Possible to use workload identity KEDA -> Azure Pipelines auth

[guidojw]

I am trying to convert a Azure Pipelines queue triggered agent pool running with KEDA to use workload identity for the Azure DevOps API communication.

So far I have configured a TriggerAuthentication with type azure-workload and added authenticationRef to the ScaledObject with an azure-pipelines trigger. When I however kubectl describe the keda-operator pod, I see the following errors:

error getting scalers cache error parsing azure Pipelines metadata: no personalAccessToken given

error parsing azure Pipelines metadata: no personalAccessToken given

, and scaling does not function correctly.

Is it possible to do this? To my knowledge you need to generate an Azure DevOps specific PAT from Azure credentials using az account get-access-token and I think KEDA may not do this.

---

Manifests:

---
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: pipeline-trigger-auth
spec:
  podIdentity:
    provider: azure-workload
    identityId: <ID>

---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: azure-pipelines-scaledobject
spec:
  scaleTargetRef:
    name: azagent-sre-deployment
  minReplicaCount: 1
  maxReplicaCount: 5
  triggers:
  - type: azure-pipelines
    metadata:
      poolName: "SRE-AKS-POOL"
      organizationURLFromEnv: "AZP_URL"
    authenticationRef:
      name: pipeline-trigger-auth

And the keda-operator pod has the workload identity environment correctly injected.

[guidojw]

I see that support was added in #4867.
My configurations look similar, anyone have an idea of what is going wrong?

[guidojw]

Ah I see now, my AKS instance is kubernetes 1.28.9 which runs KEDA 2.11.2, gotta upgrade :)