DEV Community

Umut

Register Azure DevOps Agents with a Service Principal Secret!

Here are short instructions for registering Azure DevOps agents with an app registration (service principal) secret instead of your PAT!

By default, you register your agent by following the official documentation.

However, when it comes to using the Service Principal (SP) option with the configuration script, things get a little more complex.

These other docs (1, 2) are very useful too, but I want to provide a clear example of how to use it.

Thanks to these comments on GitHub and Developer Community, I figured out how to use the Service Principal.

Basically, it will look like this when using the script:

./config.sh --unattended \
  --agent "${AZP_AGENT_NAME:-$(hostname)}" \
  --url "${AZP_URL}" \
  --auth "SP" \
  --clientid "yourclientid" \
  --clientsecret "yourclientsecret" \
  --tenantid "yourtenantid" \
  --pool "${AZP_POOL:-Default}" \
  --work "${AZP_WORK:-_work}" \
  --replace \
  --acceptTeeEula & wait $!


Note: The auth parameter should be set to "SP", and you need to provide clientid, clientsecret, and tenantid.

If you are running the agent in Docker, you'll also need to adjust the start script from the Dockerfile. Here are the parts that should be removed or modified:

# PAT handling: remove these lines (the SP flow has no token file)
if [ -z "${AZP_TOKEN_FILE}" ]; then
  if [ -z "${AZP_TOKEN}" ]; then
    echo 1>&2 "error: missing AZP_TOKEN environment variable"
    exit 1
  fi

  AZP_TOKEN_FILE="/azp/.token"
  echo -n "${AZP_TOKEN}" > "${AZP_TOKEN_FILE}"
fi

unset AZP_TOKEN

# cleanup handler: unregisters the agent with the PAT, so it must switch to SP as well
./config.sh remove --unattended --auth "PAT" --token $(cat "${AZP_TOKEN_FILE}") && break

# capability filter: change the list from the PAT variables to the SP ones
export VSO_AGENT_IGNORE="AZP_TOKEN,AZP_TOKEN_FILE"

# agent package download: authenticates to Azure DevOps with the PAT
AZP_AGENT_PACKAGES=$(curl -LsS \
  -u user:$(cat "${AZP_TOKEN_FILE}") \
  -H "Accept:application/json" \
  "${AZP_URL}/_apis/distributedtask/packages/agent?platform=${TARGETARCH}&top=1")

AZP_AGENT_PACKAGE_LATEST_URL=$(echo "${AZP_AGENT_PACKAGES}" | jq -r ".value[0].downloadUrl")

# registration: replace --auth "PAT" / --token with --auth "SP" and the clientid, clientsecret, tenantid parameters
./config.sh --unattended \
  --agent "${AZP_AGENT_NAME:-$(hostname)}" \
  --url "${AZP_URL}" \
  --auth "PAT" \
  --token $(cat "${AZP_TOKEN_FILE}") \
  --pool "${AZP_POOL:-Default}" \
  --work "${AZP_WORK:-_work}" \
  --replace \
  --acceptTeeEula & wait $!

Important Notes:

  • Pay attention to the VSO_AGENT_IGNORE variable: it is a comma-separated list of environment variables the agent must not publish as capabilities, so listing the secret there keeps the client secret from being visible in Azure DevOps (the agent's capabilities in the portal).
  • Be sure to remove the lines associated with the personal access token (PAT) and adjust the configuration for Service Principal authentication.
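Putting the changes together, here is an added example (not from the original post or Microsoft's Dockerfile) of what the PAT block of the start script could become for SP authentication. The variable names AZP_CLIENT_ID, AZP_CLIENT_SECRET and AZP_TENANT_ID are my own choice.

```shell
#!/bin/sh
# Added example: the SP replacement for the PAT block of the agent start script.
# Not from the original post or Microsoft's Dockerfile. The variable names
# AZP_CLIENT_ID, AZP_CLIENT_SECRET and AZP_TENANT_ID are assumptions.

# Fail early if an SP setting is missing; prints the variable name, never its value.
require_sp_env() {
  missing=0
  for v in AZP_URL AZP_CLIENT_ID AZP_CLIENT_SECRET AZP_TENANT_ID; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo 1>&2 "error: missing $v environment variable"
      missing=1
    fi
  done
  return "$missing"
}

# Names the agent must not publish as capabilities: the secret, plus whatever
# list was already configured, so the client secret never shows up in the portal.
sp_agent_ignore() {
  echo "AZP_CLIENT_SECRET${VSO_AGENT_IGNORE:+,${VSO_AGENT_IGNORE}}"
}

# Run "$@" (./config.sh in production) with the SP registration arguments;
# the test passes printf instead so the argument list can be inspected.
sp_config() {
  "$@" --unattended \
    --agent "${AZP_AGENT_NAME:-$(hostname)}" \
    --url "${AZP_URL}" \
    --auth "SP" \
    --clientid "${AZP_CLIENT_ID}" \
    --clientsecret "${AZP_CLIENT_SECRET}" \
    --tenantid "${AZP_TENANT_ID}" \
    --pool "${AZP_POOL:-Default}" \
    --work "${AZP_WORK:-_work}" \
    --replace \
    --acceptTeeEula
}

# Entry point: only runs when an agent install (./config.sh) is actually present.
if [ -x ./config.sh ]; then
  require_sp_env || exit 1
  VSO_AGENT_IGNORE="$(sp_agent_ignore)"
  export VSO_AGENT_IGNORE
  sp_config ./config.sh & wait $!
  unset AZP_CLIENT_SECRET   # drop the secret from this shell once config.sh has it
fi
```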