Forum Discussion

adan_11
Copper Contributor
Oct 13, 2023

How can I use an Azure AD Service Principal to connect an Azure DevOps pipeline to an artifact feed?

I have the following scenario. I currently have a Nuget Artifact feed that I want to pull from in an Azure DevOps pipeline. The feed is in one DevOps organisation and my pipeline is in another DevOps organisation.

I currently have the following setup which works fine:

- job: build
    displayName: 'Build'
    steps:
    - task: NuGetAuthenticate@0
      inputs:
        nugetServiceConnections: ${{parameters.myArtifactFeed}}

I can then run tasks in later steps that restore packages. The service connection it uses, myArtifactFeed, is a NuGet-type service connection that uses the authentication method External Azure DevOps Server, for which I just provide a PAT.

What I want to do is not use PATs anymore. After reading this article, I thought I would be able to create a service principal in Entra ID, add it to my org, and give it read permission to my artifact feed: https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops

But this doesn't seem to work and I can't find any documentation on how to do this.


TL;DR: How can I create an Azure DevOps service connection that uses Azure service principal credentials as its auth, which can then be used in a NuGetAuthenticate@0 Azure DevOps pipeline task to restore packages?


Thanks,

  • Robina
    Iron Contributor

    adan_11 

    To use an Azure AD Service Principal to connect an Azure DevOps pipeline to an artifact feed, follow these steps:

    1. Create an Azure AD Service Principal:

      • In your Azure portal, go to Azure Active Directory.
      • Create a new App Registration and note down the Application ID and Tenant ID.
      • Create a Client Secret or use a certificate for authentication.
    2. Assign Permissions:
      • In your Azure DevOps organization, navigate to the artifact feed.
        Go to "Settings" > "Permissions" and assign the Service Principal the required read permissions to the feed.
    3. Create a Service Connection:
      • In your Azure DevOps organization, go to "Project Settings" > "Service connections."
      • Create a new service connection, selecting "Azure Resource Manager" as the service connection type.
      • Fill in the details using the Application ID, Tenant ID, and Client Secret created in step 1.
    4. In Your Pipeline:

      • Use the NuGetAuthenticate@0 task with the service connection you created as the nugetServiceConnections. No PAT is required, and it will use the Azure AD Service Principal credentials for authentication. Here's a snippet of how it might look in your pipeline YAML:


    jobs:
    - job: build
      displayName: 'Build'
      steps:
      - task: NuGetAuthenticate@0
        inputs:
          nugetServiceConnections: 'your-service-connection-name'
      - script: nuget restore ...


    With this setup, you eliminate the need for a PAT and ensure secure authentication through the Azure AD Service Principal. Make sure to protect your Service Principal credentials and manage their lifecycle appropriately for security.

    • sotteson
      Microsoft

      Robina I was excited to find the steps you recommended to use a service principal for nuget authentication, but when I try to use an Azure Resource Manager service connection, the pipeline fails to run:


      The pipeline is not valid. Job TransferNugetPackages: Step NuGetAuthenticate3 input nuGetServiceConnections expects a service connection of type ExternalNuGetFeed but the provided service connection AIFabricAzureConnection is of type azurerm.


      Setting up an external nuget feed service connection would require a PAT instead of being able to use the service principal like I can with the Resource Manager one. Any idea if there is a way around this?
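Since NuGetAuthenticate@0 only accepts an ExternalNuGetFeed connection, as sotteson's error shows, another route is to let the service principal obtain a short-lived Entra ID token itself and hand that token to the Azure Artifacts Credential Provider through the VSS_NUGET_EXTERNAL_FEED_ENDPOINTS variable, so the long-lived PAT is never needed. The block below is an added example, not code from the thread or from Microsoft; it assumes the credential provider is present on the agent (it is what dotnet/nuget restore consult), that the feed already grants the service principal read access, and that the tenant, client and feed placeholders are replaced with real values from secret pipeline variables.

```python
"""Added example (not from the thread): OAuth2 client-credentials grant for an
Entra ID service principal, scoped to the Azure DevOps resource, with the
resulting token passed to the Azure Artifacts Credential Provider in place of
a PAT. Assumes the feed grants the service principal read access."""
import json
import os
import urllib.parse
import urllib.request

# Well-known application ID of the Azure DevOps resource in Entra ID; the
# "/.default" suffix requests the permissions configured for the app.
AZURE_DEVOPS_SCOPE = "499b84ac-1321-427f-aa17-267ca6975798/.default"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Build the client-credentials request (token URL and form fields)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": AZURE_DEVOPS_SCOPE,
    }
    return url, form


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """POST the request to Entra ID and return the parsed token response."""
    url, form = token_request(tenant_id, client_id, client_secret)
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def feed_endpoints_env(feed_url: str, access_token: str) -> str:
    """JSON value for VSS_NUGET_EXTERNAL_FEED_ENDPOINTS. The credential
    provider matches the feed URL and presents the token as the password;
    the token expires within about an hour, unlike a PAT."""
    creds = [{"endpoint": feed_url, "username": "spn", "password": access_token}]
    return json.dumps({"endpointCredentials": creds})


if __name__ == "__main__":
    # Placeholder inputs: supply TENANT_ID, CLIENT_ID, CLIENT_SECRET and
    # FEED_URL (e.g. https://pkgs.dev.azure.com/<org>/_packaging/<feed>/nuget/v3/index.json)
    # as secret pipeline variables; the printed JSON is exported to the
    # restore step as VSS_NUGET_EXTERNAL_FEED_ENDPOINTS.
    token = acquire_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                          os.environ["CLIENT_SECRET"])
    print(feed_endpoints_env(os.environ["FEED_URL"], token["access_token"]))
```

Export the printed JSON as a secret variable so it is masked in logs; because the token is short-lived, a leaked pipeline log exposes far less than a leaked PAT.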
