How can I use an Azure AD Service Principal to connect an Azure DevOps pipeline to an artifact feed?

I have the following scenario. I currently have a Nuget Artifact feed that I want to pull from in an Azure DevOps pipeline. The feed is in one DevOps organisation and my pipeline is in another DevOps organisation.

I currently have the following setup which works fine:

- job: build
  displayName: 'Build'
  steps:
  - task: NuGetAuthenticate@0
    inputs:
      nugetServiceConnections: ${{parameters.myArtifactFeed}}

I can then run tasks in later steps that restore packages. The service connection it uses, myArtifactFeed, is a NuGet-type service connection that uses the authentication method External Azure DevOps Server, for which I just provide a PAT.

What I want to do is not use PATs anymore. After reading this article, I thought I would be able to create a service principal in Entra ID, add it to my org, and give it read permission to my artifact feed. https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principa...

But this doesn't seem to work and I can't find any documentation on how to do this.
TL;DR: How can I create an Azure DevOps service connection that uses an Azure service principal's credentials as its auth, which can then be used in a NuGetAuthenticate@0 Azure DevOps pipeline task to restore packages?
Thanks,

3 Replies

@adan_11 

To use an Azure AD Service Principal to connect an Azure DevOps pipeline to an artifact feed, follow these steps:

  1. Create an Azure AD Service Principal:
     • In your Azure portal, go to Azure Active Directory.
     • Create a new App Registration and note down the Application ID and Tenant ID.
     • Create a Client Secret or use a certificate for authentication.
  2. Assign Permissions:
     • In your Azure DevOps organization, navigate to the artifact feed.
       Go to "Settings" > "Permissions" and assign the Service Principal the required read permissions to the feed.
  3. Create a Service Connection:
     • In your Azure DevOps organization, go to "Project Settings" > "Service connections."
     • Create a new service connection, selecting "Azure Resource Manager" as the service connection type.
     • Fill in the details using the Application ID, Tenant ID, and Client Secret created in step 1.
  4. In Your Pipeline:
     • Use the NuGetAuthenticate@0 task with the service connection you created as the nugetServiceConnections. No PAT is required, and it will use the Azure AD Service Principal credentials for authentication. Here's a snippet of how it might look in your pipeline YAML:
jobs:
- job: build
  displayName: 'Build'
  steps:
  - task: NuGetAuthenticate@0
    inputs:
      nugetServiceConnections: 'your-service-connection-name'
  - script: nuget restore ...
With this setup, you eliminate the need for a PAT and ensure secure authentication through the Azure AD Service Principal. Make sure to protect your Service Principal credentials and manage their lifecycle appropriately for security.

@Robina I was excited to find the steps you recommended to use a service principal for NuGet authentication, but when I try to use an Azure Resource Manager service connection, the pipeline fails to run:
The pipeline is not valid. Job TransferNugetPackages: Step NuGetAuthenticate3 input nuGetServiceConnections expects a service connection of type ExternalNuGetFeed but the provided service connection AIFabricAzureConnection is of type azurerm.
Setting up an external NuGet feed service connection would require a PAT instead of being able to use the service principal like I can with the Resource Manager one. Any idea if there is a way around this?
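A pre-flight check for the type mismatch quoted above, added here as an example (it is not code from the thread or from Azure DevOps). It assumes the pipeline YAML has already been loaded into a dict (for instance with PyYAML) and uses a constructed service-connection inventory; the `check_nuget_authenticate` function and sample names are illustrative only:

```python
# Added example, not code from the thread: check that every NuGetAuthenticate
# task in a pipeline points at a service connection of the type the task
# accepts, reproducing the validation error quoted above ("expects a service
# connection of type ExternalNuGetFeed but ... is of type azurerm").
# Assumption: the pipeline YAML is already loaded into a dict (e.g. via PyYAML)
# in the shape shown in the replies; the inventory below is a constructed sample.

REQUIRED_TYPE = "externalnugetfeed"  # the only type NuGetAuthenticate accepts

# Constructed sample inventory: service connection name -> endpoint type.
SAMPLE_CONNECTIONS: dict[str, str] = {
    "myArtifactFeed": "externalnugetfeed",  # NuGet connection backed by a PAT
    "AIFabricAzureConnection": "azurerm",   # Azure Resource Manager (service principal)
}


def _connection_names(inputs: dict) -> list[str]:
    """Return the comma-separated names in nuGetServiceConnections. The key is
    matched case-insensitively (the thread spells it with both casings)."""
    for key, value in inputs.items():
        if key.lower() == "nugetserviceconnections":
            return [n.strip() for n in str(value).split(",") if n.strip()]
    return []


def check_nuget_authenticate(pipeline: dict, connections: dict[str, str]) -> list[str]:
    """Walk every job/step and return one message per misconfigured
    NuGetAuthenticate task; an empty list means this validation would pass."""
    problems: list[str] = []
    for job in pipeline.get("jobs", []):
        job_name = job.get("job", "<unnamed>")
        for index, step in enumerate(job.get("steps", []), start=1):
            if not str(step.get("task", "")).lower().startswith("nugetauthenticate@"):
                continue
            for name in _connection_names(step.get("inputs", {})):
                if "${{" in name:
                    # Template expression (as in the question): resolved only
                    # at compile time, so it cannot be checked statically here.
                    continue
                actual = connections.get(name)
                if actual is None:
                    problems.append(f"Job {job_name}: step {index} references unknown "
                                    f"service connection {name}")
                elif actual.lower() != REQUIRED_TYPE:
                    problems.append(f"Job {job_name}: step {index} expects a service "
                                    f"connection of type ExternalNuGetFeed but {name} "
                                    f"is of type {actual}")
    return problems
```

Run it against the pipeline definition before pushing, with the inventory pulled from the project's service connections, to catch an azurerm connection wired into NuGetAuthenticate without waiting for the pipeline to fail.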