 
+There are three options for authenticating with Azure Container Registry - workload identity federation, managed service identity, or a service principal. For more information about what tasks work with workload identity federation connections, see [Troubleshoot a workload identity service connection](../release/troubleshoot-workload-identity.md).
+
 #### Docker Hub or others
 
 | Parameter | Description |
diff --git a/docs/pipelines/release/troubleshoot-workload-identity.md b/docs/pipelines/release/troubleshoot-workload-identity.md
@@ -5,7 +5,7 @@ description: Learn how to troubleshoot an Azure Resource Manager workload identi
 ms.topic: troubleshooting-general
 ms.author: jukullam
 author: juliakm
-ms.date: 02/08/2024
+ms.date: 06/07/2024
 monikerRange: '>= azure-devops'
 "recommendations": "true"
 ---
@@ -27,7 +27,7 @@ The following sections describe the issues and how to resolve them.
 
 ### Review pipeline tasks
 
-Not all pipelines tasks support workload identity. Specifically, only Azure Resource Manager service connection properties on tasks use workload identity federation. The table below lists workload identity federation support for [tasks included with Azure DevOps](/azure/devops/pipelines/tasks/reference/?view=azure-pipelines). For tasks installed from the [Marketplace](https://marketplace.visualstudio.com/search?target=AzureDevOps&category=Azure%20Pipelines&visibilityQuery=all&sortBy=Installs), contact the extension publisher for support.
+Not all pipelines tasks support workload identity. Specifically, only Azure Resource Manager service connection properties on tasks use workload identity federation. The table below lists workload identity federation support for [tasks included with Azure DevOps](/azure/devops/pipelines/tasks/reference/?view=azure-pipelines&preserve-view=true). For tasks installed from the [Marketplace](https://marketplace.visualstudio.com/search?target=AzureDevOps&category=Azure%20Pipelines&visibilityQuery=all&sortBy=Installs), contact the extension publisher for support.
 
 | Task                                     | Workload identity federation support                                                                                            |
 |------------------------------------------|---------------------------------------------------------------------------------------------------------------|
@@ -50,8 +50,8 @@ Not all pipelines tasks support workload identity. Specifically, only Azure Reso
 | AzureFunctionApp@2                       | Y |
 | AzureFunctionAppContainer@1              | Y |
 | AzureFunctionOnKubernetes@0              | Use AzureFunctionOnKubernetes@1 |
-| AzureFunctionOnKubernetes@1              | Azure service connection: Y<br/> Docker Registry service connection: 2024 Q3 <br/>[Use Azure service connection instead of Kubernetes service connection](https://devblogs.microsoft.com/devops/service-connection-guidance-for-aks-customers-using-kubernetes-tasks/) |
-| AzureIoTEdge@2                           | Azure service connection: Y<br/> Docker Registry service connection: 2024 Q3 <br/>[Use Azure service connection instead of Kubernetes service connection](https://devblogs.microsoft.com/devops/service-connection-guidance-for-aks-customers-using-kubernetes-tasks/) |
+| AzureFunctionOnKubernetes@1              | Azure service connection: Y<br/> Docker Registry service connection: Y |
+| AzureIoTEdge@2                           | Azure service connection: Y<br/> Docker Registry service connection: Y |
 | AzureKeyVault@1                          | Y |
 | AzureKeyVault@2                          | Y |
 | AzureMonitor@0                           | Use AzureMonitor@1 |
@@ -65,31 +65,32 @@ Not all pipelines tasks support workload identity. Specifically, only Azure Reso
 | AzurePowerShell@5                        | Y |
 | AzureResourceGroupDeployment@2           | Y |
 | AzureResourceManagerTemplateDeployment@3 | Y |
-| AzureRmWebAppDeployment@3                | Azure service connection: Y<br/> Docker Registry service connection: N |
+| AzureRmWebAppDeployment@3                | Azure service connection: Y<br/> Docker Registry service connection: Y |
 | AzureRmWebAppDeployment@4                | Y |
 | AzureSpringCloud@0                       | Y |
 | AzureVmssDeployment@0                    | Y |
 | AzureWebApp@1                            | Y |
 | AzureWebAppContainer@1                   | Y |
-| ContainerBuild@0                         | 2024 Q3 |
-| ContainerStructureTest@0                 | 2024 Q3 |
-| Docker@0                                 | Azure service connection: Y<br/> Docker Registry service connection: N |
-| Docker@1                                 | Azure service connection: Y<br/> Docker Registry service connection: 2024 Q3 |
-| Docker@2                                 | 2024 Q3 |
-| DockerCompose@0                          | Azure service connection: Y<br/> Docker Registry service connection: 2024 Q3 |
-| HelmDeploy@0                             | Azure service connection: Y<br/>[Use Azure service connection instead of Kubernetes service connection](https://devblogs.microsoft.com/devops/service-connection-guidance-for-aks-customers-using-kubernetes-tasks/) |
+| ContainerBuild@0                         | N |
+| ContainerStructureTest@0                 | N |
+| Docker@0                                 | Azure service connection: Y<br/> Docker Registry service connection: Y |
+| Docker@1                                 | Azure service connection: Y<br/> Docker Registry service connection: N |
+| Docker@2                                 | Y |
+| Docker@0                                 | Azure service connection: Y<br/> Docker Registry service connection: Y |
+| DockerCompose@0                          | Azure service connection: Y<br/> Docker Registry service connection: Y |
+| HelmDeploy@0                             | Azure service connection: Y |
 | InvokeRESTAPI@1                          | Y |
 | JavaToolInstaller@0                      | Y |
 | JenkinsDownloadArtifacts@1               | Y |
 | Kubernetes@0                             | Use Kubernetes@1  |
-| Kubernetes@1                             | Azure service connection: Y<br/> Docker Registry service connection: 2024 Q3 <br/>[Use Azure service connection instead of Kubernetes service connection](https://devblogs.microsoft.com/devops/service-connection-guidance-for-aks-customers-using-kubernetes-tasks/) |
+| Kubernetes@1                             | Azure service connection: Y<br/> Docker Registry service connection: Y |
 | KubernetesManifest@0                     | Use KubernetesManifest@1 |
-| KubernetesManifest@1                     | Azure service connection: Y<br/> Docker Registry service connection: 2024 Q3 <br/>[Use Azure service connection instead of Kubernetes service connection](https://devblogs.microsoft.com/devops/service-connection-guidance-for-aks-customers-using-kubernetes-tasks/) |
-| Notation@0                               | Y |
-| PackerBuild@0                            | Use PackerBuild@1 |
-| PackerBuild@1                            | Y |
-| PublishToAzureServiceBus@1               | Use PublishToAzureServiceBus@2 |
-| PublishToAzureServiceBus@2               | Y |
+| KubernetesManifest@1                     | Azure service connection: Y<br/> Docker Registry service connection: Y |
+| Notation@0                               | 2024 |
+| PackerBuild@0                            | 2024 |
+| PackerBuild@1                            | 2024 |
+| PublishToAzureServiceBus@1               | PublishToAzureServiceBus@2 will support workload identity federation |
+| PublishToAzureServiceBus@2               | 2024 Q2 |
 | ServiceFabricComposeDeploy@0             | N |
 | ServiceFabricDeploy@1                    | N |
 | SqlAzureDacpacDeployment@1               | Y |
