Client Credentials Flow for Azure DevOps - python-3.x

I have been looking at this issue for days and I know from experience that I usually work these things out but this time I have hit a brick wall.
Scenario
I have a python app that gets instantiated inside an Azure DevOps YAML pipeline.
The app calls the Azure DevOps REST API to create a repository
The app uses a PAT (personal access token) to authenticate
Firstly issue is, a personal access token is connected to me as a human user. If I leave the company the PAT will be revoked which is not good for an app that needs to run in a non-user context.
So now I want to setup my Python app to authenticate to the Azure DevOps REST API using client credentials flow.
My issue is, I can't find consistent information about this.
I have created an app in Azure DevOps:
My plan would be to get this all working in Postman and then port my finding to Python code.
So really, I am looking for help with the setup I do in Postman and I can work the rest out myself in Python.
Many posts talk about Azure DevOps and Azure AAD (Azure Active Directory) together but, seeing as I create my app registration in Azure DevOps, as shown in the picture, I don't see why I would do anything in AAD.
(Note, my Azure DevOps instance was created outside Azure. Azure knows nothing about my Azure DevOps instance)
Any pointers to the CORRECT information about how to do this would be good. And remember, I definitely need the client credentials type flow. There is no human interaction between my app and the Azure DevOps REST API.
Update
Here is what I have in Postman right now:
Note:
You can see the check boxes which I am using to toggle application/x-www-form-urlencoded key / value pairs on and off
the resource - 499b84ac-1321-427f-aa17-267ca6975798 is apparently the GUID for Azure DevOps and doesn't change
If I look inside the HTML from the 500 error I see this: Could not find partition for hostId: 499b84ac-1321-427f-aa17-267ca6975798 which is the DevOps resource GUID mentioned above.
And here is the 500 error I get from Azure Devops:
It's all very confusing but I am sure I just need to tweak one or two things to get it working.

I want to use client_credential flow in Azure DevOps for the same reasons as you! Last time I spoke to support they told me it was planned for Q3 2020. Reviewing the roadmap I can't see it on there at the moment. I also couldn't see any feature requests currently raised on Dev Community so you could consider trying to raise the profile of this issue on there.

Related

Azure DevOps REST API, how to allow Azure Function to create workitems in DevOps project?

I'm creating a schedule-triggered Azure Function which will run tests once a day. If during the run any test fails, I want it to create a bug on a Azure DevOps project which includes a log of the failed tests.
I know I could create a PAT so that it can authenticates with the DevOps REST API but I don't like its downsides:
it can be valid for 1 year at maximum, I will need to remember to extend its expiration period
every bug created like this will have me as its creator
Edit:
I found out I could use a MS Flow - there's a DevOps connector that can create workitems, still it has a downside of having me as workitem's creator but it's not such a pain...
Still would much appreciate to learn about other options...
Is there any better way I can let my Azure Function to create bugs on my DevOps project?
An alternate option would be the use azure logic app along with azure function.
Here the azure function would directly call a azure logic app and the logic app would create a bug workitem .
Refer the following article by Stefan stranger
On how to create logic app which will create the bug. Here we will be using azure webhooks for the creating of bugs.
Now you can either send the data to a storage account where the logic app using some trigger to get the data and then use it to create bug, or you can directly connect to the logic app .
Refer the following article by Laura KokKarinen for this .

