To set up token-based access for Azure Git along the application route, you first register an application in Microsoft Entra ID (formerly Azure Active Directory, AAD). The registration is what allows an application, rather than an interactive user, to authenticate to Azure services and to Azure DevOps.
A service principal is the identity that registration gets inside your tenant. Azure role assignments and Azure DevOps permissions are granted to it, and the application proves that identity with a client secret or certificate, which is why it matters for the token setup that follows.
To create one, register an application in the Azure portal, supplying a name and, if the application will receive tokens through a browser sign-in flow, a redirect URI. Treat the client secret or certificate issued for it like a password: it is the credential the application presents.
Azure DevOps
Azure DevOps provides a way to access your git repositories without handing out your username or password. You create a personal access token (PAT) and restrict, through its scopes, what a service user can reach.
To create a PAT in Azure DevOps, click the user settings icon in the top right corner of the page and then click Personal access tokens. You will be taken to the Personal Access Tokens configuration page.
For git integrations, two scopes matter: Code (read) and Code (read and write). Code (read) allows viewing commits (including smart commits from an integration such as Jira) and browsing repositories, while Code (read and write) adds the ability to push, create branches and open pull requests. Azure DevOps also offers broader Code scopes (read, write and manage; full), which a git integration does not need; grant the narrowest scope that works.
Here are the recommended scopes for different user types:
- Code (read) - recommended for regular users
- Code (read and write) - recommended for developers and contributors
Azure DevOps Server also supports personal access tokens for on-premises installations. You can create a PAT by opening the account settings and clicking Security, then clicking Add to create a new token. Be sure to set the lifespan of the PAT and choose the authorized scopes carefully.
Configuring Azure Git
To configure Azure Git, you'll need to set up a personal access token (PAT) for your user account. This allows you to access Azure Repos without using your username or password directly.
PATs are supported on Team Foundation Server (TFS) 2017 and newer, where they give you the same control over how a service user accesses specific resources in your git repositories. To generate a PAT, follow these steps:
- On the TFS portal dashboard, click the user settings icon in the top right corner of the page, then click Security.
- On the Personal Access Token page, click Add. Enter a meaningful name as the Description so the token can later be recognised and revoked.
- Set the lifespan of the token; prefer the shortest lifespan that fits the job.
- In the Authorized Scopes section, choose Selected scopes and enable only the scopes this service user needs (for read-only git access, Code (read)).
- Click Create token. The token value is shown once; store it in your secret store immediately.
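The procedure above ends with a PAT in hand, but the page does not show how to present it to git. The following is an added example and not code from the original page: it sends the PAT as the HTTP Basic credential Azure Repos expects (empty user name, the PAT as password) through a one-shot http.extraheader override, so the token never lands in the remote URL or in .git/config. The environment variable AZURE_PAT and the organisation, project and repository names are placeholders I chose for the example.

```shell
#!/usr/bin/env sh
# Added example, not code from the original page: authenticate git to Azure
# Repos with a PAT without embedding the PAT in the remote URL.
# Assumptions: the PAT is supplied in the environment variable AZURE_PAT;
# the organisation "contoso", project "payments" and repo "ledger" are
# placeholders for your own.

set -eu

# Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name,
# i.e. base64(":<pat>"). Returns the full Authorization header value.
ado_basic_header() {
    pat="$1"
    # `tr -d '\n'` instead of GNU-only `base64 -w0`, so this also works on macOS
    printf 'Basic %s' "$(printf ':%s' "$pat" | base64 | tr -d '\n')"
}

# Exit 0 when the secret appears in the URL, e.g. https://user:PAT@dev.azure.com/...
url_contains_secret() {
    url="$1" secret="$2"
    [ -n "$secret" ] || return 1
    case "$url" in
        *"$secret"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Clone with a one-shot http.extraheader override. The header applies to this
# command only and is not written to .git/config, unlike a PAT placed in the
# remote URL (which also shows up in `git remote -v` and in shell history).
git_clone_with_pat() {
    pat="$1" url="$2" dest="$3"
    if url_contains_secret "$url" "$pat"; then
        echo "refusing to clone: PAT is embedded in the remote URL" >&2
        return 1
    fi
    git -c "http.extraheader=AUTHORIZATION: $(ado_basic_header "$pat")" \
        clone "$url" "$dest"
}

# Stand-alone usage:  AZURE_PAT=... RUN_CLONE=1 sh clone-with-pat.sh
if [ "${RUN_CLONE:-}" = "1" ]; then
    git_clone_with_pat "${AZURE_PAT:?set AZURE_PAT}" \
        "https://dev.azure.com/contoso/payments/_git/ledger" ledger
fi
```

The header value is still visible in the process list for the duration of the git command, so on a shared build host a credential helper that keeps the PAT out of command lines is the better choice; the point of the override is that nothing persists after the command returns.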
If you authenticate as an application instead (the service principal above), secure its client secret. The quickstart configuration initially holds the secret in plain text in the application configuration file; remove it from the file and load it at runtime from an environment variable or from Azure Key Vault, so it is neither committed to source control nor readable by anyone with the file.
TFS 2017 and Newer
If you're using Team Foundation Server (TFS) 2017 or newer, PATs also work on-premises and give you the same control over what a service user can reach in your Git repositories. The procedure is the same as for Azure DevOps:
- Click the user settings icon in the top right corner of the TFS portal dashboard and select Security.
- On the Personal Access Token page, click Add.
- Enter a meaningful name as the Description.
- Set the lifespan of the token; prefer the shortest that fits the job.
- Under Authorized Scopes, choose Selected scopes and enable only the scopes the service user needs.
- Click Create token and store the value immediately; it is shown only once.
Configure Quickstart Application
Configure your Quickstart application to use the PAT Lifecycle Management API by editing its configuration file. Two variables need to change:
- Set ENDPOINT to https://vssps.dev.azure.com/{YOUR_COLLECTION_NAME_HERE}/_apis/Tokens/Pats?api-version=6.1-preview, substituting your organization (collection) name. Every PAT lifecycle call (list, create, update, revoke) goes to this endpoint.
- Set SCOPE to "499b84ac-1321-427f-aa17-267ca6975798/.default". The GUID is the resource ID of Azure DevOps in Entra ID, and /.default requests all of the application's consented permissions on that resource, so the access token you obtain is audience-bound to Azure DevOps and accepted by this API.
Secure the client secret as before: remove it from the configuration file and supply it from an environment variable or Azure Key Vault.
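The quickstart wraps these settings in C# or Python; the same calls can be made directly. The script below is an added example, not the quickstart's code: it obtains an access token for the Azure DevOps resource with the Azure CLI, lists the caller's PATs, and creates a read-only code PAT with a 30-day expiry, taking the secret-handling advice literally by refusing to run when a secret is expected only from the environment. The collection name "contoso" is a placeholder, and the JSON body shape (displayName, scope, validTo, allOrgs) is my reading of the documented create request, not something the page states.

```shell
#!/usr/bin/env sh
# Added example (not the Microsoft quickstart's code): call the PAT Lifecycle
# Management API from a shell with curl.
# Assumptions: the collection/organisation is "contoso"; the Entra ID access
# token comes from the Azure CLI for the signed-in identity; the request body
# fields (displayName, scope, validTo, allOrgs) follow the documented
# PatTokenCreateRequest as I understand it; `date -d` is GNU date.

set -eu

ADO_RESOURCE="499b84ac-1321-427f-aa17-267ca6975798"   # Azure DevOps resource ID

# Same ENDPOINT the quickstart configures, with the collection substituted.
pat_endpoint() {
    printf 'https://vssps.dev.azure.com/%s/_apis/Tokens/Pats?api-version=6.1-preview' "$1"
}

# JSON body for creating a PAT. Scopes are space-separated names such as
# "vso.code" (Code (read)); validTo is an ISO-8601 expiry; allOrgs=false
# keeps the PAT bound to this organisation only.
pat_create_body() {
    name="$1" scope="$2" valid_to="$3"
    printf '{"displayName":"%s","scope":"%s","validTo":"%s","allOrgs":false}' \
        "$name" "$scope" "$valid_to"
}

# Secret hygiene from the quickstart text: secrets come from the environment
# (or Key Vault), never from the config file. Fail closed if one is missing.
require_env() {
    name="$1"
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
        echo "missing $name: export it or load it from Key Vault; do not put it in the config file" >&2
        return 1
    fi
}

# Token for the Azure DevOps resource; equivalent to the quickstart's SCOPE
# "<resource>/.default" request, using the identity from `az login`.
ado_access_token() {
    az account get-access-token --resource "$ADO_RESOURCE" --query accessToken -o tsv
}

# Stand-alone usage:  RUN_PAT_API=1 sh pat-api.sh
if [ "${RUN_PAT_API:-}" = "1" ]; then
    token="$(ado_access_token)"
    endpoint="$(pat_endpoint contoso)"
    # list the caller's existing PATs
    curl -fsS -H "Authorization: Bearer $token" "$endpoint"
    # create a read-only code PAT that expires in 30 days
    expiry="$(date -u -d '+30 days' +%Y-%m-%dT%H:%M:%SZ)"
    curl -fsS -X POST "$endpoint" \
        -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
        -d "$(pat_create_body ci-readonly vso.code "$expiry")"
fi
```

The response to the create call contains the PAT value exactly once; pipe it straight into your secret store rather than echoing it into a build log.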
Pipeline Configuration
To configure your pipeline, it's essential to understand how classic and YAML pipelines differ in exposing the job's OAuth token. In a classic pipeline it is a job-level checkbox; in a YAML pipeline System.AccessToken is never placed in a script's environment unless you map it explicitly.
- Classic pipeline: enable "Allow scripts to access the OAuth token" in the job settings.
- YAML pipeline: map $(System.AccessToken) into an environment variable on the task that needs it (conventionally SYSTEM_ACCESSTOKEN).
- To reach a project other than the one the pipeline runs in, turn off "Limit job authorization scope to current project". Leave it on whenever you can: it is what confines a compromised build script to its own project.
Build a Classic Pipeline
A classic pipeline that calls the Azure DevOps REST API can use the system OAuth token that exists only for the duration of the job. In a PowerShell task it is read from the environment and sent as -Headers @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }.
The important part is the Authorization header: the job token is an OAuth access token, so it is sent with the Bearer scheme, not Basic auth. A PAT with the required privileges would achieve the same result, but a PAT is a long-lived credential that has to be stored and rotated, which is unnecessary when the short-lived job token is already at hand.
If the token has no value in the script, edit the pipeline and enable "Allow scripts to access the OAuth token" in the "Run on agent" job settings; the option is near the bottom of the page.
Calling a project other than the one the pipeline runs in is a common source of errors. When "Limit job authorization scope to current project for non-release pipelines" is ON, the job token is scoped to its own project and the API answers "project with id (...) does not exist, or you do not have permission to access it".
To resolve this, set that option to OFF in the project where the pipeline is located. The job then runs under the collection-wide build service identity, so grant that identity only the permissions it needs in the target project.
YAML Pipeline Failed
If your YAML pipeline fails with an empty token, the cause is almost always a small configuration mistake: in YAML, System.AccessToken has to be mapped into the task environment explicitly.
Check the env section of the PowerShell task carefully. A typo such as $(Aystem.AccesToken) instead of $(System.AccessToken) is not reported as an error when the run is queued; the REST call simply fails with an unauthorized response.
In a classic pipeline, enabling "Allow scripts to access the OAuth token" is enough. In a YAML pipeline you must add the mapping yourself, for example env: SYSTEM_ACCESSTOKEN: $(System.AccessToken) on the task.
To summarise:
- Classic pipeline: enable "Allow scripts to access the OAuth token".
- YAML pipeline: map $(System.AccessToken) to an environment variable on the task.
- Cross-project calls: turn off "Limit job authorization scope to current project" in the pipeline's project.
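The steps above describe the two failure modes (empty token, wrong project) but not what the script itself should do. The following is an added example, not code from the original post: the Bash step of a YAML pipeline that checks the mapped token before using it, sends it as a Bearer header, and lists builds of the current project through the REST API. In the pipeline YAML the step must carry the mapping, e.g. `env: SYSTEM_ACCESSTOKEN: $(System.AccessToken)`. SYSTEM_COLLECTIONURI, SYSTEM_TEAMPROJECT and TF_BUILD are the standard predefined pipeline variables; the Build API is my choice of target, any Azure DevOps REST call is made the same way.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): script step of a YAML pipeline
# that uses the job's OAuth token. The step's YAML must map the token:
#   - bash: ./call-api.sh
#     env:
#       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
# Assumptions: SYSTEM_COLLECTIONURI (ends with "/"), SYSTEM_TEAMPROJECT and
# TF_BUILD are the predefined pipeline variables; the Build list API is
# only an example target.

set -eu

# The "access token has no value" failure mode: the env mapping was omitted
# (YAML) or "Allow scripts to access the OAuth token" is off (classic).
# Fail fast with a clear message instead of sending an empty Bearer header.
require_access_token() {
    if [ -z "${SYSTEM_ACCESSTOKEN:-}" ]; then
        echo "SYSTEM_ACCESSTOKEN is empty: map env SYSTEM_ACCESSTOKEN: \$(System.AccessToken) on the step" >&2
        return 1
    fi
}

# The job token is an OAuth access token, so it goes in a Bearer header;
# a PAT would instead be sent as Basic base64(":pat").
bearer_header() {
    printf 'Authorization: Bearer %s' "$1"
}

# REST URL for a project's builds. Pointing this at a project other than the
# one the pipeline runs in only works when "Limit job authorization scope to
# current project" is off; otherwise the API says the project does not exist.
builds_url() {
    collection_url="$1" project="$2"
    printf '%s%s/_apis/build/builds?api-version=6.0' "$collection_url" "$project"
}

# Stand-alone (inside a pipeline run): list the builds of this project.
if [ "${TF_BUILD:-}" = "True" ]; then
    require_access_token
    curl -fsS -H "$(bearer_header "$SYSTEM_ACCESSTOKEN")" \
        "$(builds_url "$SYSTEM_COLLECTIONURI" "$SYSTEM_TEAMPROJECT")"
fi
```

Azure Pipelines masks the value of System.AccessToken in logs, but only when it is printed verbatim; do not transform or base64-encode it before logging, and never write it to an artifact.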