I've tried looking for this but can't find the exact answer I'm looking for. I want to clone a git repo in the same AAD-backed ADO organisation using a managed identity.
I'm using a pipeline which uses Terraform to deploy a VM, and I want to pass a script into custom_data when I build this VM to clone a repo from my ADO.
I could pass the SYSTEM_ACCESS_TOKEN to Terraform and then use that to clone the repo in the custom_data script, but I was wondering if there was a neater way to do it (I'm concerned the token is not secure, which may perhaps be unfounded).
In fact, the system access token is more secure than a managed identity: it's dynamically generated by Azure Pipelines, and only exists during pipeline run time.
With a managed identity, you need to manage it from the Azure portal, and you also need to add it to the DevOps organization to grant the permission.
Also, it's more convenient to manage the system access token: you can check the project-scoped identity or collection-scoped identity, depending on your settings, and set the permission directly.
Please check the docs below for your reference: