I am using a Linux self-hosted VM agent with the relevant tools installed to run PowerShell and Az commands.
- This VM has a user-assigned managed identity added.
- The MI has been added as a user to my ADO organisation.
- The MI has administrator rights to my ADO project.
- Az login has been run against the VM, to authenticate into Azure with the MI.
I would like to authenticate to Azure DevOps using the access token from the managed identity rather than using a personal access token. After authenticating, I would like to use the az devops and az repos commands, to automatically control ADO.
Previously, I exported a variable `$env:AZURE_DEVOPS_EXT_PAT` and used my PAT token, which worked fine. However, when using the same variable and pointing it to the access token variable for the MI, it fails...
This is my current command:

```powershell
$accessToken = az account get-access-token --resource $mi_client_id --query "accessToken" --output tsv
$env:AZURE_DEVOPS_EXT_PAT = $accessToken
```
I have also tried these variations:

```powershell
$accessToken = az account get-access-token --resource $mi_client_id --query "accessToken" --output tsv
write-host $accessToken | az devops login --organization $ado_org_name
```
The error I get is:

```
Failed to authenticate using the supplied token.
```
I have also tried to solve this issue by setting `$accesstoken` to become a bearer token. It is still the same. Another way I have attempted is to output the `$accesstoken` value to a txt file and run `get-content` before the `az devops login` pipe.
Following the details from here, this should be achievable in some way, shape or form: Use Azure Active Directory service principals & managed identities

I know the ADO REST API can be used by putting the access token into a JSON header for authorisation, but this will not allow the az commands to work. How can I fix it?
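The following is an added example, not code from the original post, showing the flow the linked Microsoft article describes on a self-hosted Linux agent. It assumes `az` and the `azure-devops` extension are installed, that `az login --identity` has already been run for the user-assigned MI, and that `$ado_org_name` holds the organisation name as in the post. The one constant it introduces, `499b84ac-1321-427f-aa17-267ca6975798`, is the well-known Entra ID application ID of the Azure DevOps resource: the token must be issued with that audience, so the example requests it for that resource rather than for the identity's own client ID, decodes the token locally to confirm the audience and expiry before use, and then hands it to the extension through the same `AZURE_DEVOPS_EXT_PAT` variable a PAT would use (rather than piping `Write-Host` output, which goes to the console, not the pipeline).

```powershell
# Added example, not from the original post. Assumptions:
#  - az CLI + azure-devops extension are installed on the self-hosted agent
#  - `az login --identity --username <mi-client-id>` has already succeeded for the MI
#  - $ado_org_name holds the ADO organisation name (as in the post)
#  - 499b84ac-1321-427f-aa17-267ca6975798 is the well-known application ID of the
#    Azure DevOps resource in Entra ID, i.e. the audience the token must carry.
$ErrorActionPreference = 'Stop'
$adoResourceId = '499b84ac-1321-427f-aa17-267ca6975798'

# Request a token for the Azure DevOps resource using the already-logged-in MI.
$accessToken = az account get-access-token --resource $adoResourceId --query accessToken --output tsv
if ([string]::IsNullOrWhiteSpace($accessToken)) {
    throw 'az account get-access-token returned no token; check that az login --identity succeeded.'
}

# Local sanity check only: decode the JWT payload (no signature verification, the
# service does that) so a wrong audience is caught here rather than as a 401 later.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Value is not a JWT' }
    # JWT segments are base64url without padding; convert to standard base64.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$claims = Get-JwtPayload -Jwt $accessToken
if ($claims.aud -ne $adoResourceId) {
    throw "Token audience is '$($claims.aud)', expected the Azure DevOps resource '$adoResourceId'."
}
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
# Log the expiry, never the token itself; an Entra token lives about an hour,
# so long pipelines must re-run this step, unlike a long-lived PAT.
Write-Host "Azure DevOps token acquired; expires $($expires.ToString('u'))."

# Hand the Entra token to the az devops extension via the same variable a PAT uses,
# then scope all following commands to the organisation.
$env:AZURE_DEVOPS_EXT_PAT = $accessToken
az devops configure --defaults organization="https://dev.azure.com/$ado_org_name"

# Read-only smoke test. A 401 here means the MI is not a user in the organisation
# or lacks the project permissions, not that the token format is wrong.
az devops project list --output table
```

Because the audience check runs before any call to Azure DevOps, a token minted for the wrong resource fails fast with a readable message instead of the extension's generic "Failed to authenticate using the supplied token." The variable is set only for the current process, so it is not persisted to disk on the agent the way a token written to a txt file would be.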