
Cannot use PAT in pipeline


I'm trying to use a PAT to log in to DevOps in a pipeline, but I get this error:

WARNING: Failed to store PAT using keyring; falling back to file storage.
WARNING: You can clear the stored credential by running az devops logout.
WARNING: Refer https://aka.ms/azure-devops-cli-auth to know more on sign in with PAT.

The yaml file looks like this:

name: Manage Azure Devops

trigger: none

pool:
  vmImage: "ubuntu-latest"

variables:
  - group: Azure_Devops_Management
  - name: ado_organization
    value: "https://dev.azure.com/org-name/"

steps:
  - script: |
      echo $(ACCESS_TOKEN) | az devops login --organization $(ado_organization)
    displayName: Login and set defaults
    env:
      ADO_PAT_TOKEN: $(ACCESS_TOKEN)

  - script: |
      az devops user list
    displayName: List users

When I run this on my own computer it works fine:

echo "####" | az devops login --organization "https://dev.azure.com/org-name/"

I've tried to add the PAT in clear text, just to verify that it's not a problem with the variable group, but that didn't help either.

I've read several threads about this but can't find anything that has helped. Any help appreciated.


Solution

  • Thanks for pointing me in the right direction, @KrzysztofMadej.

    The pipeline at https://github.com/kmadof/devops-manual/blob/b0c8b2a9afc71829e62e9640f8c49c61e44c9057/stackoverflow/56-print-variables/build.yaml#L20 didn't work as is. I guess it's because this line will wait for input of the PAT to proceed:

    az devops login --organization $org
    

    But since we store the PAT in AZURE_DEVOPS_EXT_PAT we don't need to run the login command (more info: https://learn.microsoft.com/en-us/azure/devops/cli/log-in-via-pat?view=azure-devops&tabs=windows#use-the-azure_devops_ext_pat-environment-variable).

    Since I need more permissions than what $(System.AccessToken) gives me I could also use my own PAT.

    So this is the final YAML to run az devops commands with a custom PAT:

    name: Manage Azure Devops
    
    trigger: none
    
    pool:
      vmImage: "ubuntu-latest"
    
    variables:
      - group: Azure_Devops_Management
    
    steps:
      - bash: env | sort
      - task: AzureCLI@2
        displayName: Azure CLI
        inputs:
          azureSubscription: "service_connection_name"
          scriptType: "pscore"
          scriptLocation: "scriptPath"
          scriptPath: "./AdoManageInactiveUsers.ps1"
        env:
          AZURE_DEVOPS_EXT_PAT: $(ACCESS_TOKEN)
    

    And if you don't want to use the AzureCLI@2 task, this works as well:

     steps:
      - script: |
         az devops configure --defaults organization=$(ado_organization)
         az devops user list
        displayName: List users
        env:
         AZURE_DEVOPS_EXT_PAT: $(ACCESS_TOKEN)
    

    So the solution from my first YAML is basically to use AZURE_DEVOPS_EXT_PAT and don't run az devops login.
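A preflight check for the AZURE_DEVOPS_EXT_PAT approach above, written as an added example that is not part of the original answer. The helper names `pat_preflight` and `list_users_with_pat` are hypothetical and the sample values are constructed; the check catches a secret that was never mapped under `env:` and a `$(ACCESS_TOKEN)` macro that Azure Pipelines left unexpanded, without ever echoing the token.

```bash
#!/usr/bin/env bash
# Added example: preflight for a PAT passed through AZURE_DEVOPS_EXT_PAT.
# pat_preflight / list_users_with_pat are hypothetical helper names.
# Nothing here prints the token value, only a diagnosis on stderr.

# Classify the value a step received in AZURE_DEVOPS_EXT_PAT.
# Returns 0 = usable, 1 = empty/unset, 2 = unexpanded $(...) macro,
#         3 = contains whitespace (e.g. a stray newline in the saved secret).
pat_preflight() {
  local value="${1-}"
  if [ -z "$value" ]; then
    echo "AZURE_DEVOPS_EXT_PAT is empty: map the secret under env: on this step" >&2
    return 1
  fi
  case "$value" in
    '$('*')')
      # Azure Pipelines leaves $(NAME) untouched when no such variable exists,
      # e.g. the variable group is not linked or the name is misspelled.
      echo "AZURE_DEVOPS_EXT_PAT holds an unexpanded macro: check the variable group" >&2
      return 2 ;;
    *[[:space:]]*)
      echo "AZURE_DEVOPS_EXT_PAT contains whitespace: re-save the secret value" >&2
      return 3 ;;
  esac
  return 0
}

# Run the az devops command only when the preflight passes; no az devops login.
list_users_with_pat() {
  pat_preflight "${AZURE_DEVOPS_EXT_PAT-}" || return $?
  az devops user list --organization "$1"
}

# Constructed sample values (not real tokens) showing each outcome.
demo() {
  local sample rc
  for sample in "" '$(ACCESS_TOKEN)' "abc def" "constructed-sample-token"; do
    pat_preflight "$sample" 2>/dev/null && rc=0 || rc=$?
    echo "length=${#sample} -> status $rc"
  done
}
demo
```

In a pipeline step, call `list_users_with_pat "$(ado_organization)"` with `AZURE_DEVOPS_EXT_PAT: $(ACCESS_TOKEN)` mapped under `env:` so that a missing or unresolved secret fails the step with a clear message.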