Job Access Tokens || Authorize REST API calls to access resources in ADO using Job Access Tokens

 Author: Akhil M Anil || DevOps Engineer


For applications that interface with Azure DevOps Services, you must authenticate to gain access to resources like REST APIs. There are different ways to authenticate our applications with Azure DevOps Services. In this article we will use job access token/system access token (SYS_TOKEN) to authenticate into Azure DevOps.

A job access token is a security token that is dynamically generated by Azure Pipelines for each job at run time. The agent on which the job is running uses the job access token in order to access these resources in Azure DevOps. It is fully possible to use System Access Tokens and eliminate the need for PATs in ADO pipeline for authorize the REST API calls to ADO. Furthermore, there is no need to save any credentials to files on disc and the System Access Tokens can be leveraged transiently as environment variables scoped to a specific job.

The token's permissions are derived from

  1. job authorization scope
  2. the permissions you set on project or collection build service account.

Job authorization scope

You can set the job authorization scope to be collection or project.By setting the scope to collection, you choose to let pipelines access all repositories in the collection or organization. By setting the scope to project, you choose to restrict access to only those repositories that are in the same project as the pipeline.

Job authorization scope can be set for the entire Azure DevOps organization or for a specific project

  • To set job authorization scope at the organization level for all projects, choose Organization settings > Pipelines > Settings.
  • To set job authorization scope for a specific project, choose Project settings > Pipelines > Settings.
Enable one or more of the following settings. Enabling these settings are recommended, as it enhances security for your pipelines.
  • Limit job authorization scope to current project for non-release pipelines- This setting applies to YAML pipelines and classic build pipelines and does not apply to classic release pipelines.
  • Limit job authorization scope to current project for release pipelines- This setting applies to classic release pipelines only.

ADO Pipeline Usage of System Access Token

Yaml Code

Python file code

Experimental Connecting to ADO and List all the pipelines

Find source code here: System Access Token
azure-pipelines.yml


pipeline.py


Connect me via:

References: 

Comments

Post a Comment

Popular posts from this blog

Configure an Azure DevOps self-hosted Windows agent in Docker

Image
Author: Akhil M Anil || DevOps Engineer An agent is computing infrastructure with installed agent software that runs job to perform a task/ a set of tasks. There are different types of agents available for the users such as: Microsoft Hosted Agents Self-hosted Agents Scale Set Agents Self-hosted Agents An agent that we set up and manage on our own to run jobs is a  self-hosted agent .  Self-hosted agents give us more control to install dependent software needed for our builds and deployments. Also, machine-level caches and configuration persist from run to run, which can boost speed. We  can install the agent on Linux, macOS, or Windows machines. We can also install an agent on a Docker container. This Article covers configuring an agent on a Docker container and use the agent to run job to perform tasks. Run a self-hosted agent in Docker We can set up a self-hosted agent in Azure Pipelines to run inside a Windows Server Core (for Windows hosts), or Ubuntu container (for Linux hosts)
Read more

Install Java silently using powershell in Azure Windows VM

Image
Written by Akhil M Anil . To install Java silently using PowerShell in Windows VM, follow the following steps: Downloading Java can be done in two ways:   Download your required Java version ( Java Downloads | Oracle ) to a folder in your Windows VM.     Use PowerShell to Download Java to a folder.  Follow the below steps for downloading Java through PowerShell : Initially copy the Download link for your required Java version, Java file name, and Location where you want to download Java in your VM to a notepad Open PowerShell  Run the following command in PowerShell $url = "<your-copied url>" $filename = "<file_name>" $dest = "<outputfile-location\$filename>" Invoke-WebRequest -Uri $url -OutFile $dest For Example:  $url = "https://download.oracle.com/java/18/latest/jdk-18_windows-x64_bin.exe" $filename = "jdk-18_windows-x64_bin.exe"  $dest = "C:\Users\akhilanil\Desktop\Java\$filename" Invoke-WebRequest -Uri
Read more

List of Repositories - Authorize Rest API calls using Job Access Token

Image
  Author: Akhil M Anil || DevOps Engineer Getting the complete list of Repository names  in Azure DevOps Project using REST Api and Publishing as a CSV file. In the last blog I have talked about Authorizing REST API call using Job Access Tokens. If missed, please find that blog here:  Job Access Tokens . In this blog we will use Job Access Token to Authorize Rest API call and retrieve the list of repositories.  Full code can be found in GitHub:  Repository-List Steps: Push the developed pipeline code  (azure-pipelines-repos.yml) and python code  (repos.py) to Azure Repos. We are using  Repositories - List - REST API  to fetch the repository list using python. Job Authorization Scope for Job Access token. In order to access repositories using system access token, we need to change our default job authorization scope. In my last blog I have already mentioned about Job Authorization Scopes, feel free to take a look.  To set job authorization scope at the organization level for all projec
Read more