
[BUG]: Connect agent using an Azure Linux VM and it's User Assigned Managed Identity #4992

Closed
1 of 4 tasks
colinrippeyfinarne opened this issue Sep 15, 2024 · 1 comment

Comments

@colinrippeyfinarne

What happened?

I would like to understand if it is possible to use an Azure Linux VM's User Assigned Managed Identity to connect an agent.

I've tested registering an agent using a service principal and secret, all works well so that's one step closer to not having to use any PATs.

Next, I'd like to eliminate the requirement for the service principal secret and just use a User Assigned Managed Identity. I've got an Azure Linux VM and am trying to get a minimal set of steps to work.

I've added the User Assigned Managed Identity to the org, and I've added it to the Agent Pool security as an Administrator.

I've tested a minimal script that gets the access token and then calls the rest API such as:

#!/bin/bash

# Get an access token for the Azure DevOps resource from the VM's managed identity (IMDS endpoint)
export AZP_TOKEN=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=499b84ac-1321-427f-aa17-267ca6975798' -H 'Metadata: true' | jq -r '.access_token')
export AZP_URL="https://dev.azure.com/myorg"

# Call the REST API with the token to confirm the identity can reach the org
export RESPONSE=$(curl -s -H "Authorization: Bearer $AZP_TOKEN" -H "Content-Type: application/json" "$AZP_URL/_apis/projects?api-version=6.0-preview")

echo "$RESPONSE"

This script gives me a successful response so I'm pretty sure the User Assigned Managed Identity does exist in the org and can connect.

Next, in my script that wraps the calls to config.sh and then to svc.sh, the top of the script has the following pertinent values:

#!/bin/bash

# Token for the Azure DevOps resource from the VM's managed identity (IMDS endpoint)
export AZP_TOKEN=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=499b84ac-1321-427f-aa17-267ca6975798' -H 'Metadata: true' | jq -r '.access_token')
export AZP_URL="https://dev.azure.com/myorg"
export AZP_AGENT_NAME="agentname"
export AZP_POOL="poolname"
# Latest release tag from GitHub, with the leading "v" stripped
export AZP_AGENT_VERSION=$(curl -s https://api.github.com/repos/microsoft/azure-pipelines-agent/releases | jq -r '.[0].tag_name' | cut -d "v" -f 2)
export AZP_WORK="azpwork"
# Placeholders: the managed identity's client id and the tenant id
export USERNAME="managed identity client id"
export TENANTID="tenant id"

Then at the bottom after all the standard script I have:

#!/bin/bash

chown "$SUDO_USER" "$HOME/azp/agent"
# Configure the agent as the invoking user; each option continues on the next line
sudo -u "$SUDO_USER" ./config.sh --unattended \
  --agent "${AZP_AGENT_NAME:-$(hostname)}" \
  --url "$AZP_URL" \
  --username "$USERNAME" \
  --tenantid="$TENANTID" \
  --auth "ServiceIdentity" \
  --token "$AZP_TOKEN" \
  --pool "${AZP_POOL:-Default}" \
  --work "${AZP_WORK:-_work}" \
  --replace \
  --acceptTeeEula

./svc.sh install
./svc.sh start

If I run this I end up with an error message:

VS30063: You are not authorized to access https://dev.azure.com

Is it possible to use a User Assigned Managed Identity in this way to connect an agent?

Versions

Latest agent version

Linux Ubuntu 20.04.6 LTS

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

No response

Version control system

git

Relevant log output

No response

@colinrippeyfinarne (Author)

Well, after reading some other issues it turns out all I needed to do was change the --auth parameter from "ServiceIdentity" to "PAT" and my script now works!
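Pulling the thread together, here is an added example script (not code from the issue or from the azure-pipelines-agent project) that fetches the token from the VM's user-assigned managed identity and hands it to config.sh with --auth PAT, as the follow-up comment found necessary. It assumes the IMDS endpoint and Azure DevOps resource id quoted in the issue; the IMDS_JSON and CONFIG_SH variables are hypothetical injection points for offline checks, and SAMPLE_IMDS_JSON is a constructed response.

```sh
#!/bin/sh
# Added example, not code from the issue or from the azure-pipelines-agent project:
# register an agent with a token from the VM's user-assigned managed identity.
# The IMDS endpoint and Azure DevOps resource id are the ones quoted in the issue;
# the token is passed with --auth PAT, which the follow-up comment reports working.

IMDS_URL='http://169.254.169.254/metadata/identity/oauth2/token'
ADO_RESOURCE='499b84ac-1321-427f-aa17-267ca6975798'   # Azure DevOps resource id

# Constructed sample of an IMDS token response, for offline checks only.
SAMPLE_IMDS_JSON='{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI0OTliODRhYyJ9.c2ln","expires_on":"1726400000","resource":"499b84ac-1321-427f-aa17-267ca6975798","token_type":"Bearer"}'

# IMDS URL for an Azure DevOps token; client_id is needed only when the VM has
# more than one user-assigned identity attached.
build_imds_url() {
  url="${IMDS_URL}?api-version=2018-02-01&resource=${ADO_RESOURCE}"
  if [ -n "${1:-}" ]; then url="${url}&client_id=$1"; fi
  printf '%s' "$url"
}

# Token body from IMDS; IMDS_JSON may be preset (e.g. to SAMPLE_IMDS_JSON) for offline runs.
fetch_imds_json() {
  if [ -n "${IMDS_JSON:-}" ]; then printf '%s' "$IMDS_JSON"; return 0; fi
  curl -sf -H 'Metadata: true' "$(build_imds_url "${1:-}")"
}

# Pull access_token out without depending on jq; prints nothing for an error body.
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Refuse to hand config.sh anything not shaped like a JWT (three dot-separated parts).
looks_like_jwt() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# usage: register_agent <org url> <pool> <agent name> <work dir> [client_id]
# CONFIG_SH defaults to ./config.sh; set it to "echo" to print the command instead.
register_agent() {
  token="$(extract_access_token "$(fetch_imds_json "${5:-}")")"
  looks_like_jwt "$token" || { echo 'IMDS did not return a JWT; check identity and resource' >&2; return 1; }
  "${CONFIG_SH:-./config.sh}" --unattended --url "$1" --auth PAT --token "$token" \
    --pool "$2" --agent "$3" --work "$4" --replace --acceptTeeEula
}

if [ "$#" -ge 4 ]; then register_agent "$@"; fi
```

Run it from the agent directory as `./register.sh https://dev.azure.com/myorg poolname agentname azpwork`; the managed identity still needs to be added to the org and given rights on the pool, exactly as described in the issue.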
