From b063cdee1b71a851b2759ff0a66c9216984bd685 Mon Sep 17 00:00:00 2001
From: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com>
Date: Mon, 15 Apr 2024 16:06:50 -0700
Subject: [PATCH] Use WIF to connect storage container (#5525)

Moving away from SAS tokens for connecting to storage so switching to using a Workload Identity Federation connection to the container to download the needed files.

Co-authored-by: Wes Haggard <weshaggard@users.noreply.github.com>
---
 .../pipelines/templates/steps/policheck.yml    | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/eng/common/pipelines/templates/steps/policheck.yml b/eng/common/pipelines/templates/steps/policheck.yml
index 5ef30187e..199af7972 100644
--- a/eng/common/pipelines/templates/steps/policheck.yml
+++ b/eng/common/pipelines/templates/steps/policheck.yml
@@ -2,14 +2,20 @@ parameters:
   ExclusionDataBaseFileName: ''
   TargetDirectory: ''
   PublishAnalysisLogs: false
-  PoliCheckBlobSAS: "$(azuresdk-policheck-blob-SAS)"
   ExclusionFilePath: "$(Build.SourcesDirectory)/eng/guardian-tools/policheck/PolicheckExclusions.xml"
 
 steps:
-  - pwsh: |
-      azcopy copy "https://azuresdkartifacts.blob.core.windows.net/policheck/${{ parameters.ExclusionDataBaseFileName }}.mdb?${{ parameters.PoliCheckBlobSAS }}" `
-      "$(Build.BinariesDirectory)"
-    displayName: 'Download PoliCheck Exclusion Database'
+ - task: AzurePowerShell@5
+    displayName: 'Download Policheck Exclusion Database'
+    inputs:
+      azureSubscription: 'Azure SDK Artifacts'
+      ScriptType: 'InlineScript'
+      azurePowerShellVersion: LatestVersion 
+      pwsh: true
+      Inline: |
+        azcopy copy "https://azuresdkartifacts.blob.core.windows.net/policheck/${{ parameters.ExclusionDataBaseFileName }}.mdb" "$(Build.BinariesDirectory)"
+    env: 
+      AZCOPY_AUTO_LOGIN_TYPE: 'PSCRED'
 
   - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
     displayName: 'Run PoliCheck'
@@ -33,4 +39,4 @@ steps:
 
   - ${{ if eq(parameters.PublishAnalysisLogs, 'true') }}:
     - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
-      displayName: 'Publish Security Analysis Logs'
\ No newline at end of file
+      displayName: 'Publish Security Analysis Logs'