Azure services overview

I have many services on the azure plateform .instead of going on azure portal always and checking which services are running i want main parameters of azure services on my dashboard like pipelines successfully ran in data factory,storage used in data lake.so is there any api which can do or fetch this data?
Almost all the Azure resources have REST API exposed to get their status and key metric/attributes, so you need to write some script or code to pull these and display in your UI(may be simple javascript based). For example to get the pipeline run details, refer this

Azure LinkedAuthorizationFailed on Active Directory Account / Key Vault Authentication when running DevOps Server Deployment Template

I am trying to deploy an on-prem instance of Azure DevOps Server to a VM in an Azure Government subscription (which by nature, seems it does not support standard DevOps).
This template is referenced within support material directly from Microsoft:
https://github.com/usri/deploy_DevOps_Server_AzureSQL
All the referenced resources were created from scratch for the purpose of getting this server running.
This requires an AAD account with the associated password stored in a Key Vault. However, every attempt I make to run the template returns the following error on the 'Write VirtualMachines' step (when all other components pass):
The client has permission to perform action 'Microsoft.Compute/images/read' on scope '(MY_SUBSCRIPTION)\(MY_RESOURCEGROUP)\(VM)', however the current tenant '(MY_KEYVAULT)' is not authorized to access linked subscription '(ID in the template with the deployment files)'
This seems to me like the password cannot be retrieved from Key Vault- is it a formatting issue with the Secret? An access control issue somewhere? I've tried many various combinations of both. Hopefully this is just a trivial issue..
I am the original author of the code in that repo. I went ahead and merged a pull request into that repo which should address your issue. I did the following:
Updated the ReadMe file to include information on creating the image
Updated the azuredeploy.json with parameters for Key Vault & image references
Updated the ps1 file to eliminate hard links for KV (a particularly bad oversight on my part, my apologies).
Updated and tested everything for the latest version of Azure DevOps Server 2020
This should fix your issue and several other related ones. I retested the entire deployment from scratch and it worked as designed. A couple of other quick notes:
The USRI and all of it's repositories including the one being utilized here are not Microsoft official repositories. They represent an open-source Azure community dedicated to regulated entity customers. The members which contribute there are mostly Microsoft employees and the repos themselves just represent interesting and sometime niche templates that might be of interest.
This particular repo shows a manner in which Azure templates could be used to deploy services when no internet connection is available or permitted. I just used Azure DevOps Server because it was interesting and regulated industry customers use it.
All the best

Azure Devops release pipeline unauthorized for some projects

I am trying to release multiple projects in 1 solution using Azure Release pipeline
They are all connected to the same Azure Subscription, but some do deploy to the given app service while others give an unauthorized error.
Ive looked into it and i read that adding website_webdeploy_use_scm to the app service should help the Unauthorized error, but this didnt help for me.
What else could i look at? I connect through Azure Devops so i just selected the subscription from the list it automatically gathers from Azure because im logged in using the same logins as i use for Azure Portal
the full error is:
Connected to the remote computer ("xxxx.azurewebsites.windows.net") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.
Error: The remote server returned an error: (401) Unauthorized.
according to the error I'd suggest you check service principal permissions. it probably lacks the permissions required to manage those webapps.
So after refresh publishing profile in Azure Portal and trying it again it fixed itself so im not sure if that caused it or not but it worked!
another fix is to delete the slot and make it again

Are there any examples of Authenticating a User against Windows Azure Rest API without certificates

According to the releases a few day ago by Scottgu, its now possible to use the windows azure management api without client certificates.
Are there any examples of doing this?
I have a Azure Cloud Service Package that I would like to let people deploy from my website. Therefore I would like to, from javascript, to authenticate the user to their Azure subscription ( some oauth against the WAAD ) and then by rest api deploy my package for them.
I dont need a concrete examples, but just some pointers on how I could do this.
I dont want users to give me their passwords offcause, therefore i need some guidance on how I can do SSO of the user against WAAD/Windows Azure management api and from there use the access token to deploy the package.
As of today, the Service Management API documentation regarding this new authentication mechanism (http://msdn.microsoft.com/en-us/library/windowsazure/ee460782.aspx) is not updated. Since the new login mechanism is supported in PowerShell which is essentially a REST Wrapper over this API and is open source, one thing you could do is take a look at the source code of the Cmdlets on Github (https://github.com/WindowsAzure/azure-sdk-tools) to see how it is accomplished there and write something of your own (and share it here:)).

Resources