Externally trigger an Azure DevOps Build using a Service Principal account - azure-devops

Is it possible to have a service principal account trigger a build pipeline? I have a CMS that, whenever a document is published, fires off an event/webhook that calls an Azure Function. The function then calls Azure DevOps using the API to trigger the correct build pipeline. Up until now we have relied on personal access tokens (PAT) from a "lucky" team member, but obviously that isn't an ideal solution. If the PAT expires or the team member leaves, our pipeline breaks down. I was hoping to use the PAT Lifecycle Management API* to generate a PAT on the fly, but as the documentation states: "'On-behalf-of application' solutions (such as the 'client credential' flow) and any authentication flow that does not issue an Azure AD access token is not valid for use with this API".
This seems like a fairly common scenario, having an external dependency kicking off a build pipeline, so how should I go about doing this without using person-dependent tokens?
* https://learn.microsoft.com/nb-no/azure/devops/organizations/accounts/manage-personal-access-tokens-via-api?view=azure-devops

I am afraid it is impossible to use the REST API to trigger an Azure DevOps Build using a Service Principal account.
That's because the Azure DevOps API doesn't support non-interactive service access via service principals.
You could get the info from the document Choose the right authentication mechanism:
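As an added illustration of the PAT-based call the question describes (this is example code, not code from the question or the answer), here is the Azure Function side of the trigger in Python, using the Pipelines Runs REST API. It assumes the organization, project, pipeline id and branch are configuration values and that the PAT is read from an app setting named AZDO_PAT (which can be backed by a Key Vault reference) rather than embedded in code.

```python
import base64
import json
import os
import urllib.request

API_VERSION = "7.0"  # assumed; any current api-version of the Runs API works


def basic_auth_header(pat: str) -> str:
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name."""
    token = base64.b64encode(f":{pat}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def build_run_request(org: str, project: str, pipeline_id: int, branch: str, pat: str):
    """Return (url, headers, body) for POST .../_apis/pipelines/{id}/runs."""
    if not pat:
        raise ValueError("PAT is empty: check the AZDO_PAT app setting / Key Vault reference")
    url = (f"https://dev.azure.com/{org}/{project}/_apis/pipelines/"
           f"{pipeline_id}/runs?api-version={API_VERSION}")
    headers = {
        "Authorization": basic_auth_header(pat),
        "Content-Type": "application/json",
    }
    # Pin the run to an explicit branch so the CMS webhook payload cannot
    # steer the build to an arbitrary ref.
    body = {"resources": {"repositories": {"self": {"refName": f"refs/heads/{branch}"}}}}
    return url, headers, json.dumps(body).encode("utf-8")


def trigger_run(org: str, project: str, pipeline_id: int, branch: str = "main") -> int:
    """Called from the Azure Function handler; returns the new run id."""
    pat = os.environ.get("AZDO_PAT", "")  # assumed app setting name
    url, headers, body = build_run_request(org, project, pipeline_id, branch, pat)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises on 401/403
        return json.load(resp)["id"]
```

A PAT used this way should carry only the Build (read & execute) scope and its expiry should be tracked, since it remains tied to the user who created it.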

Related

Security recommendations around granting 'Sites.FullControl' permission to Azure pipeline (Service connection object)

I am implementing a CI/CD pipeline that needs to register an AAD Application with permissions to read/write into site collections; this would mean that the pipeline itself needs to have the 'Sites.FullControl.All' permission. I want to understand, from the security perspective, whether this is desirable, i.e., a pipeline having FullControl access to a SharePoint tenant. What are the recommended practices w.r.t. this? Will the application registration in such scenarios be manually done by the Ops team?
According to your description, it seems that you want to use the service connection in the Azure CI/CD pipeline.
We can create a service connection with Service principal (automatic) or Service principal (manual).
Use the following parameters to define and secure a connection to a Microsoft Azure subscription using Service Principal Authentication (SPA) or an Azure managed Service Identity.
Automated subscription detection. In this mode, Azure Pipelines queries Azure for all of the subscriptions and instances to which you have access. They use the credentials you're currently signed in with in Azure Pipelines (including Microsoft accounts and School or Work accounts).
If you don't see the subscription you want to use, sign out of Azure Pipelines and sign in again using the appropriate account credentials.
Manual subscription pipeline. In this mode, you must specify the service principal you want to use to connect to Azure. The service principal specifies the resources and the access levels that are available over the connection.
For more information, you could refer to Azure Resource Manager service connection.

Service Principal for Devops Artifact Feeds

We use a DevOps artifact feed to store our packed/shaded Java binaries inside a private project. Now we would like to allow access to certain artifacts for externals.
We will promote these artifacts to a custom view (#public-releases) and want to allow access to this view for certain customers only (s.t. they can use it in their automation).
Is it possible to have some kind of service-account/service-principal to assign read-permissions in devops?
I know it works the other way round (give DevOps access to Azure resources via service connections), but now I want to permit access to DevOps feeds.
How would I create such a user? We have Azure AD connected, so maybe that is an option?
Is it possible to have some kind of service-account/service-principal to assign read-permissions in devops?
No, no such design.
The Azure Active Directory service principal concept cannot be managed as an account on the DevOps side (DevOps doesn't have such an account type, only internal service principals, no AAD service principals).
As you know, a service principal of AAD can manage access to services in the Azure portal. This is the usual usage. Another usage is to Authenticate with Azure Active Directory (Azure AD) tokens; this approach can be used to manage PATs of DevOps, but anyway you end up needing to access the feed based on a legitimate account under the DevOps concept.

Grant Access to Azure Databricks using Azure Devops

I am fairly new to Azure Devops and Azure Databricks.
I have created Azure Databricks workspace using Azure Devops CI/CD Pipeline.
Now I am looking for a solution to Add Users to Azure Databricks workspace using DevOps Pipeline.
There are several methods:
Use the databricks_user resource from the Databricks Terraform provider - it could be as simple as the example below, or you can combine it with the azuread provider and pull users from Azure Active Directory. Another advantage of the Terraform provider is that you can combine it with user groups, and other things.
resource "databricks_user" "me" {
  user_name = "me@example.com"
}
Use the Databricks SCIM API for Users (part of the general SCIM API) - creation is quite straightforward, you just need to form the correct JSON as described in the docs (I didn't want to copy the JSON from there), and do a call with curl or something like that.
Also, there is a collection of PowerShell scripts developed by the DataThirst company that includes scripts for adding & removing users, etc. These scripts use the REST API under the hood and could be simpler than using the REST API directly. Some of these tasks are also available on the DevOps marketplace.
In any case, you need to authenticate to the workspace. For automated pipelines you have two choices - service principals or the managed identity associated with the DevOps worker - and they should have Owner or Contributor permissions on the workspace level, or be added into the workspace as admin users.
For the REST API, authentication of a service principal is described in detail in the documentation; for managed identity you just get the token from the internal REST API.
The Databricks Terraform provider also supports both service principals and managed identity.
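The SCIM route from the answer, as an added example in Python that is not part of the answer: a service principal obtains an Azure AD token with the client-credentials flow, then posts a SCIM user to the workspace. The workspace URL, tenant, client id and secret are assumed configuration; the Azure Databricks resource application ID used as the token scope is the value documented by Databricks and should be verified against the current docs.

```python
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Azure Databricks resource application ID (documented by Databricks; assumed here)
DATABRICKS_RESOURCE = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"


def scim_user_payload(user_name: str, display_name: Optional[str] = None,
                      entitlements: Tuple[str, ...] = ()) -> dict:
    """Build the SCIM user JSON; SCIM userName must be the user's email."""
    if "@" not in user_name:
        raise ValueError(f"userName must be an email address: {user_name!r}")
    payload = {"schemas": [SCIM_USER_SCHEMA], "userName": user_name}
    if display_name:
        payload["displayName"] = display_name
    if entitlements:
        # e.g. ("allow-cluster-create",); grant only what the user needs
        payload["entitlements"] = [{"value": e} for e in entitlements]
    return payload


def client_credentials_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Service-principal login against Azure AD for the Databricks resource."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{DATABRICKS_RESOURCE}/.default",
    }).encode("ascii")
    with urllib.request.urlopen(url, data=form, timeout=30) as resp:
        return json.load(resp)["access_token"]


def add_user(workspace_url: str, token: str, payload: dict) -> dict:
    """POST the user to the workspace SCIM endpoint (HTTP 409 means it already exists)."""
    req = urllib.request.Request(
        f"{workspace_url}/api/2.0/preview/scim/v2/Users",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

The service principal calling add_user must itself be a workspace admin (or hold Owner/Contributor on the workspace resource), as the answer notes.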

Acquire AAD token for Azure backend services using azure-devops-extension-api

I'm developing an extension that runs within a work item.
Is there a way I can acquire an AAD token for the currently logged-in user, which can be used to authenticate to an AAD-protected backend service like Azure App Service/Key Vault etc.?
I'm afraid you can't do that directly. Azure DevOps Service and Azure are not the same thing.
We can use the VSS SDK and azure-devops-extension-api to get Azure DevOps related info (access token for Azure DevOps Service, org info, project info, user info), but we can't get an AAD token using these APIs because they are for Azure DevOps Service.

Azure DevOps Rest API - how to select Azure Active Directory Tenant for OAuth flow

Looking at "Authorize access to REST APIs with OAuth 2.0" at https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
An Azure DevOps organization is connected to an Azure Active Directory tenant -> let's call it 'devops-ad-tenant'.
A user has an Active Directory Home Tenant -> let's call it 'user-ad-home-tenant'.
A user can be a guest user within another Active Directory Tenant -> let's call it 'user-ad-guest-tenant'.
If the 'devops-ad-tenant' is equal to the 'user-ad-home-tenant', everything works out fine.
If the 'devops-ad-tenant' is equal to the 'user-ad-guest-tenant', the OAuth flow succeeds, but the flow happens within the context of the 'user-ad-home-tenant', and this user is, from an Azure DevOps perspective, not the user from 'user-ad-guest-tenant'.
I am having trouble using something like a "domain_hint" when initiating the OAuth flow.
Any thoughts?
This behavior, where the token obtained is for the home directory, is by design, since the customer may be a guest in multiple Azure Active Directories. And as the document you shared on Azure DevOps OAuth authentication states, currently there is no option to choose which directory the acquired token is used for.
If you want Azure DevOps to support this feature, you can submit feedback on the Developer Community - Azure DevOps.
I managed to get along with a workaround...
My application uses an Azure AD multi-tenant app registration for authentication.
When the user logs in at my application, the OAuth flow for Azure DevOps is started.
To set the Azure AD tenant for the OAuth flow for the Azure DevOps organization:
Use a clean browser session, no cookies etc.
Log into https://aex.dev.azure.com and select the Azure AD tenant 'user-ad-guest-tenant' for the Azure DevOps organization.
Duplicate that tab.
Enter the URL for my application.
The OAuth flow happens within the context of 'user-ad-guest-tenant'.
This is really inconvenient... but a workaround... besides, I am still investigating why this is working...