How to change user account for a pipeline running in Azure Pipelines
We are setting up in Azure Pipelines a new pipeline which performs a git commit to an Azure DevOps repository. The pipeline is executed by a Windows self-hosted agent. Agent is already registered using a token from a user with administrative privileges, but when the pipeline is launched we see that the git commit is being executed by a different user which has no permissions to access to the repository. We would like to define a different user for this git commit step.
After reading the Azure Pipelines documentation, I see that there are three different authentication tokens used by an agent:
- Agent registration token: used only when registering the agent in the agent pool
- Listener OAuth token: used by the agent when listening for new jobs
- Job-specific OAuth token: used by the agent when running an individual job
This part of the documentation leads us to think that the job-specific OAuth token is the one we need to change for our purposes:
When a job is available, the agent downloads the job as well as a job-specific OAuth token. This token is generated by Azure Pipelines/TFS for the scoped identity specified in the pipeline. That token is short lived and is used by the agent to access resources (e.g., source code) or modify resources (e.g., upload test results) on Azure Pipelines or TFS within that job.
How or where in Azure Pipelines can we change this job-specific OAuth token which the self-hosted agent uses when executing a pipeline?
Any help or clarification about this topic would be much appreciated.
After digging in the machine where the Azure DevOps agent is running, we have seen that the token used for authenticating against the Azure DevOps is stored in the Windows Credential Manager.
From this window you can remove all the stored credentials, and then you will be prompted for new valid credentials in Azure Devops next time the machine tries to access an Azure Devops repo through Git. Git is using this mechanism because we have installed Git Credential Manager for Windows when setting up Git. It manages authentications to remote repos such as Azure Devops or Github storing the credentials in Windows Credential Manager. As it is stated in this SO question, instead of tweaking credentials from this Window dialog, you can also manage them through command line by typing:
git credential-manager
- I want to publish a zip file and then download it directly from Azure Artifact feed. Which task will help me do that?
- Azure Mac hosted agent: installing gem install, downloading old version gems
- Azure Pipelines: Logging in using Workload Identity Federation
- How to Enable Docker layer caching in Azure DevOps
- How to specify triggers using variables in Azure DevOps Services pipeline yaml
- Whats the difference between a build pipeline and a release pipeline in Azure DevOps?
- The term 'script:' is not recognized as the name of a cmdlet, function, script file, or operable program
- How to finish running playwright tests in pipeline?
- YAML azure piplelines & templates - Iterate through each values splitted from a string passed from main pipeline OR pass array as output with bash
- Azure Devops Jekyll site build fails, worked previously
- Using a multiline string as parameter in an Azure DevOps task template
- Conditional dependent job in Azure Devops YAML pipelines
- How to configure Azure pipeline approval check to deploy to Azure function apps?
- Azure DevOps static web app automatically upgraded its node and npm versions
- Deploying Teams Toolkit app via CI/CD fails with 'This command only works for project created by Teams Toolkit' error
- Pipeline Shows as Failed When Successful
- Yaml manual approval step in jobs.template
- Environment variables as parameter of type object in Azure DevOps pipelines
- Skip Azure Pipeline jobs (or the whole pipeline) if change is from a merge from a specific branch
- Dev env is skipping
- Job Conditions in Azure Pipelines
- Access Denied using Azure App Configuration Task in DevOps Pipeline
- Passing output variable to a template in the same job in Azure devops
- How do I specify playwright chromium version in azure pipeline
- Azure Devops - YAML - not reading .net version from props file
- What is Difference between KubernetesManifest@0 and KubernetesManifest@1 in Yaml pipeline?
- Azure Devops - How to pass database connection string as environment variable dynamically (azure cli)
- Azure yaml trigger pipeline every 14 days on a Saturday
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- Updating Node js on internal windows ADO build agent