Reputation: 67
I am using a Linux self-hosted VM agent with the relevant tools installed to run PowerShell and Az commands.
I would like to authenticate to Azure DevOps using the access token from the managed identity rather than using a personal access token. After authenticating, I would like to use the az devops and az repos commands to automatically control ADO.
Previously, I exported a variable `$env:AZURE_DEVOPS_EXT_PAT` and used my PAT token, which worked fine. However, when I use the same variable and point it to the access token variable for the MI, it fails...
This is my current command:
```powershell
$accessToken = az account get-access-token --resource $mi_client_id --query "accessToken" --output tsv
$env:AZURE_DEVOPS_EXT_PAT = $accessToken
```
I have also tried these variations.
```powershell
$accessToken = az account get-access-token --resource $mi_client_id --query "accessToken" --output tsv
# Note: Write-Host writes to the console, not to the pipeline, so nothing reaches az devops login on stdin here.
write-host $accessToken | az devops login --organization $ado_org_name
```
The error I get is:
```
Failed to authenticate using the supplied token.
```
I have also tried to solve this issue by setting `$accesstoken` to be a bearer token. It is still the same.
Another way I have attempted is to output the `$accesstoken` value to a txt file and run `get-content` before the `az devops login` pipe.
Following the details from here, this should be achievable in some way shape or form... Use Azure Active Directory service principals & managed identities
I know the ADO REST API can be used by putting the access token into a JSON header for authorisation. But this will not allow the az commands to work. How can I fix it?
Upvotes: 0
Views: 2720
Reputation: 460
Well, you know that already: I recommend testing the ADO REST API first and then going back to the CLI extension if needed.
They wrap all tokens as Basic authentication: azure-devops-cli-extension/azure-devops/azext_devops/dev/common
And other parts of the code with similar code constructs.
To authenticate OAuth tokens, you need to use a Bearer token that is (AFAIK) unsupported by the CLI extension: Authorize access to REST APIs with OAuth 2.0, 4. Use the access token
The quality of the extension's authentication parts is really low and the team developing the extension is unresponsive. Thus, I recommend creating a support ticket through the official paid channels.
Upvotes: 1
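As an added example (not code from the question or the answer), here is a PowerShell script that follows the answer's advice: obtain a managed-identity access token scoped to Azure DevOps and prove it works against the REST API with a Bearer header before spending time on the CLI extension. It assumes the agent has already run `az login --identity`; the organisation and project names are placeholders, and the Azure DevOps resource ID (the well-known application ID from the Microsoft page linked in the question) is supplied here rather than taken from the page.

```powershell
# Added example, not from the question or the answer.
# Assumptions (not on the page): the agent is already logged in with `az login --identity`;
# $Organization and $Project are placeholders you replace.

param(
    [string]$Organization = 'PLACEHOLDER-ORG',
    [string]$Project      = 'PLACEHOLDER-PROJECT'
)
$ErrorActionPreference = 'Stop'

# The token has to be issued for the Azure DevOps resource, not for the managed
# identity's own client ID. This GUID is the well-known Azure DevOps application
# ID (assumed here; it does not appear on the page).
$adoResourceId = '499b84ac-1321-427f-aa17-267ca6975798'
$accessToken = az account get-access-token --resource $adoResourceId --query "accessToken" --output tsv
if ([string]::IsNullOrWhiteSpace($accessToken)) {
    throw 'az returned no access token; confirm the agent is logged in as the managed identity.'
}

# AAD/OAuth access tokens are sent as a Bearer header. The CLI extension instead
# wraps AZURE_DEVOPS_EXT_PAT as Basic auth, which is why the answer says to test
# the REST API directly.
$bearerHeaders = @{ Authorization = "Bearer $accessToken" }

# Check 1: connectionData echoes back the identity Azure DevOps authenticated.
$whoAmI = Invoke-RestMethod -Method Get -Headers $bearerHeaders `
    -Uri "https://dev.azure.com/$Organization/_apis/connectionData"
"Authenticated as: $($whoAmI.authenticatedUser.providerDisplayName)"

# Check 2: list the project's repositories, the same data `az repos list` returns.
$repos = Invoke-RestMethod -Method Get -Headers $bearerHeaders `
    -Uri "https://dev.azure.com/$Organization/$Project/_apis/git/repositories?api-version=7.0"
$repos.value | Select-Object name, defaultBranch, webUrl | Format-Table -AutoSize
```

If check 1 returns the managed identity's display name, the token itself is fine and any remaining failure lies in how the CLI extension presents it. If `az account get-access-token` succeeds but check 1 is rejected, compare the `--resource` value first: a token requested for the identity's own client ID, as in the question's command, carries the wrong audience for Azure DevOps.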