
I need to prepare automation for checking some Azure DevOps object details, such as: list of Azure DevOps projects, list of projects, details about pipelines, etc. I have PowerShell code prepared, I have an SPN created in Azure AD, and I granted API permissions for the SPN (Azure DevOps full access - application permissions). I am using the code below to log in as the SPN account:

$SecuredPassword = ConvertTo-SecureString -String $AppSecret -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AppId, $SecuredPassword
Connect-AzAccount  -ServicePrincipal -TenantId $TenantId -Credential $Credential

Then I am using the code below to generate a token and send a request to the Azure DevOps REST API endpoint. I am still facing error messages like: TF400813: The user is not authorized to access this resource. and 401 - Uh-oh, you do not have access. The request requires authentication.

$token = (Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798").Token
$URL = 'https://dev.azure.com/orgname/ADOorgName/_apis/pipelines/52/runs?api-version=6.0-preview.1'
$header = @{
    'Authorization' = 'Bearer ' + $token
    'Content-Type' = 'application/json'
}
$body = @"
  {
    "resources": {
        "repositories": {
            "self": {
                "refName": "refs/heads/main"
            }
        }
    }
  }
"@

Invoke-RestMethod -Method Post -Uri $URL -Headers $header -Body $body
tester81
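When a bearer token like the one requested in the question is rejected with a 401, a first diagnostic step is to decode its claims and confirm it was issued for the Azure DevOps resource, by the expected tenant, to the expected application, and has not expired. The following is an added example, not code from the original post; the function names, the placeholder GUIDs and the sample token are constructed for illustration, and the claim names (`aud`, `tid`, `appid`, `exp`) assume a v1-format Azure AD access token.

```powershell
# Added example: client-side inspection of a bearer token's claims (no signature check).
$AdoResourceId = '499b84ac-1321-427f-aa17-267ca6975798'   # resource ID from the question

function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore stripped padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {   # only used to build the constructed sample
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-AdoTokenClaims([string]$Token, [string]$ExpectedTenantId, [string]$ExpectedAppId) {
    $c = Get-JwtClaims $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp)
    [pscustomobject]@{
        AudienceOk = ([string]$c.aud).TrimEnd('/') -eq $AdoResourceId
        TenantOk   = $c.tid -eq $ExpectedTenantId
        AppIdOk    = $c.appid -eq $ExpectedAppId   # v1 tokens; v2 tokens carry 'azp' instead
        NotExpired = $expires -gt [DateTimeOffset]::UtcNow
        ExpiresUtc = $expires.UtcDateTime
    }
}

# Constructed sample token (placeholder GUIDs, dummy signature), so this runs offline.
$tenant = '11111111-1111-1111-1111-111111111111'
$appId  = '22222222-2222-2222-2222-222222222222'
$payload = @{ aud = $AdoResourceId; tid = $tenant; appid = $appId
              exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds() } | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig'

Test-AdoTokenClaims -Token $sample -ExpectedTenantId $tenant -ExpectedAppId $appId
```

If every check passes for a real token and the API still returns 401, the token itself is well-formed for Azure DevOps and the remaining question is whether the identity has access inside the organization or project.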

1 Answer


While I'm not familiar with the SPN approach, read: if this approach will work.

I do have experience with running several Azure DevOps APIs with a personal access token (PAT) or Oauth2 (while running a pipelines / custom apps).

I can advise you to look at the security configuration of this user in your Azure DevOps organization / project.

Is this SPN user part of the organization / project? If not, please add it and create a PAT with the proper rights.

The documentation for the API in your example states PAT as the only option:

accessToken
Personal access token. Use any value for the user name and the token as the password.

Source: https://learn.microsoft.com/en-us/rest/api/azure/devops/pipelines/pipelines/list?view=azure-devops-rest-7.0#security

promicro