ThomasParrishAxi
Feb 03, 2023 - Copper Contributor
Grant "Pipeline Resources Use and Manage" for System.AccessToken
I have an Azure DevOps pipeline where I am generating an Azure DevOps environment, then I trigger new pipelines that target this environment.
Before I do this, however, I am allowing pipelines to be used in this environment with the following script:
```powershell
$EnvironmentId = (terraform output -raw devops_environment_id)

# $(System.AccessToken) is expanded by the pipeline before the script runs
$base64EncodedPat = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("-:$(System.AccessToken)"))
$apiHeaders = @{ Authorization = "Basic $base64EncodedPat" }

Write-Host "Getting environments for ID $EnvironmentId"

# Get all agent pools, and filter by naming convention on name of "environment-$EnvironmentId"
$deploymentTargetsRaw = (Invoke-WebRequest `
    -Headers $apiHeaders `
    -Uri "https://dev.azure.com/MyOrganisation/_apis/distributedtask/pools?poolType=deployment&api-version=7.1-preview.1").Content
$deploymentTargets = $deploymentTargetsRaw | ConvertFrom-Json -Depth 100

# Start with the environment itself; matching agent pools are appended below
$resources = @(
    @{
        resource = @{
            type = "environment"
            id = $EnvironmentId
        }
        allPipelines = @{
            authorized = $true
        }
    }
)

$deploymentTargets.value `
| Where-Object { $_.name.StartsWith("environment-$EnvironmentId") } `
| ForEach-Object {
    Write-Host "Matched agent ID $($_.id) because it has name $($_.name)"
    $resources += @{
        resource = @{
            type = "agentpool"
            id = $_.id
        }
        allPipelines = @{
            authorized = $true
        }
    }
}

# Now authorize all pipelines on the environment and the matching agent pools
$result = Invoke-WebRequest `
    -Headers $apiHeaders `
    -Uri "https://dev.azure.com/MyOrganisation/MyProject/_apis/pipelines/pipelinepermissions?api-version=7.1-preview.1" `
    -Body (ConvertTo-Json $resources) `
    -Method Patch `
    -ContentType "application/json"

Write-Host "Status = $($result.StatusCode) granting resources for $($resources.Length) resources in environment $EnvironmentId"
Write-Host "response from API call`r`n$($result.Content)"
```
This has, however, stopped working because Azure DevOps have released a new PAT scope, "Pipeline Resources Use and Manage", which the $(System.AccessToken) does not have.
Does anyone know if it is possible to grant this scope to the $(System.AccessToken)?
- Matthias780 (Copper Contributor): We have exactly the same issue.
- ThomasParrishAxi (Copper Contributor): Matthias780 I've also raised a support ticket on this same issue: https://developercommunity.visualstudio.com/t/SystemAccessToken-missing-Pipeline-Res/10271637