
What is the best way to login to the Azure Devops CLI from a Release Pipeline?

I am using the Azure DevOps CLI on one of my pipelines. In order to use the CLI, I first need to log in (authenticate). Unlike using the REST API, I can't use the OAuth token that is available to me.

So here's my understanding of my options:

  1. I can do an "az login" using a PAT that I map to this environment variable:

AZURE_DEVOPS_EXT_PAT

THIS IS THE WAY I'm doing it now.

  2. Apparently you can use a Service Principal. I like this the most because I should theoretically be able to have this principal apply to everyone on my team. Is that correct?

  3. Use "az login" with a user/password. This is the least desirable way of doing it because it involves passing around credentials. Too messy.

  4. Although my pipeline has the OAuth token exposed (System.AccessToken), it cannot be used by the CLI. For example, if I try to assign the value of the OAuth token to AZURE_DEVOPS_EXT_PAT, it fails (AZURE_DEVOPS_EXT_PAT=$System.AccessToken).

Questions:

  1. Is it possible to use the OAuth token to log in to the CLI?

  2. Is the Service Principal the best way to go?

Additional Info:

I do not have subscriptions, only a tenant-id. We're not creating any Azure resources; we're an AWS shop that happens to be using ADO only for CI/CD.

KSS asked Oct 20 '25 02:10


1 Answer

Use az devops login instead of az login

From your pipeline use:

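# Read the mapped environment variable with shell syntax ($AccessToken).
# $(AccessToken) is not a defined pipeline variable, so bash would run it as a command.
# On a Windows agent, where script runs cmd.exe, use %AccessToken% instead.
- script: echo "$AccessToken" | az devops login
  env:
    AccessToken: $(System.AccessToken)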

A few interesting notes:

  • Secrets (like System.AccessToken) are available to scripts unless you pass them in explicitly as environment variables
  • the System.AccessToken variable is the default access token of the build agent
  • there is a project-specific build agent and a project-collection build agent. The one you use is actually controlled by the 'limit access to current project scope' flag in the Pipeline settings for the project.
  • you may need to elevate permissions for the build agent if you're trying to manipulate objects. For example, you could grant the Create Tag permission on a repository if you wanted the build agent to update the repository.
  • you can also create your own PAT token with permissions that you specify.
bryanbcook answered Oct 22 '25 04:10
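
An added example, not part of the answer above: a bash step body that checks the mapped token before piping it to az devops login, so an empty or unexpanded value (the failure described in the question) is reported clearly instead of surfacing as an authentication error. It assumes a bash agent and the env mapping from the answer (AccessToken: $(System.AccessToken)); the function names are hypothetical, and SYSTEM_COLLECTIONURI, SYSTEM_TEAMPROJECT and TF_BUILD are the agent's predefined variables.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical. Assumes the step maps the
# secret as in the answer:   env: { AccessToken: $(System.AccessToken) }

# Classify a token value without printing it.
# 0 = usable, 1 = empty/unmapped, 2 = unexpanded variable reference, 3 = whitespace
ado_token_check() {
  local tok="${1-}"
  [ -n "$tok" ] || return 1
  case "$tok" in
    '$('*')') return 2 ;;        # undefined macro left as literal text
    .AccessToken) return 2 ;;    # shell expanded "$System" in $System.AccessToken to nothing
    *[[:space:]]*) return 3 ;;
  esac
  return 0
}

ado_cli_login() {
  local rc=0
  ado_token_check "${AccessToken-}" || rc=$?
  case "$rc" in
    1) echo "AccessToken is empty: map it under env: in this step" >&2; return 1 ;;
    2) echo "AccessToken holds an unexpanded variable reference" >&2; return 1 ;;
    3) echo "AccessToken contains whitespace" >&2; return 1 ;;
  esac
  # printf is a shell builtin, so the token goes over stdin and never
  # appears in a process argument list.
  printf '%s' "$AccessToken" | az devops login --organization "$SYSTEM_COLLECTIONURI"
  # Confirm the build identity can actually read the project.
  az devops project show --project "$SYSTEM_TEAMPROJECT" \
    --organization "$SYSTEM_COLLECTIONURI" --query name --output tsv
}

# TF_BUILD is set to True by Azure Pipelines agents; do nothing elsewhere.
if [ "${TF_BUILD-}" = "True" ]; then
  ado_cli_login
fi
```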


