ERROR: The requested resource requires user authentication: https://dev.azure.com/my_org/my_project/_apis/git/repositories - azure-devops

I am logging into az cli using correct token:
echo my_pat | az devops login
But I see the following error while getting the existing repositories in a project:
az repos list --org {ado_org_url} --project {ado_project} --query '[*].name'
ERROR: The requested resource requires user authentication: https://dev.azure.com/my_org/my_project/_apis/git/repositories
Am I missing any settings while setting up my pat? How can I get rid of this error?

You don't want to use az devops login if you have already set an AZURE_DEVOPS_EXT_PAT environment variable. If you have not set an AZURE_DEVOPS_EXT_PAT environment variable, set it first and then run your CLI task.
The az devops commands now enable sign-in with az login, you don't need to give a token if you've already signed in with az login interactively or with a username and password. However, you can't use az login to log in as the service principal. A PAT is required in that case.
If you still need to log in by using az devops login, it requires user authentication. For that, you have to log in using a service principal:
"user": {
"name": "***",
"type": "servicePrincipal"
}
References
How to securely login in Az CLI from a DevOps Pipeline
Fix ERROR: The requested resource requires User Authentication
MSDOC for Azure DevOps CLI sign in with a PAT

Related

Azure Databricks API, cannot add repos using service principal and API calls

I need to add Azure DevOps repos to azure databricks repo by using databricks API at this link. I am using a service principal credentials for this. The service principal is already added as admin user to databricks. With my service principal I can get the list of repos and even delete them. But when I want to add a repo to a folder, it raises the following error:
{
"error_code": "PERMISSION_DENIED",
"message": "Missing Git provider credentials. Go to User Settings > Git Integration to add your personal access token."
}
I am not using my own credentials to use a PAT token, instead I am getting a bearer token by sending request to https://login.microsoftonline.com/directory-id/oauth2/token and use it to authenticate. This works for get repos, delete repos and get repos/repo-id. Just for creating a repo (adding repo by using post method to /repos) it is failing.
If I still use a PAT instead of bearer token, I get the following error:
{
"error_code": "PERMISSION_DENIED",
"message": "Azure Active Directory credentials missing. Ensure you are either logged in with your Azure
Active Directory account or have setup an Azure DevOps personal access token (PAT) in User Settings > Git Integration.
If you are not using a PAT and are using Azure DevOps with the Repos API, you must use an AAD access token. See https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/app-aad-token for steps to acquire an AAD access token."
}
I am using postman to construct the requests. To generate the error I am getting I am using the following:
method: post
url-endpoint: https://adb-databricksid.azuredatabricks.net/api/2.0/repos
body:
url: azure-devops-repo
provider: azureDevOpsServices
path: /Repos/folder-name/testrepo
header:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbG... (Construct it by appending the bearer token to the keyword "Bearer")
X-Databricks-Azure-SP-Management-Token: management token (get it like bearer token by using resource https://management.core.windows.net/)
X-Databricks-Azure-Workspace-Resource-Id: /subscriptions/azure-subscription-id/resourceGroups/resourcegroup-name/providers/Microsoft.Databricks/workspaces/workspace-name
Please note that I have used exactly same method of authentication for even creating clusters and jobs and deleting repos. Just for adding and updating repos it is failing. I'd like to know how I can resolve the error PERMISSION_DENIED mentioned above.
To make a service principal work with Databricks Repos, you need the following:
Create an Azure DevOps personal access token (PAT) for it - Azure DevOps Git repositories don't support service principal authentication via AAD tokens (see documentation). (The service connection for the SP that you configured is used for connecting to other Azure services, not to DevOps itself.)
That PAT needs to be put into the Databricks workspace using the Git Credentials API - this should be done when configuring for the first time or when the token has expired. When using this API you need to use the AAD token of the service principal. (By the way, it can be done via Terraform as well.)
After it's done, you can use Databricks Repos APIs or databricks-cli to perform operations with Repos - create/update/delete them. (see previous answer on updating the repo)
Have you set up the git credentials using this endpoint before creating the repo through the API?
https://docs.databricks.com/dev-tools/api/latest/gitcredentials.html#section/Authentication
If you do not set this up first, you can get the error when trying to create a repo.
Listing and deleting a repo only require valid authentication to Databricks (bearer token or PAT) and don't require valid git credentials.
When trying to create a repo, you need authorization on the target repository, which is on Azure DevOps in your case.
So you need to call the git-credentials endpoint (it's the same syntax on AWS and Azure) to create it.
Once your git credentials are up to date, the creation of the repo should work as intended.
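The order both answers describe, as an added example (not code from the original posts): store the Azure DevOps PAT through the Git Credentials API using the service principal's AAD token, replacing a stored credential if one already exists, and only then create the repo. The helper names and the environment variable names are assumptions made for this sketch; the headers, provider value and /repos body are the ones shown in the question.

```python
import json
import os
import urllib.request

PROVIDER = "azureDevOpsServices"  # provider value from the question's request body


def sp_headers(aad_token, mgmt_token, workspace_resource_id):
    """Service principal headers, as listed in the question."""
    return {
        "Authorization": f"Bearer {aad_token}",
        "X-Databricks-Azure-SP-Management-Token": mgmt_token,
        "X-Databricks-Azure-Workspace-Resource-Id": workspace_resource_id,
        "Content-Type": "application/json",
    }


def http_sender(host, headers):
    """Return send(method, path, body) bound to one workspace host."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"https://{host}{path}", data=data,
                                     headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def ensure_git_credential(send, devops_pat, git_username):
    """Store the Azure DevOps PAT; replace the stored one if it already exists."""
    body = {"personal_access_token": devops_pat, "git_username": git_username,
            "git_provider": PROVIDER}
    for cred in send("GET", "/api/2.0/git-credentials").get("credentials", []):
        if cred.get("git_provider", "").lower() == PROVIDER.lower():
            send("PATCH", f"/api/2.0/git-credentials/{cred['credential_id']}", body)
            return cred["credential_id"]
    return send("POST", "/api/2.0/git-credentials", body)["credential_id"]


def create_repo(send, repo_url, path):
    """Same request as in the question; works once the credential is stored."""
    return send("POST", "/api/2.0/repos",
                {"url": repo_url, "provider": PROVIDER, "path": path})


if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; secrets stay out of source
    send = http_sender(env["DATABRICKS_HOST"], sp_headers(
        env["AAD_TOKEN"], env["MGMT_TOKEN"], env["WORKSPACE_RESOURCE_ID"]))
    ensure_git_credential(send, env["AZDO_PAT"], env["AZDO_USER"])
    print(create_repo(send, env["REPO_URL"], env["REPO_PATH"]))
```

Passing `send` in as a parameter keeps the PAT handling testable without network access; the PAT is never printed or logged.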

Azure devops cli : az devops security group membership list

I am trying to use az devops security group membership list --id descriptor.
When I am using this cli I am getting the below error for one of my descriptor:
ERROR: TF400049: The request was aborted because it contained too many requested items 800, maximum allowed is 500.
I checked for a continuation token as well, but it seems like this CLI does not support the continuation token.
According to the document az devops security group membership list:
Optional Parameters:
--detect
--org --organization
--relationship
--subscription
--debug
--help -h
--only-show-errors
--output -o
--query
--verbose
There is no such parameter to allow us to list all the users. You could add a user voice request on GitHub: https://github.com/Azure/azure-cli.
Or you could try to use the REST API with continuation token to get all the users:
Memberships - List
You should be able to use a JMESQuery with --query to selectively get the results.

AzureCliCredential giving error, Please run 'az login' to set up account

I am using ChainedTokenCredential and trying to get a managed identity token in a local debug environment using Visual Studio 2019. In Windows Terminal I have already logged in using Azure CLI az login.
var credential = new ChainedTokenCredential(
    new ManagedIdentityCredential(),
    new AzureCliCredential());
var token = await credential.GetTokenAsync(new TokenRequestContext(new[] { _configuration.GetSection("scope").Value }));
When I am running code in debug I am seeing below error,
The ChainedTokenCredential failed to retrieve a token from the included credentials.
ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
Please run 'az login' to set up account
Where do I need to run az login? Thanks.
Execute az logout first, then run az login again. I also suggest setting the default subscription by executing az account set -s "Subscription ID"

Getting Azure Devops NPM feed Authentication Token from CLI

I am using azure devops to host an authenticated NPM feed. I would like to generate a token to access that feed using the CLI. The instructions on azure devops involve going through the web interface to generate a personal access token (PAT), then base64-ing that token, and adding it to the .npmrc. If I do that, I'm able to run npm install against that feed without issue.
In the CLI, I've tried using az account get-access-token, grabbing that token, and encoding it. But that seems to fail, and I guess that makes sense because it is a token for azure itself, not azure devops.
Does anyone have any guidance on how this could be done? Am I stuck doing it manually?
az account get-access-token gets a token for utilities to access Azure.
It's not for Azure DevOps.
We also have the az devops CLI command, but we are not able to get/create a token through it, nor through the REST API.
You'll have to manually create the PAT from the web interface in your Azure DevOps organization.

TF400813: Azure DevOps is not authorized

az devops login --organization https://dev.azure.com/XXXX
token
able to login
AZ Login - Successfully connected to Azure
Try to run
az devops project list
TF400813: The user '1a6dbb80-5290-4fd1-a938-0ad7795dfd7a\xx.yyyy#abc.com' is not authorized to access this resource.
I have full access to this organisation, but I am still not able to access it.
Here's a similar thread: TF400813: The user 'Guid\FirstName#c.com' is not authorized to access this resource
Please make sure the organization is connected to AAD and your account is one of the users in this AAD.
Also try to use a Microsoft email address instead of XXXX#abc.com to see if you can get authorized.