Forum Discussion

ThomasParrishAxi's avatar
ThomasParrishAxi
Copper Contributor
Feb 03, 2023

Grant "Pipeline Resources Use and Manage" for System.AccessToken

I have an Azure DevOps pipeline where I am generating an Azure DevOps environment, then I trigger new pipelines that target these environment.

Before I do this, however, I am allowing pipelines to be used in this environment with the following script:

$EnvironmentId = (terraform output -raw devops_environment_id)
$base64EncodedPat = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("-:$(System.AccessToken)"))
$apiHeaders = @{ Authorization = "Basic $base64EncodedPat"}

Write-Host "Getting environments for ID $EnvironmentId"

# Get all agent pools, and filter by naming convention on name of "environment-$EnvironmentId"
$deploymentTargetsRaw = (Invoke-WebRequest `
    -Headers $apiHeaders `
    -Uri "https://dev.azure.com/MyOrganisation/_apis/distributedtask/pools?poolType=deployment&api-version=7.1-preview.1").Content

$deploymentTargets = $deploymentTargetsRaw | ConvertFrom-Json -Depth 100

$resources = @(
        @{
            resource = @{
                type = "environment"
                id = $EnvironmentId
            }
            allPipelines = @{
                authorized = $true
            }
        }
    )

$deploymentTargets.value `
    | Where-Object { $_.name.StartsWith("environment-$EnvironmentId") } `
    | ForEach-Object { 
        Write-Host "Matched agent ID $($_.id) because it has name $($_.name)"
        $resources += @{
            resource = @{
                type = "agentpool"
                id = $_.id
            }
            allPipelines = @{
                authorized = $true
            }
        }
    }

#Now disable pipeline granting permissions on all agentpools and the environment
$result = Invoke-WebRequest `
    -Headers $apiHeaders `
    -Uri "https://dev.azure.com/MyOrganisation/MyProject/_apis/pipelines/pipelinepermissions?api-version=7.1-preview.1" `
    -Body (ConvertTo-Json $resources) `
    -Method Patch `
    -ContentType "application/json"

Write-Host "Status = $($result.StatusCode) granting resources for $($resources.Length) resources in environment $EnvironmentId"
Write-Host "response from API call`r`n$($result.Content)"

This has, however, stopped working because Azure DevOps have released a new PAT scope Pipeline Resources Use and Manage, which the $(System.AccessToken) does not have.

Does anyone know if it is possible to grant this scope to the $(System.AccessToken)?

Resources