Open JustinDroege opened 1 month ago
PAT is a bit different from the System.AccessToken; they have different permission scopes.
More details:
https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/guides/authenticating_using_the_personal_access_token
@xuzhang3 Thx for the fast answer. We already knew that and therefore tried adding the Build Service to the Project Collection Administrators and disabled the feature "Limit job authorization scope to current project for non-release pipelines", but this didn’t help us. Do you know if it’s even possible to set the scope for inviting users on a System Token?
@JustinDroege you may need to update the permission for collection build service accounts
More details:
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens?view=azure-devops&tabs=yaml
The token's permissions are derived from (a) job authorization scope and (b) the permissions you set on project or collection build service account.
@xuzhang3 Hey, I did some research and it seems that Azure DevOps currently doesn't support this use case. I tried all the different configurations mentioned in your link. I also tried the same with the CLI and got the same error. I guess our solution will be to use a technical user with the correct permissions and use the PAT from that user. Thanks for your help. I think we can close this now :)
Terraform (and Azure DevOps Provider) Version
Terraform Version: 1.8
Azure DevOps Provider Version: 1.1.1
Azure DevOps Services & Managed Build Agents
Affected Resource(s)
azuredevops_user_entitlement
Terraform Configuration Files
Expected Behavior
Currently, we are using the Terraform provider in the context of an Azure DevOps Services pipeline. We are using the $System.AccessToken to set the environment variable AZDO_PERSONAL_ACCESS_TOKEN. In the provider configuration, we apply the Azure DevOps Organization ID. When the pipeline is executed, we expect to be able to authorize users from the same Entra instance, which is also used by the Azure DevOps Organization, to be part of the Organization.
Actual Behavior
We receive an error stating that it is not possible and that the users are not part of the directory. The output looks like this:
Error: Creating user entitlement: Adding user entitlement: (5102) You are trying to invite a user from outside your directory, but something went wrong. Please contact Azure DevOps support.
With a personal token (PAT), everything works fine, so the user is part of the directory. We also tried giving the Build Service account all permissions.
Steps to Reproduce
azure_devops_entitlement resource and set a valid UPN.
$System.AccessToken: AZDO_PERSONAL_ACCESS_TOKEN=$(System.AccessToken) terraform apply
References
1026
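For reference, a minimal configuration of the kind described in the issue, written here as an added example (the reporter's own configuration files are not included above). The organization URL, the UPN and the secret pipeline variable name AZDO_PAT are assumed placeholders; the pipeline step shown in the comments is how the token reaches the provider in the reproduction steps.

```hcl
# Added example, not the issue reporter's configuration.
# With personal_access_token left unset, the provider reads
# AZDO_PERSONAL_ACCESS_TOKEN from the environment. In the issue the pipeline
# sets that variable from $(System.AccessToken), e.g. in azure-pipelines.yml:
#
#   env:
#     AZDO_PERSONAL_ACCESS_TOKEN: $(System.AccessToken)   # fails with error 5102
#
# Outcome reached in the thread: a PAT of a dedicated technical user, stored as
# a secret pipeline variable (name AZDO_PAT is an assumption), works instead:
#
#   env:
#     AZDO_PERSONAL_ACCESS_TOKEN: $(AZDO_PAT)
#
# Scope that PAT narrowly (Member Entitlement Management read/write) rather
# than granting full access, and rotate it like any other long-lived secret.

terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "~> 1.1"
    }
  }
}

provider "azuredevops" {
  # Placeholder organization URL (assumption); may also be supplied via
  # the AZDO_ORG_SERVICE_URL environment variable.
  org_service_url = "https://dev.azure.com/example-org"
}

# The resource that fails when the token is $(System.AccessToken) but succeeds
# with a user PAT, because the user is in the same Entra directory.
resource "azuredevops_user_entitlement" "developer" {
  principal_name       = "jane.doe@example.com" # placeholder UPN (assumption)
  account_license_type = "basic"
}
```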