0

I am following this question Are TFS Build Agent User Capabilities' Values Obtainable Within Build Steps? , specifically Seva's answer, with direct REST API requests:

$tfsUrl = $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI
$token = $env:SYSTEM_ACCESSTOKEN
$authExpr = "whatever:$token"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($authExpr)
$base64 = [System.Convert]::ToBase64String($bytes)
$headers = @{"Authorization" = "Basic $base64"}
$poolUrl = "${tfsUrl}_apis/distributedtask/pools/"
$response = Invoke-RestMethod $poolUrl -Headers $headers
if ($response.count -eq 0)
{
  throw "No pools are accessible. No permissions?"
}

When run with my personal access token, this code returns an array of pools, in JSON. However, when run on a build agent as a build step using the agent-provided $env:SYSTEM_ACCESSTOKEN, the response.count is zero and there are no pools returned.

Now, the answer linked above suggests that this is to be expected, and I need to grant permissions to the special user identity that the agent uses to communicate with TFS. Using the ${tfsUrl}_api/_common/GetUserProfile REST endpoint (from the agent) I confirmed that this user is indeed named "Project Collection Build Service (ProjectCollectionName)", with ProjectCollectionName part being specific to a TFS instance.

So I go to configuration, Agent Queues, select my queue, Roles, Add, type until "Project Collection Build Service (ProjectCollectionName)" is visible, click it, check that Role is Reader, press Add. And the result is Sorry, we couldn't add the Identity. Please try a different Identity.. Same error if I go to Manage pools.

While I can use explicit authentication with username/password or a personal access token, I would really prefer to use the agent's authentication, because unlike stored credentials it's always supposed to work - you know, passwords change, tokens expire, likely at the least convenient moment.

So, is it possible?

Edit: this happens with TFS 2018 update 3

Matt
  • 3,658
  • 3
  • 14
  • 27
altxt
  • 1
  • 2
  • Do you have the `Allow agent access to OAuth token` option selected in your build definition? If not, `System.AccessToken` is blank. Ex: https://stackoverflow.com/questions/41004090/vsts-allow-scripts-to-access-oauth-token-in-release-managment – Daniel Mann Nov 08 '18 at 23:33
  • @Daniel I do. Otherwise, TFS returns a TF400813: Resource not available for anonymous access. Client authentication required. – altxt Nov 09 '18 at 09:22
  • Seva here :) Haven't tried on TFS 2018u3, only on u2. – Seva Alekseyev Dec 12 '18 at 15:49
  • You installed the build agent to run as a service? On the build server, when you look at services, the account the agent is running as is "Project Collection Build Service (ProjectCollectionName)"? – Matt Jan 18 '19 at 18:16
  • @Matt Yes, the agent is running as a service, and no, it's running as a normal AD user account, not "Project Collection Build Service (ProjectCollectionName)". Unfortunately, the agent does not seem to use this user account to communicate with TFS, and that's the problem. Otherwise I would just grant all the necessary permissions to this user. – altxt Jan 22 '19 at 09:33
  • I tried to authenticate with username and password, unsuccessfully. The only option that remains is the personal access token which is guaranteed to expire within a year. – altxt Feb 12 '19 at 12:04

0 Answers0