Description
Is your feature request related to a problem? Please describe.
Looking to provide cross tenant access to trusted signing accounts, using Managed Identity and Federated Credentials in a separate tenant and subscription to Trusted Signing Account using an App Registration in the tenant with the Managed Identity and an Enterprise App in the tenant with the trusted signing account.
Tried using Azure PowerShell to authenticate with -AccessToken for Connect-AzAccount set. But the Get-AzAccessToken fails for https://codesigning.azure.net/ as the AccessToken connected for the subscription can't retrieve a second access token.
[AccessTokenAuthenticator] failed to retrieve access token for resource 'https://codesigning.azure.net';. Please ensure that you have provided the appropriate access tokens when using access token login.
   at Azure.Identity.AzurePowerShellCredential.RequestAzurePowerShellAccessTokenAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.AzurePowerShellCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.AzurePowerShellCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.AzurePowerShellCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.SetResultOnTcsFromCredentialAsync(TokenRequestContext context, TaskCompletionSource1 targetTcs, Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.TokenRequestState.GetCurrentHeaderValue(Boolean async, Boolean checkForCompletion, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
   at Azure.CodeSigning.CertificateProfileRestClient.GetSignCertificateChainAsync(String codeSigningAccountName, String certificateProfileName, CancellationToken cancellationToken)
   at Azure.CodeSigning.CertificateProfileClient.GetSignCertificateChainAsync(String codeSigningAccountName, String certificateProfileName, CancellationToken cancellationToken)
   at Sign.SignatureProviders.TrustedSigning.TrustedSigningService.GetCertificateAsync(CancellationToken cancellationToken) in /_/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs:line 65
   at Sign.Core.Signer.SignAsync(IReadOnlyList1 inputFiles, String outputFile, FileInfo fileList, Boolean recurseContainers, DirectoryInfo baseDirectory, String applicationName, String publisherName, String description, Uri descriptionUrl, Uri timestampUrl, Int32 maxConcurrency, HashAlgorithmName fileHashAlgorithm, HashAlgorithmName timestampHashAlgorithm) in /_/src/Sign.Core/Signer.cs:line 79
Describe the solution you'd like
sign code trusted-signing should provide an option for access-token under -act and an access token that could be retrieved using Invoke-RestMethod. When specified the default Get-AzAccessToken would be bypassed.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
sign --version
0.9.1-beta.25330.2+dc01dca32471b368ad640358778e172d1bd249f9
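
A bearer token carries a single audience (`aud`) claim, so a token issued for one resource cannot be presented to https://codesigning.azure.net. The following is an added example, not part of the issue or of the sign project: a PowerShell check that reads a token's `aud`, `tid` and `exp` claims before the token is handed to a signing step. The function names, the placeholder tenant ID and the two unsigned sample tokens are constructed for illustration, and the Azure Resource Manager audience in the first sample is an assumption about what a subscription-scoped token looks like.

```powershell
# Added example: read (not validate) the claims of a bearer token.
# Signature validation is the resource's job; this only catches a wrong-audience token early.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-TokenForResource {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$Resource,
        [Parameter(Mandatory)][string]$TenantId
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 segments)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    [pscustomobject]@{
        Audience      = $claims.aud
        # Compare without the trailing slash, which differs between token issuers' formats.
        AudienceMatch = ([string]$claims.aud).TrimEnd('/') -eq $Resource.TrimEnd('/')
        TenantMatch   = [string]$claims.tid -eq $TenantId
        NotExpired    = [long]$claims.exp -gt $now
    }
}

# Constructed sample tokens (unsigned, placeholder tenant ID); not real credentials.
$tenant = '00000000-0000-0000-0000-000000000001'
$exp    = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$header = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
foreach ($aud in 'https://management.azure.com/', 'https://codesigning.azure.net') {
    $body  = ConvertTo-Base64Url (@{ aud = $aud; tid = $tenant; exp = $exp } | ConvertTo-Json -Compress)
    $token = ($header, $body, 'sig') -join '.'
    Test-TokenForResource -Token $token -Resource 'https://codesigning.azure.net' -TenantId $tenant
}
```

The first sample reports `AudienceMatch` as false and the second as true. The `tid` comparison shows which tenant issued the token, which matters in a cross-tenant setup.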