
I am using a Linux self hosted VM agent with the relevant tools installed to run powershell and Az commands.

  • This VM has a user-assigned managed identity added.
  • The MI has been added as a user to my ADO organisation.
  • The MI has admin rights to my ADO project.
  • Az login has been run against the VM, to authenticate into Azure with the MI.

I would like to authenticate to Azure DevOps using the access token from the managed identity rather than using a personal access token. After authenticating, I would like to use the az devops and az repos commands, to automatically control ADO.

Previously, I exported a variable $env:AZURE_DEVOPS_EXT_PAT and used my PAT token, which worked fine. However, when using the same variable and pointing it to the access token variable for the MI, it fails…

This is my current command:

$accessToken = az account get-access-token --resource $mi_client_id --query "accessToken" --output tsv

$env:AZURE_DEVOPS_EXT_PAT = $accessToken

I have also tried these variations.

$accessToken = az account get-access-token --resource $mi_client_id --query "accessToken" --output tsv
write-host $accessToken | az devops login --organization $ado_org_name

The error I get is:

Failed to authenticate using the supplied token.

I have also tried to solve this issue by setting $accesstoken to become a bearer token. Still the same.
Another way I have attempted is to output the $accesstoken value to a txt file and run get-content before the az devops login pipe.

Following the details from here, this should be achievable in some way shape or form…
https://learn.microsoft.com/en-gb/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops

I know the ADO REST API can be used, putting the access token into a JSON header for authorisation. But this will not allow the az commands to work. Any help would be appreciated.

2 Answers

  1. Try to obtain the access token for the managed identity (MI) using the az account get-access-token command:

        $mi_client_id = "<managed_identity_client_id>"
        $resource = "499b84ac-1321-427f-aa17-267ca6975798" # Azure DevOps resource ID
        $accessToken = az account get-access-token --resource $resource --query "accessToken" --output tsv

    Set the AZURE_DEVOPS_EXT_PAT environment variable to the obtained access token:

        $env:AZURE_DEVOPS_EXT_PAT = $accessToken

    Use the az devops login command to authenticate to Azure DevOps:

        az devops login --organization "https://dev.azure.com/"

    Note: Replace with the name or URL of your Azure DevOps organization.

    After successfully logging in, you can use the az devops and az repos commands to interact with Azure DevOps.

    Make sure you have the necessary permissions for the managed identity to access the Azure DevOps organization and perform the required actions.

    If you encounter any issues or errors during this process, please provide the specific error message so that I can assist you.

  2. Well, you know that already: I recommend testing the ADO REST API first and then going back to the CLI extension if needed.

    They wrap all tokens as Basic auth: https://github.com/Azure/azure-devops-cli-extension/blob/bd34a6fd0658a15dadf6c09c7f6217ca5ffa662b/azure-devops/azext_devops/dev/common/services.py#L63 and other parts of the code with similar code constructs.

    To authenticate OAuth tokens you need to use a Bearer token, which is (AFAIK) unsupported by the CLI extension: https://learn.microsoft.com/en-gb/azure/devops/integrate/get-started/authentication/oauth?toc=%2Fazure%2Fdevops%2Fmarketplace-extensibility%2Ftoc.json&view=azure-devops#4-use-the-access-token

    The quality of the extension's authentication parts is really low and the team developing the extension is unresponsive. => I recommend creating a support ticket through official paid channels.

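The token's audience and the header scheme discussed in the thread can both be checked offline before any `az devops` call. This is an added example, not code from the posts above or from the CLI extension: it decodes a token's claims to see whether it was issued for the Azure DevOps resource ID quoted in answer 1, and builds the `Authorization` header as Bearer for an access token or as Basic (empty user name) for a PAT. The function names and sample tokens are constructed for illustration, and it assumes the `aud` claim carries the resource ID that was requested.

```python
import base64
import json
import time

ADO_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps resource ID quoted in answer 1

def jwt_claims(token):
    """Return the JWT payload as a dict, or None for an opaque token such as a PAT.
    Decodes only; no signature check, so use it for diagnostics, never for trust."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def token_problems(token, now=None):
    """List reasons this value would not pass as an Azure DevOps access token."""
    claims = jwt_claims(token)
    if claims is None:
        return ["not a JWT (opaque value such as a PAT)"]
    problems = []
    if claims.get("aud") != ADO_RESOURCE:  # assumption: aud equals the requested resource ID
        problems.append(f"aud is {claims.get('aud')!r}, expected {ADO_RESOURCE}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token has expired")
    return problems

def auth_header(token):
    """Bearer for an access token (JWT); Basic with an empty user name for a PAT."""
    if jwt_claims(token) is not None:
        return {"Authorization": "Bearer " + token}
    basic = base64.b64encode((":" + token).encode()).decode()
    return {"Authorization": "Basic " + basic}

def fake_jwt(claims):
    """Constructed, unsigned sample token used only by the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    exp = int(time.time()) + 3600
    wrong = fake_jwt({"aud": "00000000-0000-0000-0000-000000000000", "exp": exp})  # token for some other resource
    right = fake_jwt({"aud": ADO_RESOURCE, "exp": exp})
    for name, tok in (("wrong audience", wrong), ("ADO audience", right), ("PAT-like", "constructedpatvalue")):
        print(name, token_problems(tok), auth_header(tok)["Authorization"].split()[0])
```

To check a real token, pass the output of `az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv` to `token_problems`.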