DEV Community

Umut
Register Azure DevOps Agents with Service Principal Secret!

Here are short instructions for registering Azure DevOps agents with an app registration (service principal) secret instead of your PAT.

By default, you register your agent by following this documentation.

However, using the Service Principal (SP) option with the configuration script is a little less straightforward.

These other documents (1, 2) are useful, but I want to give one clear example of how to use it.

Thanks to these comments on GitHub and Developer Community, I figured out how to use the Service Principal.

Basically, the script invocation looks like this:

# --auth SP switches config.sh from PAT to service principal authentication;
# the three values below come from the app registration in Entra ID.
./config.sh --unattended \
  --agent "${AZP_AGENT_NAME:-$(hostname)}" \
  --url "${AZP_URL}" \
  --auth "SP" \
  --clientid "yourclientid" \
  --clientsecret "yourclientsecret" \
  --tenantid "yourtenantid" \
  --pool "${AZP_POOL:-Default}" \
  --work "${AZP_WORK:-_work}" \
  --replace \
  --acceptTeeEula & wait $!


Note: The auth parameter should be set to "SP", and you need to provide clientid, clientsecret, and tenantid.

If you are running the agent in Docker, you also need to adjust the start script that the Dockerfile copies in. These are the PAT-related parts that should be removed or modified:

# 1. PAT handling: writes the token to a file so it can be reused for cleanup.
if [ -z "${AZP_TOKEN_FILE}" ]; then
  if [ -z "${AZP_TOKEN}" ]; then
    echo 1>&2 "error: missing AZP_TOKEN environment variable"
    exit 1
  fi

  AZP_TOKEN_FILE="/azp/.token"
  echo -n "${AZP_TOKEN}" > "${AZP_TOKEN_FILE}"
fi

unset AZP_TOKEN

# 2. Cleanup on shutdown: unregisters the agent using the PAT from the file.
./config.sh remove --unattended --auth "PAT" --token $(cat "${AZP_TOKEN_FILE}") && break

# 3. Keeps the token variables out of the capabilities the agent publishes.
export VSO_AGENT_IGNORE="AZP_TOKEN,AZP_TOKEN_FILE"

# 4. Agent package download: authenticates to the REST API with the PAT.
AZP_AGENT_PACKAGES=$(curl -LsS \
  -u user:$(cat "${AZP_TOKEN_FILE}") \
  -H "Accept:application/json" \
  "${AZP_URL}/_apis/distributedtask/packages/agent?platform=${TARGETARCH}&top=1")

AZP_AGENT_PACKAGE_LATEST_URL=$(echo "${AZP_AGENT_PACKAGES}" | jq -r ".value[0].downloadUrl")

# 5. Registration with the PAT.
./config.sh --unattended \
  --agent "${AZP_AGENT_NAME:-$(hostname)}" \
  --url "${AZP_URL}" \
  --auth "PAT" \
  --token $(cat "${AZP_TOKEN_FILE}") \
  --pool "${AZP_POOL:-Default}" \
  --work "${AZP_WORK:-_work}" \
  --replace \
  --acceptTeeEula & wait $!

Important Notes:

  • Pay attention to the VSO_AGENT_IGNORE variable: the agent publishes its environment variables as capabilities, so list the variable that holds the client secret there to keep it out of Azure DevOps (and the portal). This gives a cleaner and safer description of the agent in the portal.
  • Be sure to remove the lines associated with the personal access token (PAT) and adjust the configuration for Service Principal authentication.
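Putting the pieces together, here is an added example (my own, not the post's script and not the Azure Pipelines agent project's start.sh) of the section of a start.sh-style entrypoint that replaces the PAT handling above. The variable names AZP_CLIENT_ID, AZP_CLIENT_SECRET and AZP_TENANT_ID, and the AZP_CONFIG_CMD override that lets the registration be dry-run without a real agent, are assumptions chosen for this example; the config.sh flags are the ones shown above.

```shell
#!/bin/sh
# Added example: service-principal registration for a start.sh-style entrypoint.
# Not the post's own script and not the Azure Pipelines agent project's start.sh.
# Assumed variable names: AZP_CLIENT_ID, AZP_CLIENT_SECRET, AZP_TENANT_ID.
# AZP_CONFIG_CMD is an assumed override (defaults to ./config.sh) so the
# registration can be exercised without a real agent installation.
set -e

# Check that every variable the SP flow needs is set and non-empty.
# Prints one error line per missing variable; returns 1 if any is missing.
require_sp_env() {
  missing=0
  for name in AZP_URL AZP_CLIENT_ID AZP_CLIENT_SECRET AZP_TENANT_ID; do
    eval "value=\${$name:-}"
    if [ -z "${value}" ]; then
      echo 1>&2 "error: missing ${name} environment variable"
      missing=1
    fi
  done
  return "${missing}"
}

# The agent publishes its environment as capabilities unless a variable is
# listed in VSO_AGENT_IGNORE (comma separated). This prints that list with the
# SP variables appended to whatever the image or operator already set, so the
# client secret never appears among the agent's capabilities in the portal.
sp_agent_ignore() {
  extra="AZP_CLIENT_ID,AZP_CLIENT_SECRET,AZP_TENANT_ID"
  if [ -n "${VSO_AGENT_IGNORE:-}" ]; then
    printf '%s,%s\n' "${VSO_AGENT_IGNORE}" "${extra}"
  else
    printf '%s\n' "${extra}"
  fi
}

# Register the agent with --auth SP. This replaces the PAT block of start.sh:
# no token file is written and no --token flag is passed. The secret stays in
# the environment (the cleanup step below needs it), which is why it must be
# listed in VSO_AGENT_IGNORE before config.sh runs.
register_sp_agent() {
  require_sp_env || return 1
  VSO_AGENT_IGNORE="$(sp_agent_ignore)"
  export VSO_AGENT_IGNORE
  "${AZP_CONFIG_CMD:-./config.sh}" --unattended \
    --agent "${AZP_AGENT_NAME:-$(hostname)}" \
    --url "${AZP_URL}" \
    --auth SP \
    --clientid "${AZP_CLIENT_ID}" \
    --clientsecret "${AZP_CLIENT_SECRET}" \
    --tenantid "${AZP_TENANT_ID}" \
    --pool "${AZP_POOL:-Default}" \
    --work "${AZP_WORK:-_work}" \
    --replace \
    --acceptTeeEula
}

# Counterpart of the "config.sh remove" line in the shutdown trap of start.sh:
# unregisters the agent with the same service principal instead of a PAT file.
remove_sp_agent() {
  "${AZP_CONFIG_CMD:-./config.sh}" remove --unattended --auth SP \
    --clientid "${AZP_CLIENT_ID}" \
    --clientsecret "${AZP_CLIENT_SECRET}" \
    --tenantid "${AZP_TENANT_ID}"
}
```

One part of the Docker start script is not covered here: the agent package download authenticates to the REST API with `-u user:PAT`, so with a service principal you either bake the agent package into the image or obtain a bearer token for the tenant for that request.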
