使用 System.AccessToken 创建服务端点 [英] Using System.AccessToken to create a service endpoint
问题描述
目前,我们使用特定的用户名和 PAT 来进行 Azure DevOps REST API 调用,但从维护和脆弱性的角度来看,这不是一个好的解决方案.我们想改用 OAuth 令牌.
Currently, we use a specific username and PAT to make Azure DevOps REST API calls, but this isn't a good solution from a maintenance and fragility point of view. We'd like to use the OAuth token instead.
我们遇到问题的一个案例是尝试从我们的管道生成服务端点.我可以使用以下方法从我们的 Powershell 脚本中检查端点是否存在:
One case that we're running into issues is trying to generate service endpoints from our pipeline. I can check if the endpoint exists just fine from our Powershell script using:
Invoke-RestMethod -Uri https://xxx.visualstudio.com/projectname/_apis/serviceendpoint/endpoints?api-version=5.0-preview.2 -Method Get -ContentType "application/json" -Headers @{Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"} -Verbose -Debug
不幸的是,当我尝试使用以下内容创建端点(如果它不存在)时,我收到 403(禁止).这是电话:
Unfortunately, when I try to use the following to create the endpoint if it doesn't exist, I'm getting a 403 (Forbidden). This is the call:
Invoke-RestMethod -Uri https://xxx.visualstudio.com/projectname/_apis/serviceendpoint/endpoints?api-version=5.0-preview.2 -Method Post -ContentType "application/json" -Headers @{Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"} -Body $RequestBody -Verbose -Debug
看起来调用它的用户没有创建资源(或至少是服务端点)的权限.我是发布版本的负责人,但我不相信这是我的访问权限,因为我是整个组织的管理员,几乎可以做任何事情.我还修改了内置的 Project Collection Build Service 用户在发布管道上的访问权限,以获得完全访问权限,但仍然存在问题.我想要实现的目标是不可能的吗?
Looks like the user invoking this does not have permissions to create resources (or at least service endpoints). I'm the one running the release, but I don't believe it's my access because I am the admin on the entire organization and can do pretty much anything. I've also modified the built in Project Collection Build Service user's access on the release pipeline to have full access and still get the issue. Is what I am trying to achieve not possible?
推荐答案
OAuth Access Token 是用Project Collection Build Service(xxx)"账号创建的,不是你的账号,所以你需要给Project Collection Build Service(xxx)"创建服务端点的帐户权限.
The OAuth Access Token is created with "Project Collection Build Service(xxx)" account, not your account, so you need to give "Project Collection Build Service(xxx)" account permission to create service endpoint.
这篇关于使用 System.AccessToken 创建服务端点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
