Support multiple simultaneous service connections in ImageBuilder commands

[lbussell]

Background

In order to build images with internal versions of .NET, we need to access to two resources at once:

• Storage account containing internal .NET versions
• The staging container registry

This isn't normally a problem since we use service connections backed by managed identities. Managed identities can have access to more than one resource. However, this isn't the case if the two resources are in different Azure tenants. One managed identity can't have permission to resources across different tenants. So, this necessitates using multiple service connections.

Possible approach

We can do this using AzurePipelinesCredential. If the pipeline has authorization to multiple service connections, then AzurePipelinesCredential can use the System.AccessToken (from the pipeline) to get Credentials for a specific service connection by specifying the clientId and serviceConnectionId.

[lbussell]

[Triage] The first instance of this is in-progress here: #1719

[lbussell]

Completed with:

• Use Azure Pipelines Credential for authentication in ImageBuilder #1712
• Add internal build storage account options to Build command #1719