Description
What happened?
I would like to understand if it is possible to use an Azure Linux VM's User Assigned Managed Identity to connect an agent.
I've tested registering an agent using a service principal and secret, and all works well, so that's one step closer to not having to use any PATs.
Next, I'd like to eliminate the requirement for the service principal secret and just use a User Assigned Managed Identity. I've got an Azure Linux VM and am trying to get a minimal set of steps to work.
I've added the User Assigned Managed Identity to the org, and I've added it to the Agent Pool security as an Administrator.
I've tested a minimal script that gets the access token and then calls the rest API such as:
#!/bin/bash
# Ask the VM's IMDS endpoint for a token scoped to the Azure DevOps resource (499b84ac-1321-427f-aa17-267ca6975798)
export AZP_TOKEN=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=499b84ac-1321-427f-aa17-267ca6975798' -H Metadata:true | jq -r '.access_token')
export AZP_URL="https://dev.azure.com/myorg"
# Call a REST endpoint with the bearer token to confirm the identity is recognised by the org
export RESPONSE=$(curl -s -H "Authorization: Bearer $AZP_TOKEN" -H "Content-Type: application/json" "$AZP_URL/_apis/projects?api-version=6.0-preview")
echo "$RESPONSE"
This script gives me a successful response so I'm pretty sure the User Assigned Managed Identity does exist in the org and can connect.
Next, in my script that wraps the calls to config.sh and then to svc.sh, the top of the script has the following pertinent values:
#!/bin/bash
# Same IMDS token request as in the test script above
export AZP_TOKEN=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=499b84ac-1321-427f-aa17-267ca6975798' -H Metadata:true | jq -r '.access_token')
export AZP_URL="https://dev.azure.com/myorg"
export AZP_AGENT_NAME="agentname"
export AZP_POOL="poolname"
# Newest release tag from GitHub (.[0] is the most recent entry, pre-releases included), with the leading "v" stripped
export AZP_AGENT_VERSION=$(curl -s https://api.github.com/repos/microsoft/azure-pipelines-agent/releases | jq -r '.[0].tag_name' | cut -d "v" -f 2)
export AZP_WORK="azpwork"
# Placeholders: the managed identity's client ID and the Azure AD tenant ID
export USERNAME="managed identity client id"
export TENANTID="tenant id"
Then at the bottom, after all the standard script content, I have:
#!/bin/bash
# Hand the agent directory to the invoking (non-root) user and configure the agent as that user
chown "$SUDO_USER" "$HOME/azp/agent"
sudo -u "$SUDO_USER" ./config.sh --unattended \
  --agent "${AZP_AGENT_NAME:-$(hostname)}" \
  --url "$AZP_URL" \
  --username "$USERNAME" \
  --tenantid="$TENANTID" \
  --auth "ServiceIdentity" \
  --token "$AZP_TOKEN" \
  --pool "${AZP_POOL:-Default}" \
  --work "${AZP_WORK:-_work}" \
  --replace \
  --acceptTeeEula
# Install and start the agent as a service
./svc.sh install
./svc.sh start
If I run this, I end up with an error message:
VS30063: You are not authorized to access https://dev.azure.com
Is it possible to use a User Assigned Managed Identity in this way to connect an agent?
Versions
Latest agent version
Linux Ubuntu 20.04.6 LTS
Environment type (Please select at least one environment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operation system
No response
Version control system
git
Relevant log output
No response
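The following is an added example, not part of the original issue or of the azure-pipelines-agent project. Before handing the IMDS token to config.sh, it is worth decoding the token's payload locally and checking that the `aud` claim is the Azure DevOps resource ID used in the IMDS request and that `exp` is still in the future; the `appid` and `tid` claims are the client ID and tenant ID the script passes as USERNAME and TENANTID. A VS30063 with a token whose audience is wrong points at the token request rather than at the agent. The helper names, the placeholder GUIDs and both sample tokens are constructed here; the signature segment is a placeholder and nothing in this block verifies it.

```shell
#!/usr/bin/env bash
# Added example (not from the original issue): inspect the claims of an
# access token before passing it to config.sh. Sample tokens are constructed.

ADO_RESOURCE_ID="499b84ac-1321-427f-aa17-267ca6975798"   # Azure DevOps resource used in the IMDS request

# base64url helpers: JWT segments use '-' and '_' and drop '=' padding.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

b64url_decode() {
  s="$(printf '%s' "$1" | tr '_-' '/+')"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a flat string or numeric claim from the payload without jq.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Return 0 if the token is for Azure DevOps and has not expired.
check_ado_token() {
  aud="$(jwt_claim "$1" aud)"
  exp="$(jwt_claim "$1" exp)"
  now="$(date +%s)"
  if [ "$aud" != "$ADO_RESOURCE_ID" ]; then
    echo "aud is '$aud', expected $ADO_RESOURCE_ID (wrong resource in the IMDS request?)" >&2
    return 1
  fi
  if [ -z "$exp" ] || [ "$exp" -le "$now" ]; then
    echo "token has expired or carries no exp claim" >&2
    return 2
  fi
  return 0
}

# Constructed sample tokens with placeholder GUIDs and a placeholder signature.
HEADER='{"alg":"RS256","typ":"JWT"}'
GOOD_PAYLOAD='{"aud":"499b84ac-1321-427f-aa17-267ca6975798","iss":"https://sts.windows.net/00000000-0000-0000-0000-000000000000/","tid":"00000000-0000-0000-0000-000000000000","exp":4102444800,"appid":"11111111-1111-1111-1111-111111111111","oid":"22222222-2222-2222-2222-222222222222"}'
WRONG_AUD_PAYLOAD='{"aud":"https://graph.microsoft.com","exp":4102444800}'
SAMPLE_TOKEN="$(b64url_encode "$HEADER").$(b64url_encode "$GOOD_PAYLOAD").sig"
WRONG_AUD_TOKEN="$(b64url_encode "$HEADER").$(b64url_encode "$WRONG_AUD_PAYLOAD").sig"

# On the VM you would set AZP_TOKEN from IMDS exactly as the issue does:
#   AZP_TOKEN=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=499b84ac-1321-427f-aa17-267ca6975798' -H Metadata:true | jq -r '.access_token')
for t in "$SAMPLE_TOKEN" "$WRONG_AUD_TOKEN"; do
  if check_ado_token "$t"; then
    echo "ok: appid=$(jwt_claim "$t" appid) tid=$(jwt_claim "$t" tid) oid=$(jwt_claim "$t" oid)"
  else
    echo "not usable for config.sh"
  fi
done
```

Run it with the real token by replacing the loop with `check_ado_token "$AZP_TOKEN"`; the `appid` and `tid` it prints are the values to feed to `--username` and `--tenantid`, which removes one source of guesswork when the agent rejects the registration.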