DEV Community

Umut

Register Azure DevOps Agents with Service Principal Secret!

Here are the short instructions to add Azure DevOps agents using an app registration secret instead of your PAT!

By default, you can register your agent by following this documentation.

However, when it comes to using the Service Principal (SP) option with the script, things get a little bit more complex.

These other documentation pages (1, 2) are very useful, but I just want to provide a clear example of how to use it.

Thanks to these comments on GitHub and Developer Community, I figured out how to use the Service Principal.

Basically, it will look like this when using the script:

./config.sh --unattended \
  --agent "${AZP_AGENT_NAME:-$(hostname)}" \
  --url "${AZP_URL}" \
  --auth "SP" \
  --clientid "yourclientid" \
  --clientsecret "yourclientsecret" \
  --tenantid "yourtenantid" \
  --pool "${AZP_POOL:-Default}" \
  --work "${AZP_WORK:-_work}" \
  --replace \
  --acceptTeeEula & wait $!


Note: The auth parameter should be set to "SP", and you need to provide clientid, clientsecret, and tenantid.

If you are running the agent in Docker, you'll also need to adjust the Dockerfile. Here are the parts that should be removed or modified:

if [ -z "${AZP_TOKEN_FILE}" ]; then
  if [ -z "${AZP_TOKEN}" ]; then
    echo 1>&2 "error: missing AZP_TOKEN environment variable"
    exit 1
  fi

  AZP_TOKEN_FILE="/azp/.token"
  echo -n "${AZP_TOKEN}" > "${AZP_TOKEN_FILE}"
fi

unset AZP_TOKEN

./config.sh remove --unattended --auth "PAT" --token $(cat "${AZP_TOKEN_FILE}") && break

export VSO_AGENT_IGNORE="AZP_TOKEN,AZP_TOKEN_FILE"

AZP_AGENT_PACKAGES=$(curl -LsS \
  -u user:$(cat "${AZP_TOKEN_FILE}") \
  -H "Accept:application/json" \
  "${AZP_URL}/_apis/distributedtask/packages/agent?platform=${TARGETARCH}&top=1")

AZP_AGENT_PACKAGE_LATEST_URL=$(echo "${AZP_AGENT_PACKAGES}" | jq -r ".value[0].downloadUrl")

./config.sh --unattended \
  --agent "${AZP_AGENT_NAME:-$(hostname)}" \
  --url "${AZP_URL}" \
  --auth "PAT" \
  --token $(cat "${AZP_TOKEN_FILE}") \
  --pool "${AZP_POOL:-Default}" \
  --work "${AZP_WORK:-_work}" \
  --replace \
  --acceptTeeEula & wait $!

Important Notes:

  • Pay attention to the VSO_AGENT_IGNORE variable, which helps prevent the client secret from being visible in the agent's description in Azure DevOps (and on the portal).
  • Be sure to remove the lines associated with the personal access token (PAT) and adjust the configuration for the Service Principal authentication.
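
As an added example (not from the original post or the agent documentation), here is how the registration step of the start script could look once the PAT parts above are replaced with Service Principal settings. The names AZP_CLIENT_ID, AZP_CLIENT_SECRET, AZP_TENANT_ID and AGENT_CONFIG_CMD are assumptions; the package download step, which used the PAT for `curl -u`, is not covered.

```sh
#!/bin/sh
# Added example: Service Principal variant of the start script's registration step.
# AZP_CLIENT_ID, AZP_CLIENT_SECRET, AZP_TENANT_ID and AGENT_CONFIG_CMD are
# assumed names, not taken from the agent documentation.

# Report every missing setting, then fail, mirroring the original AZP_TOKEN check.
check_sp_env() {
  sp_missing=0
  for sp_name in AZP_URL AZP_CLIENT_ID AZP_CLIENT_SECRET AZP_TENANT_ID; do
    eval "sp_value=\${${sp_name}:-}"
    if [ -z "${sp_value}" ]; then
      echo 1>&2 "error: missing ${sp_name} environment variable"
      sp_missing=1
    fi
  done
  return "${sp_missing}"
}

# Register the agent with --auth SP instead of --auth PAT.
register_sp_agent() {
  check_sp_env || return 1
  # Keep the secret in a non-exported shell variable and drop it from the
  # environment, as the PAT script did with "unset AZP_TOKEN".
  sp_secret="${AZP_CLIENT_SECRET}"
  unset AZP_CLIENT_SECRET
  # Replaces VSO_AGENT_IGNORE="AZP_TOKEN,AZP_TOKEN_FILE" from the PAT script.
  export VSO_AGENT_IGNORE="AZP_CLIENT_ID,AZP_CLIENT_SECRET,AZP_TENANT_ID"

  "${AGENT_CONFIG_CMD:-./config.sh}" --unattended \
    --agent "${AZP_AGENT_NAME:-$(hostname)}" \
    --url "${AZP_URL}" \
    --auth "SP" \
    --clientid "${AZP_CLIENT_ID}" \
    --clientsecret "${sp_secret}" \
    --tenantid "${AZP_TENANT_ID}" \
    --pool "${AZP_POOL:-Default}" \
    --work "${AZP_WORK:-_work}" \
    --replace \
    --acceptTeeEula
  sp_status=$?
  unset sp_secret
  return "${sp_status}"
}

# Run only when asked to, so the file can also be sourced from a start script.
if [ "${1:-}" = "--register" ]; then
  register_sp_agent
fi
```

The secret still appears in the `config.sh` argument list while registration runs, so it is visible to other processes that can read the container's process table.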
