I am using azure devops to host an authenticated NPM feed. I would like to generate a token to access that feed using the CLI. The instructions on azure devops involve going through the web interface to generate a personal access token (PAT), then base64-ing that token, and adding it to the .npmrc. If I do that, I'm able to run npm install against that feed without issue.
In the CLI, I've tried using az account get-access-token, grabbing that token, and encoding it. But that seems to fail, and I guess that makes sense because it is a token for azure itself, not azure devops.
Does anyone have any guidance on how this could be done? Am I stuck doing it manually?
az account get-access-token get a token for utilities to access Azure.
It's not Azure DevOps.
We also have an az devops CLI command. But we could not be able to get/create a token through this. Neither does Rest API.
You'll have to manually create the PAT token from web interface in your Azure DevOps Organization.
Related
I have an Azure DevOps server on-premises and I have written a small application that simply queries its API to get information from the Azure server. There is no authentication at the user level, since the application only displays information and does not POST/PUT/DELETE.
To query the API, I have used my PAT (personal access token), but this is not ideal. I have read that on the cloud version of Azure, you can just register the application to do it, but I have not found the same functionality for the on-premises version.
Am I missing something? Is the only alternative creating a technical user on the LDAP and get a PAT for it?
Is the only alternative creating a technical user on the LDAP and get
a PAT for it?
Yes, you are right.
Authorize access to REST APIs with OAuth 2.0
So 'App auth' is only supported in Azure DevOps Services (VSTS), not supported in Azure DevOps server (TFS).
I need to add Azure DevOps repos to azure databricks repo by using databricks API at this link. I am using a service principal credentials for this. The service principal is already added as admin user to databricks. With my service principal I can get the list of repos and even delete them. But when I want to add a repo to a folder, it raises the following error:
{
"error_code": "PERMISSION_DENIED",
"message": "Missing Git provider credentials. Go to User Settings > Git Integration to add your personal access token."
}
I am not using my own credentials to use a PAT token, instead I am getting a bearer token by sending request to https://login.microsoftonline.com/directory-id/oauth2/token and use it to authenticate. This works for get repos, delete repos and get repos/repo-id. Just for creating a repo (adding repo by using post method to /repos) it is failing.
If I still use a PAT instead of bearer token, I get the following error:
{
"error_code": "PERMISSION_DENIED",
"message": "Azure Active Directory credentials missing. Ensure you are either logged in with your Azure
Active Directory account or have setup an Azure DevOps personal access token (PAT) in User Settings > Git Integration.
If you are not using a PAT and are using Azure DevOps with the Repos API, you must use an AAD access token. See https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/app-aad-token for steps to acquire an AAD access token."
}
I am using postman to construct the requests. To generate the error I am getting I am using the following:
method: post
url-endpoint: https://adb-databricksid.azuredatabricks.net/api/2.0/repos
body:
url: azure-devops-repo
provider: azureDevOpsServices
path: /Repos/folder-name/testrepo
header:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbG... (Construct it by appending bearer token to key wor "Bearer")
X-Databricks-Azure-SP-Management-Token: management token (get it like bearer token by using resource https://management.core.windows.net/)
X-Databricks-Azure-Workspace-Resource-Id: /subscriptions/azure-subscription-id/resourceGroups/resourcegroup-name/providers/Microsoft.Databricks/workspaces/workspace-name
Here the screen shot of the postman:
Please note that I have used exactly same method of authentication for even creating clusters and jobs and deleting repos. Just for adding and updating repos it is failing. I'd like to know how I can resolve the error PERMISSION_DENIED mentioned above.
To make service principal working with Databricks Repos you need following:
Create an Azure DevOps personal access token (PAT) for it - Azure DevOps Git repositories don't support service principals authentication via AAD tokens (see documentation). (The service connection for SP that you configured is used for connection to other Azure services, not to the DevOps itself).
That PAT needs to be put into Databricks workspace using Git Credentials API - it should be done when configuring first time or when token is expired. When using this API you need to use AAD token of the service principal. (btw, it could be done via Terraform as well)
After it's done, you can use Databricks Repos APIs or databricks-cli to perform operations with Repos - create/update/delete them. (see previous answer on updating the repo)
Have you setup the git credentials using this endpoint before creating the repo through the API ?
https://docs.databricks.com/dev-tools/api/latest/gitcredentials.html#section/Authentication
If you do not setup this first, you can get the error when trying to create a repo.
