Managing Azure DevOps PATs for technical users via Node.js and Postman
Update in 2023
There is a newer way to connect to Azure DevOps. You should check my current article here — how to connect via a Service Principal.
And now back to the existing post:
What should be achieved?
We are looking to use the new APIs announced here to manage PATs of technical users, e.g. to rotate the PATs of our self-hosted agents in Kubernetes, or to connect 3rd party software like SonarQube.
Which API can I use?
In Q1 2021 Microsoft released the token API, which is able to manage PATs for users: https://docs.microsoft.com/en-us/rest/api/azure/devops/tokens/pats?view=azure-devops-rest-6.1
Which flow do I have to use?
To manage tokens of your technical users in a non-interactive way, you can use the username/password flow. This flow needs no user interaction at all.
You can also have a look at the flask app provided by the Azure DevOps team to manage PATs in an interactive way. See the MS tutorial.
What do I have to prepare?
- As described in the docs for the interactive flow, first create an application in your Azure AD (see here) and give it the required grant:
Now you need to note down:
- Application (client) ID as client_id
- Directory (tenant) ID as tenant
- The client secret as client_secret
Create a “technical user” in Azure AD and allow it to log in with the username and password flow. See the docs here. If you are an administrator of your Azure tenant, you need to allow username and password authentication for this user. In our organisation only a few people are allowed to manage this, so I can’t give you more insights here beyond this documentation.
Here you have to note the following:
- User Principal Name (E-Mail) as username
- Password as password
Add your technical user to Azure DevOps and put it into the groups for which you need a PAT for automation. How to add a user to Azure DevOps. I’ve used the interactive login for this user a couple of times, so I’m not sure if you need to log in at least once. I did it :)
Let’s get started with Postman
Get an AAD Token for your technical user
Here are the official docs; you can easily run the request in your local Postman. Configure it like this, and Azure AD answers with an access_token:
POST - https://login.microsoftonline.com/TENANT/oauth2/v2.0/token BODY - x-www-form-urlencoded
Using the API from Azure DevOps
I’ll demonstrate the list call, as documented here. Configure Postman like this:
GET - https://vssps.dev.azure.com/YOUR_ORGANISATION/_apis/tokens/pats?api-version=6.1-preview.1
Authorisation - Bearer Token - The access_token from the response earlier
PAT scopes are not mentioned in the API docs
All the PAT scopes are listed here: Azure DevOps Scope List. I’ve used an Excel sheet with the SUBSTITUTE function to generate an enum of all the scopes, which is used in the TypeScript code.
Now moving over to TypeScript / NodeJS
How to configure your environment for Node.js.
This code is configured entirely by environment variables, as it is supposed to run in automated Kubernetes cron jobs in production.
Corporate proxy and node-fetch
Loading the configuration
We will use a configuration class here. It loads the required information from the environment.
Getting the Azure AD token
Bringing it all together in an Azure DevopsClient
Responses and Request objects
Let’s use node to manage our tokens
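As an added example (not code from the original post or the Bjego/AzureDevopsPat repo), the following TypeScript puts together the two requests shown in the Postman section, the environment-based configuration, and the rotation check for PATs that are about to expire. The environment variable names, the `FetchLike` type (so any fetch implementation, e.g. node-fetch behind a corporate proxy, can be injected) and the sample values in the comments are assumptions; the Azure DevOps resource ID in the OAuth scope is the well-known constant.

```typescript
// Added example, not code from the original post or the Bjego/AzureDevopsPat repo.
export interface Config { tenant: string; clientId: string; clientSecret: string;
  username: string; password: string; organisation: string; }
// Fields of a PAT as returned by the tokens/pats API (subset).
export interface PatToken { authorizationId: string; displayName: string; scope: string; validTo: string; }
// Minimal fetch shape so node-fetch (with a proxy agent) or a stub can be injected.
export type FetchLike = (url: string, init: { method: string; headers: Record<string, string>; body?: string })
  => Promise<{ ok: boolean; status: number; json(): Promise<any> }>;
// Well-known application ID of the Azure DevOps resource, used in the OAuth scope.
const ADO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798";

// Read every setting from environment variables (names are assumed here) and fail fast
// on a missing one, so a cron job dies loudly instead of sending half-filled requests.
export function loadConfig(env: Record<string, string | undefined>): Config {
  const need = (k: string): string => { const v = env[k]; if (!v) throw new Error(`missing env var ${k}`); return v; };
  return { tenant: need("AAD_TENANT"), clientId: need("AAD_CLIENT_ID"), clientSecret: need("AAD_CLIENT_SECRET"),
    username: need("AAD_USERNAME"), password: need("AAD_PASSWORD"), organisation: need("ADO_ORGANISATION") };
}

const formEncode = (f: Record<string, string>): string =>
  Object.keys(f).map(k => `${encodeURIComponent(k)}=${encodeURIComponent(f[k])}`).join("&");

// Username/password (ROPC) flow against the v2.0 token endpoint from the Postman section.
export function tokenRequest(cfg: Config): { url: string; body: string } {
  return { url: `https://login.microsoftonline.com/${cfg.tenant}/oauth2/v2.0/token`,
    body: formEncode({ client_id: cfg.clientId, client_secret: cfg.clientSecret, grant_type: "password",
      username: cfg.username, password: cfg.password, scope: `${ADO_RESOURCE_ID}/.default` }) };
}

export async function getAadToken(cfg: Config, fetchImpl: FetchLike): Promise<string> {
  const { url, body } = tokenRequest(cfg);
  const res = await fetchImpl(url, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return (await res.json()).access_token as string;
}

// GET .../_apis/tokens/pats with the AAD bearer token; the list comes back under "patTokens".
export async function listPats(cfg: Config, accessToken: string, fetchImpl: FetchLike): Promise<PatToken[]> {
  const url = `https://vssps.dev.azure.com/${cfg.organisation}/_apis/tokens/pats?api-version=6.1-preview.1`;
  const res = await fetchImpl(url, { method: "GET", headers: { Authorization: `Bearer ${accessToken}` } });
  if (!res.ok) throw new Error(`pat api returned ${res.status}`);
  return ((await res.json()).patTokens || []) as PatToken[];
}

// Rotation policy: PATs that expire within `days` of `now` (or have already expired).
export function patsExpiringWithin(pats: PatToken[], days: number, now: Date): PatToken[] {
  const limit = now.getTime() + days * 86_400_000;
  return pats.filter(p => new Date(p.validTo).getTime() <= limit);
}
```

A cron job would call `loadConfig(process.env)`, then `getAadToken`, `listPats` and `patsExpiringWithin` in turn, and create replacement PATs for the ones returned; the client secret and password never leave the environment except in the token request body.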
Great, isn’t it? We will use this API to manage our required PATs now via cron jobs in our Kubernetes environment.
You can leave me comments and claps, if you like this article, or if you have suggestions how to improve the tool.
Visit the github repo here: https://github.com/Bjego/AzureDevopsPat