Description
Hi team 👋
We’d like to request support for cloning Azure DevOps (ADO) Git repositories using Managed Identity via Workload Identity Federation (WIF) in AKS, similar to the existing support for GitHub App authentication.
🧩 Context
In enterprise environments—especially those running on Azure Kubernetes Service (AKS)—it's increasingly common to use OIDC-based workload identity to authenticate workloads securely without secrets. While GitSync currently supports GitHub App-based authentication, there is no equivalent support for Azure DevOps using a managed identity.
🚧 Problem
Due to strict security policies, Personal Access Tokens (PATs) are not allowed in our environment. This makes it impossible to use GitSync with ADO repos today, even though the managed identity already has access to the repo via Entra ID.
✅ Proposal
We’d love to see GitSync support a new authentication mode that:
1. Uses a federated token from the pod’s projected identity (via Azure Workload Identity).
2. Exchanges that token for an ADO access token via Microsoft Entra ID.
3. Uses the resulting bearer token to authenticate Git operations (e.g., git clone) against ADO.
This would mirror the GitHub App support already in place and align with Microsoft’s push toward secretless infrastructure.
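The three steps above, as an added shell example that is not part of this issue or of the git-sync project. It assumes the environment variables the Azure Workload Identity webhook injects into an AKS pod (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE`, optionally `AZURE_AUTHORITY_HOST`), the Entra ID client-credentials grant with a JWT client assertion, the well-known Azure DevOps resource application ID used in the `.default` scope, and the `http.extraheader` bearer form that ADO accepts; the repository URL and destination directory are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not git-sync code: exchange an AKS workload-identity federated
# token for an Azure DevOps access token and use it for a single git clone.
set -eu

# Well-known resource application ID for Azure DevOps (assumption: documented
# value used as "<id>/.default" in the token request scope).
ADO_RESOURCE_ID="499b84ac-1321-427f-aa17-267ca6975798"

# Step 1+2: form body for the client-credentials grant. The projected token is
# sent as the client assertion; a JWT is base64url so it needs no form encoding.
build_token_request() {
  client_id="$1"
  assertion="$2"
  printf 'grant_type=client_credentials&client_id=%s&scope=%s/.default&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=%s' \
    "$client_id" "$ADO_RESOURCE_ID" "$assertion"
}

# Pull access_token out of the token endpoint's JSON reply without needing jq.
extract_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 3: the header value git sends; ADO accepts an OAuth bearer token here.
git_auth_header() {
  printf 'AUTHORIZATION: bearer %s' "$1"
}

# Read the projected federated token and POST it to the tenant's token endpoint.
exchange_token() {
  tenant="$1"
  client_id="$2"
  token_file="$3"
  authority="${AZURE_AUTHORITY_HOST:-https://login.microsoftonline.com/}"
  assertion=$(cat "$token_file")
  curl -sS --fail -X POST "${authority%/}/${tenant}/oauth2/v2.0/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data "$(build_token_request "$client_id" "$assertion")" | extract_access_token
}

# Clone using a per-invocation header so the token is never written to
# .git/config on disk; the token is short-lived, so a long-running syncer
# would repeat exchange_token before each fetch rather than cache it.
clone_with_workload_identity() {
  repo_url="$1"
  dest="$2"
  token=$(exchange_token "$AZURE_TENANT_ID" "$AZURE_CLIENT_ID" "$AZURE_FEDERATED_TOKEN_FILE")
  git -c "http.extraheader=$(git_auth_header "$token")" clone "$repo_url" "$dest"
}

# Usage: ./ado-wif-clone.sh https://dev.azure.com/ORG/PROJECT/_git/REPO [dest]
# (placeholder URL; only runs the clone when a repo URL is given).
if [ -n "${1:-}" ]; then
  clone_with_workload_identity "$1" "${2:-repo}"
fi
```

The functions are split so the request body, the JSON extraction and the header can be checked without network access; only `exchange_token` and `clone_with_workload_identity` talk to Entra ID and ADO. Note that the federated token itself is only accepted once the user-assigned identity has a federated credential trusting the AKS OIDC issuer and the pod's service account subject, and the identity must be granted access to the ADO organization; neither is handled by this script.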
🔐 Benefits
- Enables secure, secretless GitOps workflows with ADO.
- Aligns with enterprise security and compliance standards.
- Reduces operational overhead of managing PATs or SSH keys.
🙏 Ask
Would the maintainers be open to a PR or collaboration to explore this feature? We’re happy to help test or contribute if needed.
Thanks for your great work on GitSync!