Azure Artifacts Credential Provider Setup and Configuration Guide

To set up Azure Artifacts Credential Provider, you'll need to create a service principal in Azure Active Directory. This service principal will be used to authenticate with Azure Artifacts.

The service principal needs to have the necessary permissions to access Azure Artifacts. By default, the service principal will have the "Contributor" role, which grants it the necessary permissions.

You can configure Azure Artifacts Credential Provider to use a custom service principal or the default one. If you choose to use a custom service principal, you'll need to specify its client ID and client secret.

Azure Artifacts Credential Provider can be configured to use a managed identity, which eliminates the need for a client secret. This is a more secure option, especially if you're using Azure DevOps.

Curious to learn more? Check out: Default Azure Credential

To use the Azure Artifact Credential Provider, you'll need to add it to NuGet's plugin search path. This involves adding the provider to the plugin search path, which can be done manually or scripted.

Discover more: Identity Provider Azure

The Azure Artifact Credential Provider requires the netcore version of dotnet to be installed, as well as the netfx version of NuGet and MSBuild. This is a straightforward setup process that will get you started with using the provider.

If you're using Cargo, you'll need to set up a credential provider to use Azure Artifacts. This involves configuring a default credential helper for the current user, which can be done using the provided settings.

A fresh viewpoint: Provider Azure

To set up the Azure Artifact Credential Provider, you'll need to add it to NuGet's plugin search path.

You can do this using either manual or scripted instructions.

Make sure you have the netcore version of dotnet installed.

NuGet and MSBuild also require the netfx version to be installed.

This is a crucial step to ensure everything works smoothly.

When setting up Azure DevOps Pipelines, it's essential to use the NuGet Authenticate task before running NuGet, dotnet, or MSBuild commands that need authentication.

To ensure smooth execution, consider the order of tasks in your pipeline. Use the NuGet Authenticate task to authenticate your NuGet feed before running NuGet commands.

In Azure DevOps Pipelines, the NuGet Authenticate task is a crucial step to ensure secure access to your NuGet feed.

You can use the Azure Artifacts credential provider as an alternative to authenticating with Azure DevOps. This option is primarily geared toward running on build agents you host yourself, but you can possibly get it working on hosted agents.

The credential provider executable is available for download from the latest release. Make sure you get the version that will run on your build agent, not your development machine.

To use the credential provider, follow these steps:

The credential provider will use the environment variable $(System.AccessToken) for authentication. This is a predefined system variable in Azure DevOps build pipelines.

A unique perspective: Azure Devops Ticketing

You can use the Azure Artifacts Credential Provider with Azure DevOps Pipelines by running the NuGet Authenticate task before running NuGet, dotnet or MSBuild commands that need authentication.

To install the provider, you can define an environment variable, VSS_NUGET_EXTERNAL_FEED_ENDPOINTS, which is a JSON array of endpoints and their credentials. The access token should be a PAT for an Azure account that has permission to read and write to the feed.

See what others are reading: Azure Resource Providers

In some situations, it's sufficient to set the VSS_NUGET_EXTERNAL_FEED_ENDPOINTS variable on the local machine, but this won't work when using GitHub Action runners. Instead, you can pass the VSS variable directly to the credential provider through the workflow.

To do this, create an encrypted secret in your repository containing the Azure PAT and add the VSS_NUGET_EXTERNAL_FEED_ENDPOINTS variable to the workflow, replacing the password with a reference to the GitHub secret.

Here are the steps to follow:

If you're using a self-hosted machine, the runner service won't have access to environment variables, but can read cached credentials, which can cause strange behavior.

The Credential Provider accepts a set of environment variables, but not all of them are recommended for use in production.

Two environment variables are considered safe: NUGET_CREDENTIALPROVIDER_SESSIONTOKENCACHE_ENABLED and VSS_NUGET_EXTERNAL_FEED_ENDPOINTS.

NUGET_CREDENTIALPROVIDER_SESSIONTOKENCACHE_ENABLED controls whether or not the session token is saved to disk. If false, the Credential Provider will prompt for auth every time.

VSS_NUGET_EXTERNAL_FEED_ENDPOINTS is a Json that contains an array of service endpoints, usernames, and access tokens to authenticate endpoints in nuget.config.

Here are the details of the VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variable:

ARTIFACTS_CREDENTIALPROVIDER_FEED_ENDPOINTS is another Json that contains an array of endpoints, usernames, and azure service principal information needed to authenticate to Azure Artifacts feed endponts.

Here are the details of the ARTIFACTS_CREDENTIALPROVIDER_FEED_ENDPOINTS environment variable:

Troubleshooting and Error Handling can be a real challenge, especially when working with the Azure Artifacts Credential Provider.

To get better error logs from the cred provider, try running the nuget.exe or dotnet command with detailed verbosity. This can give you more cred provider logs that may help with debugging.

One key command to remember is nuget.exe -verbosity detailed. Using this command can provide you with more detailed logs.

The dotnet command also has a verbosity option, which can be used to get more cred provider logs. Simply run dotnet --verbosity detailed to see the additional logs.

Running these commands can help you identify and fix issues with the Azure Artifacts Credential Provider.

Recommended read: Azure Devops Pipeline Publish Artifacts

We're planning to release version 2.0.0 of the Azure Artifacts Credential Provider in Q1 2025.

This release will end support for various .NET versions that have reached their end of support, specifically .NET Framework 4.6.1 and .NET Core 3.1. They will be replaced with .NET Framework 4.8.1 and .NET 6/8 respectively.

The new version will allow users to migrate their usage of the tool to the new .NET versions.

Here are the .NET versions that will be replaced:

Note that .NET 6 will reach its end of support on November 12, 2024, and will be replaced with .NET 8 after the release of v2.0.0.

Release Version 2.0.0 will be the next major version of artifacts-credprovider, containing changes that end support for various .NET versions that have reached their end of support.

It's planned for release in Q1 2025 to allow users to migrate their usage of the tool to the new .NET versions.

A different take: Git Credential Support Azure Git

The following .NET versions will be replaced:

.NET Framework 4.6.1, which reached its end of support on April 26, 2022, will be replaced with .NET Framework 4.8.1.

.NET Core 3.1, which reached its end of support on December 13, 2022, will be replaced with .NET 6/8.

Here's a summary of the replaced .NET versions:

After v2.0.0 is released, a minor version of artifacts-credprovider will be published to deprecate .NET 6 compatible binaries.

To restore and push NuGet packages, you can use the NuGetAuthenticate task without specifying any inputs if all Azure Artifacts feeds are in the same organization as your pipeline.

If your project scoped feeds are in a different project than where the pipeline is running, you must manually give the project and the feed access to the pipeline's project's build service.

You can use a service connection by specifying it in the nuGetServiceConnections input for the NuGet Authenticate task.

Reference the service connection with -ApiKey AzureArtifacts in a task.

Readers also liked: Azure Kubernetes Service vs Azure Container Apps

The Azure Artifacts Credential Provider is a viable option for authenticating with NuGet feeds. You can download the latest release of the credential provider, which should be compatible with your build agent, not your development machine.

To use the credential provider, you'll need to extract the self-contained executable version from the archive you downloaded. This executable should be placed in a separate build folder within your source code.

As part of your build pipeline, you'll need to configure the VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variable. Specifically, you'll need to use the $(System.AccessToken) variable, which is a predefined system variable in Azure DevOps build pipelines.

Here are the general steps to follow:

Keep in mind that the username "vsts" isn't special; it can be any value you want, and the endpoint won't actually check it.