Forum Discussion
How can I use an Azure AD Service Principal to connect an Azure DevOps pipeline to an artifact feed?
I currently have the following setup which works fine:
- job: build
  displayName: 'Build'
  steps:
    - task: NuGetAuthenticate@0
      inputs:
        nugetServiceConnections: ${{parameters.myArtifactFeed}}
I can then run tasks in later steps that restore packages. The service connection it uses, myArtifactFeed, is a NuGet-type service connection that uses the authentication method External Azure DevOps Server, which I just provide a PAT for.
What I want to do is not use PATs anymore. After reading this article, I thought I would be able to create a service principal in Entra ID, add it to my org, and give it read permission to my artifact feed: https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops
But this doesn't seem to work and I can't find any documentation on how to do this.
TL;DR - How can I create an Azure DevOps Service Connection which uses Azure Service Principal credentials as its auth, which can then be used in a NuGetAuthenticate@0 Azure DevOps pipeline task to restore packages?
Thanks,
Robina (Iron Contributor):
To use an Azure AD Service Principal to connect an Azure DevOps pipeline to an artifact feed, follow these steps:
Create an Azure AD Service Principal:
- In your Azure portal, go to Azure Active Directory.
- Create a new App Registration and note down the Application ID and Tenant ID.
- Create a Client Secret or use a certificate for authentication.
Assign Permissions:
- In your Azure DevOps organization, navigate to the artifact feed.
- Go to "Settings" > "Permissions" and assign the Service Principal the required read permissions to the feed.
Create a Service Connection:
- In your Azure DevOps organization, go to "Project Settings" > "Service connections."
- Create a new service connection, selecting "Azure Resource Manager" as the service connection type.
- Fill in the details using the Application ID, Tenant ID, and Client Secret created in step 1.
In Your Pipeline:
- Use the NuGetAuthenticate@0 task with the service connection you created as the nugetServiceConnections. No PAT is required, and it will use the Azure AD Service Principal credentials for authentication. Here's a snippet of how it might look in your pipeline YAML:
jobs:
  - job: build
    displayName: 'Build'
    steps:
      - task: NuGetAuthenticate@0
        inputs:
          nugetServiceConnections: 'your-service-connection-name'
      - script: nuget restore ...
With this setup, you eliminate the need for a PAT and ensure secure authentication through the Azure AD Service Principal. Make sure to protect your Service Principal credentials and manage their lifecycle appropriately for security.
sotteson (Microsoft):
Robina, I was excited to find the steps you recommended to use a service principal for NuGet authentication, but when I try to use an Azure Resource Manager service connection, the pipeline fails to run:
The pipeline is not valid. Job TransferNugetPackages: Step NuGetAuthenticate3 input nuGetServiceConnections expects a service connection of type ExternalNuGetFeed but the provided service connection AIFabricAzureConnection is of type azurerm.
Setting up an external nuget feed service connection would require a PAT instead of being able to use the service principal like I can with the Resource Manager one. Any idea if there is a way around this?
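The thread ends without a resolution. As an added example (not from any poster in this thread), here is one way to reach the original goal that sidesteps the type check sotteson hit: keep the Azure Resource Manager connection, use it in an AzureCLI@2 step to mint a short-lived Entra ID token for the Azure DevOps resource, and register the feed with that token instead of calling NuGetAuthenticate@0. The service connection name, feed URL and parameter name are placeholders; the service principal still has to be added to the org and granted read permission on the feed, as in the original answer.

```yaml
# Added example, not from the thread: restore from an Azure Artifacts NuGet feed
# using an Entra ID service principal, without a PAT and without NuGetAuthenticate@0.
# Assumptions (placeholders): 'sp-artifacts-connection' is an Azure Resource Manager
# service connection backed by the service principal; ORG and FEED are placeholders.
parameters:
  - name: feedUrl
    type: string
    default: 'https://pkgs.dev.azure.com/ORG/_packaging/FEED/nuget/v3/index.json'

jobs:
  - job: build
    displayName: 'Build'
    steps:
      # 1. Sign in as the service principal through the ARM connection and request a
      #    token for Azure DevOps (499b84ac-1321-427f-aa17-267ca6975798 is the
      #    well-known Azure DevOps resource ID). The token expires on its own.
      - task: AzureCLI@2
        displayName: 'Get Azure DevOps token from service principal'
        inputs:
          azureSubscription: 'sp-artifacts-connection'
          scriptType: bash
          scriptLocation: inlineScript
          inlineScript: |
            set -euo pipefail
            token=$(az account get-access-token \
              --resource 499b84ac-1321-427f-aa17-267ca6975798 \
              --query accessToken -o tsv)
            # issecret=true keeps the token masked in logs and out of plain variables.
            echo "##vso[task.setvariable variable=ADO_TOKEN;issecret=true]${token}"

      # 2. Register the feed with the token as the password, then restore. Secret
      #    variables are only exposed to scripts when mapped explicitly via env.
      - script: |
          set -euo pipefail
          dotnet nuget add source '${{ parameters.feedUrl }}' \
            --name 'sp-feed' \
            --username 'AzureDevOps' \
            --password "$ADO_TOKEN" \
            --store-password-in-clear-text
          dotnet restore
        displayName: 'Restore with service principal token'
        env:
          ADO_TOKEN: $(ADO_TOKEN)
```

On a self-hosted agent the `dotnet nuget add source` entry lands in the agent user's NuGet.Config, so remove it at the end of the job (or use a hosted agent) so the short-lived token is not left on disk.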