Thad Peiffer

Reputation: 638

VSTS Build - Write access to Git repositories using personal access token (PAT)

I'm a bit confused about the best way to securely allow a VSTS build to have write access to a Git repository when SSO is involved.

I want a VSTS build task to use a limited scope PAT to push the files, rather than use the provided OAuth token $(System.AccessToken). I'm on the DevOps team and we want to be able to issue or revoke PATs as needed without involving the infrastructure team. The PATs will be stored securely as secrets and linked to the builds.

"Read" git commands work with this approach, but "write" commands on the build agent like this pop the SSO dialog.

git -c http.extraheader="AUTHORIZATION: bearer {MY_PAT}" push

Articles like vsts/git/set-up-credential-managers tell me that I need to store the credentials on the build agent using Git Credential Manager. But using this approach, wouldn't I have to have access to the build server to store credentials for every PAT we maintain?

Articles like vsts/build-release/actions/scripts/git-commands suggest that I can give the Project Collection Build Service the "Branch" and "Contribute" permissions to a repository and turn on OAuth and then I don't need to authenticate at all. But isn't this a big security nightmare as you have now given any build in VSTS the ability to modify files in the repository you opened up?

This Stack Overflow post 44773415 tells me that I should be able to push my commit to the remote repo like this:

git push -q https://{MY_PAT}@my-org.visualstudio.com/path/to/my/_git master

None of these options have worked. All of them pop the SSO dialog on the build agent.

I have to be misunderstanding how this works. Admittedly, I haven't used git since around 2010 and we are migrating our code from TFS on prem to VSTS.

Can anyone shed further light on this? We are opening a ticket with Microsoft later today. If they can help us then I'll update this post.

Upvotes: 1

Views: 1453

Answers (2)

Thad Peiffer

Reputation: 638

The solution for me was to have the admins install the credential manager on the build agent.

  1. I didn't realize it wasn't installed on the build agents. (Not my machine)
  2. I assumed that SSO would magically know about the PAT and that a Windows credential manager entry would not be needed. Not so.

Answering this question for anyone else who makes these invalid assumptions in their scenario.

Upvotes: -1

Marina Liu

Reputation: 38136

Not installing Git Credential Manager on your agent machine only means the credentials won't be stored, so you need to provide credentials every time you connect to the remote repo in VSTS.

But there is a way to stop the SSO dialog from popping up (i.e. not authenticating by email address and password) by providing the PAT (authenticating by PAT). For example, you can push changes with this command:

git push https://Personal%20Access%20Token:{PAT}@{account}.visualstudio.com/project/_git/repo

# e.g. git push https://Personal%20Access%20Token:t03iai4yextum29xa6k5qbfl5jrvpt4zcaakafkhbhlpis7zknlq@marinaliu.visualstudio.com/Git2/_git/myrepo

Upvotes: 3
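The two approaches discussed in this thread (PAT in the remote URL, and PAT in an http.extraheader) are put together below as an added example; it is not code from either poster or from Microsoft's documentation. It assumes a POSIX shell on the build agent with git, base64 and tr available, and that the PAT arrives in the step as a secret variable (the variable name AZDO_PAT in the usage line is hypothetical). One detail worth knowing: VSTS/Azure DevOps PATs are presented over HTTP Basic authentication (any or empty username, PAT as password); the "AUTHORIZATION: bearer ..." form used in the question is the scheme for the OAuth token $(System.AccessToken), so sending a PAT as a bearer token is rejected and, when a credential helper is installed, git falls through to an interactive prompt.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes git, base64, tr on the agent.

# Build the header that authenticates a VSTS/Azure DevOps PAT: HTTP Basic with an
# empty username and the PAT as password, base64-encoded with no line wraps.
basic_auth_header() {
    pat=$1
    printf 'AUTHORIZATION: basic %s' "$(printf ':%s' "$pat" | base64 | tr -d '\n')"
}

# Build the URL-embedded form from the answer above. The username part is ignored
# by the service, so a fixed placeholder is used. The PAT is checked against the
# characters a PAT actually contains before it is placed in a URL; anything else
# is refused rather than silently producing a malformed remote.
push_url() {
    org=$1 project=$2 repo=$3 pat=$4
    case $pat in
        ''|*[!A-Za-z0-9]*)
            echo 'push_url: PAT must be non-empty and contain only [A-Za-z0-9]' >&2
            return 1 ;;
    esac
    printf 'https://pat:%s@%s.visualstudio.com/%s/_git/%s' "$pat" "$org" "$project" "$repo"
}

# Push using the header form. GIT_TERMINAL_PROMPT=0 makes git fail fast instead of
# prompting; GCM_INTERACTIVE=never does the same for Git Credential Manager for
# Windows if it is installed on the agent. Keeping the PAT out of the remote URL
# keeps it out of .git/config and out of the URL that git echoes in error output.
push_with_pat() {
    remote_url=$1 refspec=$2 pat=$3
    GIT_TERMINAL_PROMPT=0 GCM_INTERACTIVE=never \
        git -c "http.extraheader=$(basic_auth_header "$pat")" push "$remote_url" "$refspec"
}

# Usage from a build step (AZDO_PAT is a hypothetical secret variable name):
#   push_with_pat "https://my-org.visualstudio.com/MyProject/_git/myrepo" HEAD:master "$AZDO_PAT"
```

Note that a value passed with `git -c` is still visible in the process list on the agent while the push runs, as is a PAT embedded in the URL, so neither form protects the token from another process running as a user who can read that list; the header form only avoids persisting it in the repository's config.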
