huserben / TfsExtensions

Extensions for TFS 2015+ such as custom Widgets (require TFS 2017) and Build Tasks
MIT License

Question: What format should I use for PAT authentication? #205

Closed PaulieC1972 closed 2 years ago

PaulieC1972 commented 2 years ago

Hi,

We are unable to use system.accesstoken for auth with this extension so need to use a PAT, but I am not sure what format the PAT should be in. I have tried using the plain PAT string and a Base64-encoded string (in format :PAT) but neither works, giving the error:

[error]No valid Personal Access Token provided. Please check that you specified the token to be used correctly in the configuration.

Is there anything special I need to do here with the PAT?

Thanks

huserben commented 2 years ago

Hi @PaulieC1972

There is nothing special, the plain PAT is all you need (together with the authentication method "Personal Access Token").

Could you maybe share a snippet of how you set up the task if it doesn't work?

Note: the best way to provide a PAT is via a (secure) variable so you don't store this in plaintext anywhere, as a PAT should be treated like a password.

PaulieC1972 commented 2 years ago

I have an account in Azure DevOps with permissions to read code and queue builds. In my pipeline I am fetching the PAT for that account via the AzureKeyVault task and writing that out as a secret variable. I then pass that PAT to the trigger task to queue a pipeline. The PAT isn't stored anywhere apart from the KeyVault.

Passing the PAT as just a plain text string with Authentication method 'Personal Access Token' still results in the same error:

Using following Authentication Method: Personal Access Token

[error]No valid Personal Access Token provided. Please check that you specified the token to be used correctly in the configuration.

I'll keep experimenting

huserben commented 2 years ago

Hmm ok, thanks for explaining.

So the only "special" thing here I can see would be the fact that it's stored in KeyVault, and maybe something is going wrong there. Could you create a new temporary PAT and try it once by just adding it in plaintext (and then removing it right away afterwards) to see whether this is working? If yes, there might be an issue either with the PAT in KeyVault or with how it's read from there.

Also, is the pipeline you are triggering in the same team project of the same organization, or in a different organization?

And lastly, you have to make sure your PAT has the following scopes: Build (read and execute) (according to the docs)

PaulieC1972 commented 2 years ago

I found the problem and it wasn't related to the extension. I wasn't setting the PAT variable correctly in the YAML :-(

Thanks for the very quick replies, really appreciate it!

huserben commented 2 years ago

Hi @PaulieC1972

Glad to hear that you figured it out.

Feel free to add another issue if you face more problems.
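
The thread traces the "No valid Personal Access Token provided" error to how the PAT variable was set in the YAML, not to the extension. As an added example (not part of the original thread and not the extension's code), the Python pre-flight check below classifies the shape of the value handed to the task, covering the Base64 `:PAT` form tried in the first post, an empty value, stray whitespace and an unexpanded `$(...)` macro, without ever printing the token. The function name, labels and sample values are hypothetical and constructed for illustration, and the Base64 test is a heuristic.

```python
import base64
import binascii
import re

# Azure Pipelines leaves an undefined macro such as $(MyPat) in place as literal text.
UNEXPANDED_MACRO = re.compile(r"^\$\(.+\)$")

HINTS = {
    "empty": "no value reached the task; check the variable name and mapping",
    "whitespace": "leading/trailing whitespace or newline around the token",
    "unexpanded-macro": "the $(...) reference was never resolved to a value",
    "base64-colon-pat": "value is Base64 of ':PAT'; the task expects the plain PAT",
}


def diagnose_pat(value):
    """Return labels describing shape problems; the token itself is never returned."""
    if not value or not value.strip():
        return ["empty"]
    findings = []
    core = value.strip()
    if core != value:
        findings.append("whitespace")
    if UNEXPANDED_MACRO.match(core):
        findings.append("unexpanded-macro")
        return findings
    try:
        # Heuristic: strict Base64 that decodes to ASCII text starting with ':'
        decoded = base64.b64decode(core, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        decoded = ""
    if decoded.startswith(":"):
        findings.append("base64-colon-pat")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    samples = {
        "plain": "constructedtoken1234",
        "macro": "$(DeployPat)",
        "encoded": base64.b64encode(b":constructedtoken1234").decode(),
        "newline": "constructedtoken1234\n",
        "missing": "",
    }
    for name, candidate in samples.items():
        labels = diagnose_pat(candidate)
        # Print only the sample name and findings, never the candidate value.
        print(name, "->", [HINTS[label] for label in labels] or "shape looks fine")
```

A clean result only means the value has a plausible shape; whether the PAT is valid and carries the Build (read and execute) scope still has to be confirmed against the service.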