Open marnheus opened 1 year ago
Management of the PAT has been a big obstacle for us, since it makes the aggregator fairly unreliable - in particular because PATs become unusable after the owning user's password changes (interactive login to ADO as that user will restore their access -- however, for the generic ID we use for this, whose password changes frequently for security reasons, this creates quite a challenge). Even with the rotation problem aside, having to log in as the generic ID to create a PAT manually on a schedule, or maybe worse, using an individual human account to create the PAT, is kind of cumbersome.
Managed identity or even Service Principal would move this tool from being "eh, you can try it, but don't count on it", to "yes, this is a good way to solve the problem".
The usage of managed identities to log into Azure DevOps is now available in public preview. What would be great would be to enable system assigned managed identity on the Azure Function app hosting the aggregator and using it to log into Azure DevOps.
That would eliminate the need to manage the PAT and it would make it much more clear in ADO who touched the history using an actual system identity.
Here's the doc : https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops