The azuredevops_user_entitlement resource doesn't work with the System Token provided in an Azure DevOps pipeline
#1089
Comments
JustinDroege
changed the title
JustinDroege
changed the title
azuredevops_user_entitlement resource doesn't work with the System Token provided in an Azure DevOps pipeline
|
PAT is a bit different from the |
|
@xuzhang3 Thx for the fast answer. We already knew that and therefore tried adding the Build Service to the Project Collection Administrators and disabled the feature "Limit job authorization scope to current project for non-release pipelines", but this didn’t help us. Do you know if it’s even possible to set the scope for inviting users on a System Token? |
|
@JustinDroege you may need to update the permission for |
|
Hey, I did some research and it seems that Azure DevOps currently doesn't support this use case. I tried all the different configurations mentioned in your link. I also tried the same with the CLI and got the same error. I guess our solution will be to use a technical user with the correct permissions and use the PAT from that user. Thanks for your help. I think we can close this now :) |
|
Also facing the same issue. Any update on that ? |
|
@MoussaBangre Like I already wrote, it seems that this is not possible with a system token. I already tried all constellations which are posted here and no one works. The api just doesn't allow it, therefore the provider cannot solve this problem until the api allows it. We solved this problem with a personal token |
|
Hi, I just solved it by adding the service principal to the Enterprise Service Account groups, and it worked. The open question now is whether this is the least privilege that the service principal should have. I’ll be doing some research into that later on. |
|
Dafuck xD Sounds interesting because I tried to add the build user to project collection admin and this didn't work for me. I will also try your solution |
|
@MoussaBangre |
|
You might be right. Our cases differ mainly because you want to pass the token to the service principal from the system. I'm using OIDC for the service principal, and it worked for me when I added the service principal to the Enterprise Service Account group, which solved the issue. |
Terraform (and Azure DevOps Provider) Version
Terraform Version: 1.8
Azure Devops Provider Version: 1.1.1
Azure Devops Services & Managed Build Agents
Affected Resource(s)
azuredevops_user_entitlementTerraform Configuration Files
Expected Behavior
Currently, we are using the Terraform provider in the context of an Azure DevOps Services pipeline. We are using the
$System.AccessTokento set the environment variableAZDO_PERSONAL_ACCESS_TOKEN. In the provider configuration, we apply the Azure DevOps Organization ID. When the pipeline is executed, we expect to be able to authorize users from the same Entra instance, which is also used by the Azure DevOps Organization, to be part of the Organization.Actual Behavior
We receive an error stating that it is not possible and that the users are not part of the directory. The output looks like this:
Error: Creating user entitlement: Adding user entitlement: (5102) You are trying to invite a user from outside your directory, but something went wrong. Please contact Azure DevOps support.With a personal token (PAT), everything works fine, so the user is part of the directory. We also tried giving the Build Service account all permissions.
Steps to Reproduce
azure_devops_entitlementresource and set a valid UPN.$System.AccessToken:AZDO_PERSONAL_ACCESS_TOKEN=$(System.AccessToken) terraform applyReferences
The text was updated successfully, but these errors were encountered: