Reputation: 947
Use Azure AD Managed Identity/Service Principal user in ADO to use ADO API
I was following this guide https://learn.microsoft.com/en-us/azure/devops/repos/git/create-pr-status-server-with-azure-functions?view=azure-devops to create a custom branch policy. The gist of the article is: when an ADO PR is created or updated, the following happens:
- ADO invokes an Azure Functions webhook
- Azure Functions execute some custom branch policy logic (e.g. adds custom status to the PR).
Azure functions use Personal Access Token to authenticate with ADO to post a custom status. Two things I don't like about this approach:
- PAT's max life span is 2 years. After 2 years you need to update your PAT token - easy to forget, extra effort to automate.
- PAT is issued by a user. I'd like to have a separate "system" user for the custom branch policy. I don't want to reuse an "alive" user (people tend to quit) nor I want to create a "fake" live user for this purpose (company's security policies implications).
So, I wonder if there is a way to use Azure Functions Managed Identity/Service Principal directly in ADO: give ADO permissions to the managed identity and use Azure AD token to authenticate user in ADO API.
I know that you can set up your ADO organization to user Azure AD users. This is how my organization is set up currently:
All "alive" users are shown but I don't see any Managed Identities/Service Principals. It looks like only users are synchronized with ADO.
Upvotes: 1
Views: 1323
Answers (2)
Reputation: 372
Using Managed Identity is possible now
With python, you can do something like this:
from azure.identity import DefaultAzureCredential
from msrest.authentication import BasicAuthentication
from azure.devops.connection import Connection
credentials = DefaultAzureCredential()
ADO_APP_CLIENT_ID = "499b84ac-1321-427f-aa17-267ca6975798/.default"
accessToken = credentials.get_token(ADO_APP_CLIENT_ID)
auth = BasicAuthentication("", accessToken.token)
azure_devops_connection = Connection(base_url="<ado org url>", creds=auth)
... do whatever you want
azure_devops_client = azure_devops_connection.clients.get_git_client()
using DefaultAzureCredential you can connect using managed identity, service principle, az cli and more see docs for available env var configuration.
Upvotes: 1
Related Questions
- Can I assign API permissions to User Assigned Managed Identities?
- Accessing Azure AD using a Managed Identity
- Run Azure devops pipeline as a azure AD user user
- How can I use Azure AD to authenticate for Azure .net API calls?
- Add an Azure AD user to a Azure DevOps project group using Azure Logic Apps
- Developer support with Managed Identity for Custom API in Azure AD
- Use Azure AD token to authenticate with Azure DevOps
- Can I add Managed Identity to my ADO pipeline?
- How to add Azure AD user to Azure DevOps organisation programmatically
- How to properly authorize Azure user account so that it can create a Service Principal?