microsoft / azure-devops-extension-sdk

Client SDK for developing Azure DevOps extensions
MIT License

Best way to handle secrets in Azure DevOps extensions. #31

Open sreeraj-rajendran opened 3 years ago

sreeraj-rajendran commented 3 years ago

I have an extension in which there is a need to use a higher privileged PAT token (than the currently logged-in user) to work with the user entitlements REST API. This is because at this time there is no REST client available for user entitlements, as confirmed here.

What would be the best way to handle the PAT as a secret within extension code? I was planning to use Azure Key Vault as explained here, but the value of the secret would still be accessible if I try to debug the extension from the browser (developer tools). This allows the end users to open up developer tools in the browser and then extract the PAT token.

What would be the best way to handle this scenario?

cveld commented 3 years ago

We have a strategy where we create Azure DevOps extensions with custom tasks for all Azure resource types we provide to our stakeholders. Some custom tasks need to utilize elevated operations outside of the permissions we assign to the Azure Service Connections we provide to the stakeholders.

It would be great if Azure DevOps extensions provided a way to encrypt/decrypt secrets during the run without the stakeholders being able to reproduce the encryption/decryption outside our custom tasks. One way would be to introduce a small bag of values that can be added to the marketplace extension which would only be readable during the run of the custom task. One challenge: these should not be retrievable on a custom build agent.

This feature request has been raised here: https://developercommunity2.visualstudio.com/t/Securing-protected-APIs-shwithinsh-/1148893?entry=suggestion&space=21