Listing & deleting a repo only require a valid authentication to Databricks (Bearer token or PAT) and doesn't require valid git credentials.
When trying to create a repo, you need authorizations on the target repository that is on Azure Devops in your case.
So you need to call the git-credentials endpoint (it's the same syntax on AWS and Azure) to create it.
Once your git credentials up-to-date, the creation of the repo should work as intended.
Is it possible to have a service principal account trigger a build pipeline? I have a CMS that whenever a document is published it fires of an event/webhook that's calls an Azure Function. The function then calls Azure DevOps using the API to trigger the correct build pipeline. Up until now we have relied on personal access tokens (PAT) from a "lucky" team member, but obviously that isn't an ideal solution. If the PAT expires or the team member leaves our pipeline breaks down. I was hoping to use the PAT Lifecycle Management API* to generate a PAT on the fly, but as the documentation states; "On-behalf-of application" solutions (such as the “client credential” flow) and any authentication flow that does not issue an Azure AD access token is not valid for use with this API".
This seems like a fairly common scenario, having an external dependency kicking of a build pipleline, so how should I go about doing this without using person-dependent tokens?
https://learn.microsoft.com/nb-no/azure/devops/organizations/accounts/manage-personal-access-tokens-via-api?view=azure-devops
Externally trigger an Azure DevOps Build using a Sevice Principal account
I am afraid it it impossible to use REST API to trigger an Azure DevOps Build using a Sevice Principal account.
That because the Azure DevOps API doesn't support non-interactive service access via service principals.
You could get the info from the document Choose the right authentication mechanism:
I'm developing an extension that runs within a work item.
Is there a way I can acquire an AAD token for the current logged in user, which can be used to authenticate to an AAD protected backend service like Azure App Service/Key Vault etc?
I'm afraid you can't do that directly. Azure Devops Service and Azure are not the same things.
We can use VSS SDK and azure-devops-extension-api to get Azure-devops related info(AccessToken for Azure Devops Service,Org info, Project info, User info), but we can't get AAD token using these related api cause these apis are for Azure Devops Service.
The Azure CLI with the Azure DevOps extension has replaced the VSTS CLI. But I can't find any sample on how to connect to Team Foundation Server (TFS) or Azure DevOps Server using Azure CLI with Azure DevOps extension.
I tried to create a PAT on my Azure DevOps Server with all scope permission. Then I use the following command to login:
az devops login --organization https://vm-dev-cgudevops/DefaultCollection --verbose
Here is what I've got:
C:\>az devops login --organization https://vm-dev-cgudevops/DefaultCollection --verbose
Token:
Creating connection with personal access token.
Failed to authenticate using the supplied token.
Suppress exception There are no active accounts.
Suppress exception Please run 'az login' to setup account.
command ran in 25.138 seconds.
The token can't be wrong. I don't know what's going on.
At present Azure DevOps CLI is not supported for Azure DevOps server. This is fundamentally due to API versioning as Azure DevOps Server runs on a particular version but the CLI client consistently updates to the latest version. Therefore, ideally if you are using the latest version of Azure DevOps Server, then the CLI should work for you as both are using the same API versions.
Have a look at the docs available at - https://learn.microsoft.com/en-us/azure/devops/cli/index?view=azure-devops
Azure Cli support login your private TFS currently, see: https://learn.microsoft.com/en-us/azure/devops/cli/log-in-via-pat?view=azure-devops&tabs=windows
Create PAT
Login with PAT, eg. cat PAT.txt|az devops login --organization http://your_tfs_url
There is an extension in Azure DevOps that let's you mange the Azure DevOps from Azure CLI.
As mentioned in the extension you have to :
Install the Azure CLI. You must have at least v2.0.49, which you can
verify with az --version command.
Add the Azure DevOps Extension az extension add --name azure-devops
Run the az login command.
You can also find a sample for it here.
Read this article if you need more information about how to get started with it.
Add /tfs/DefaultCollection to URL. That did the trick for me.