Eliminating the Need for PATs in Azure DevOps for Power Platform CI/CD
Introduction
A PAT (Personal Access Token) is an Azure DevOps token generated from your user settings. It stands in for your password when a script or pipeline authenticates to Azure DevOps, for example when performing Git operations against a repository.
Drawbacks of using PATs
- Tied to one person: a PAT belongs to the user who created it. If that team member leaves the organization, the release manager or another team member has to generate their own PAT and update the pipeline.
- Security risk: like a password, a PAT is a long-lived bearer secret. Anyone who obtains it can act as that user within the token's scope, so a leak is as serious as a leaked password. Passwordless authentication removes that exposure.
- Administrative effort: every time the PAT expires it must be renewed and the pipeline's secret variable updated. The default policy is a 366-day expiration for fine-grained tokens; see "New PAT rotation policies preview and optional expiration for fine-grained PATs" for more information. Administrators can permit PATs with no expiration, but a finite lifetime limits the damage a leaked token can do.
Fortunately, there is a way to eliminate the need for PATs in your Azure DevOps pipelines, streamlining the deployment process.
Using PATs for Git Operations
A pipeline commonly contains a script step that runs a series of Git commands, for example:
- script: |
    echo Commit Solution
    git config user.email srv_d_TEST@domainname.co.uk
    git config user.name "Service Account (Dev)"
    git switch -c feature/-listview
    git pull
    git add --all
    git commit -m "Checked in by Power Platform Release"
    echo Push Solution to Repo
    git push --all https://$(TEST_PAT)@dev.azure.com/domainname-it/M365/_git/$(SolutionName)
  displayName: 'Check in files'
This script sets the committer email and name, creates a new branch, pulls the latest changes, stages all files, commits them with a fixed message, and pushes to the remote repository. The push URL embeds the TEST_PAT pipeline secret variable as the credential, so the PAT is what authenticates the push.
Check in Solution into Azure DevOps Repo Without PAT
Yes, Git operations can authenticate without a PAT. Every pipeline job receives a short-lived OAuth token, exposed as $(System.AccessToken), that represents the build service identity. Pass it as a bearer token on the push instead of embedding a credential in the URL:
- script: |
    echo Commit Solution
    git config user.email srv_d_TEST@domainname.co.uk
    git config user.name "Service Account (Dev)"
    git switch -c feature/-listview
    git pull
    git add --all
    git commit -m "Checked in by Power Platform Release"
    echo Push Solution to Repo
    git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push --all
  displayName: 'Command Line Script'
For this to work, the build service identity must be granted Contribute permission on the Azure DevOps repository (see below). Unlike a PAT, $(System.AccessToken) is valid only for the duration of the job, so there is nothing to store or rotate.
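For reference, here is a complete pipeline that applies the change end to end. It is an added example, not code from the original article: the trigger, pool, branch name, SolutionName value and the placeholder for the steps that produce the solution files are assumptions, while the committer details and the bearer-token push are the ones from the script above. It also adds two things a practitioner usually wants: the step aborts on the first failing command, and it skips the commit and push when the export produced no changes.

```yaml
# Added example (not from the original article): commit and push with the job's
# own System.AccessToken instead of a PAT.
# Assumed values: the trigger branch, the agent pool, SolutionName, the feature
# branch name and the placeholder export step.
trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
  SolutionName: MySolution   # assumed; the original only references $(SolutionName)

steps:
- checkout: self
  fetchDepth: 0              # full history, so the new branch can be pushed cleanly
  # persistCredentials is left at its default (false): the job token is only
  # presented on the single push below and is not written into .git/config.

# ... steps that export/unpack the solution into the working tree go here ...

- script: |
    set -euo pipefail          # stop at the first failing git command
    git config user.email srv_d_TEST@domainname.co.uk
    git config user.name "Service Account (Dev)"
    # Assumed branch name; the original uses feature/-listview
    git switch -c "feature/$(SolutionName)-$(Build.BuildId)"
    git add --all
    # Nothing changed since the last check-in: exit successfully without pushing
    if git diff --cached --quiet; then
      echo "Nothing to commit"
      exit 0
    fi
    git commit -m "Checked in by Power Platform Release (build $(Build.BuildId))"
    # The job-scoped OAuth token authenticates this push as the build service
    # identity; it expires with the job and is masked in the pipeline log.
    git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" \
        push --set-upstream origin HEAD
  displayName: 'Check in solution without a PAT'
```

If you prefer not to repeat the `-c http.extraheader` option on every Git command, set `persistCredentials: true` on the checkout step; the agent then keeps the same job token in the repository's Git configuration for the rest of the job, at the cost of leaving it on the agent's disk until the job ends. Tasks other than `script` that need the token usually read it from an environment variable, in which case map it explicitly with `env: { SYSTEM_ACCESSTOKEN: $(System.AccessToken) }` on that task.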
Granting Access to the Build Service
If you simply remove the PAT from the push URL, the push fails because no credential is offered and the agent has no interactive terminal to prompt on:
fatal: could not read Password for 'https://contoso@dev.azure.com': terminal prompts disabled
The fix is to pass the job token on the push, that is git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" in front of the git push, as in the YAML script above.
If the build service identity does not have the right permissions, you then receive a different error:
remote: 0000000000aaTF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\ded43716-36ec-42ed-acb1-b3c97a5621b2', scope 'repository'.
To let the build service commit to your repository, grant its identity the necessary permissions:
- Open the project, go to Project Settings > Repositories, select the repository and open the Security tab.
- Paste the GUID from the error message (the part after Build\) into the search box for users or groups. It resolves to the build service identity the pipeline runs as: "<Project> Build Service (<Organization>)" when the "Limit job authorization scope to current project" settings are enabled, otherwise "Project Collection Build Service (<Organization>)".
- Set the following permissions to Allow for that identity:
  - Contribute
  - Read
  - Create tag
  - Create branch
Leave Force push, Bypass policies and Administer at Not set: Read covers the fetch, Contribute plus Create branch are enough to push a new feature branch, and Create tag is only needed if the pipeline tags the check-in. If the target branch has branch policies, a direct push to it is rejected unless the identity may bypass them, which is another reason the script pushes to a fresh feature branch rather than to main.
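The same grant can be scripted so that it is reviewable and repeatable instead of clicked through in the UI. The following is an added example, not part of the original article: it uses the Azure CLI with the azure-devops extension (assumed to be installed and logged in) and the "Git Repositories" security namespace, whose bit values are the ones behind the permission names above (the error message's GenericContribute is bit 4). The organization URL, project ID, repository ID and the build service identity's descriptor are assumed inputs supplied by the caller; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): grant the pipeline's build
# service identity the four Git repository permissions from the steps above
# via the Azure CLI. Assumes `az` with the azure-devops extension, and that the
# caller supplies ADO_ORG, ADO_PROJECT_ID, ADO_REPO_ID and the identity
# descriptor ADO_BUILD_SERVICE_DESCRIPTOR (all assumptions, not from the page).
set -eu

# Security namespace ID of "Git Repositories"; it is the same in every
# Azure DevOps organization.
GIT_REPOS_NAMESPACE="2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"

# Build an allow mask from permission names. Only the bits the pipeline needs
# are known here; Administer (1), ForcePush (8) and PolicyExempt (128) are
# deliberately not grantable through this helper.
git_perm_bits() {
  mask=0
  for p in "$@"; do
    case "$p" in
      Read)         mask=$((mask | 2)) ;;    # GenericRead
      Contribute)   mask=$((mask | 4)) ;;    # GenericContribute
      CreateBranch) mask=$((mask | 16)) ;;
      CreateTag)    mask=$((mask | 32)) ;;
      *) echo "unknown or disallowed permission: $p" >&2; return 1 ;;
    esac
  done
  echo "$mask"
}

# Security token that scopes the ACE to one repository: repoV2/<projectId>/<repoId>
repo_token() {
  echo "repoV2/$1/$2"
}

# Merge an allow ACE for the identity onto the repository (existing bits kept).
grant_build_service() {
  org="$1"; project_id="$2"; repo_id="$3"; subject="$4"
  bits=$(git_perm_bits Read Contribute CreateBranch CreateTag)   # 2|4|16|32 = 54
  az devops security permission update \
    --org "$org" \
    --id "$GIT_REPOS_NAMESPACE" \
    --subject "$subject" \
    --token "$(repo_token "$project_id" "$repo_id")" \
    --allow-bit "$bits" \
    --merge true \
    --output table
}

# Usage: only runs when the caller has exported the assumed variables.
if [ -n "${ADO_ORG:-}" ]; then
  grant_build_service "$ADO_ORG" "${ADO_PROJECT_ID:?}" "${ADO_REPO_ID:?}" \
                      "${ADO_BUILD_SERVICE_DESCRIPTOR:?}"
fi
```

Before applying the grant, `az devops security permission show --id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject <descriptor> --token repoV2/<projectId>/<repoId>` shows the identity's current effective bits, so you can confirm that Contribute was indeed the missing one and that nothing broader was granted afterwards.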
Conclusion
By following these steps, Git operations in your Azure DevOps pipelines authenticate with the job's own short-lived token instead of a PAT: there is nothing to rotate, nothing tied to an individual team member, and no long-lived secret that can leak.