Azure DevOps: Restricting Credentials to a Single Repository

You may find yourself in a situation where you need to limit a set of credentials to a single Git repository - as I did when I was working on a Git-based configuration backup solution for Linux. In such a case, you want the Git credentials stored on each machine to grant access to that machine's repository only, so that a compromised machine cannot read or tamper with the backups of the other machines. As useful as such a setup is from a security point of view, it is currently difficult to implement in Azure DevOps.

Single Repository Credentials

Unfortunately, there does not seem to be an easy way to generate credentials that are valid only for a single repository in Azure DevOps. I would have expected the ability to limit personal access tokens (PATs) or SSH keys to individual projects or repositories, but that functionality is simply missing. PAT scopes restrict which kinds of operations a token may perform, but a PAT never grants more than its owner's permissions, and repository access itself can only be granted on the user level. This means that you have to create a new user in Azure AD (if your DevOps instance is backed by AAD) and give this new user permission on the backup repository only. It also means that you need one user account per repository. Quite inelegant.

Creating the User and Generating the PAT

If you are forced to go down this route follow these steps:

  1. In Azure DevOps, create a new project.
    • Optionally rename the project’s default repository. If you plan to create one repo per machine to backup, it might make sense to name the repositories after the machines.
  2. In Azure AD, create a new user.
  3. In Azure DevOps, go to organization settings and add the new user.
    • Give them “Contributor” access to the new project only, and do not add them to any organization-level groups. You do not want this user to be able to access any other projects in your Azure DevOps.
  4. Log in to Azure DevOps with the new user.
  5. Navigate to the repo and click Generate Git Credentials to create a personal access token (PAT).
    • The generated PAT is listed in the user settings under Personal Access Tokens with a generic name such as Git: https://yourdomain.visualstudio.com/. You might want to edit it to change the name to something more meaningful, like Backup COMPUTERNAME, and check its expiry date.

Azure DevOps Git on the Linux Command Line

Accessing the new repository requires authentication with the Git credentials you generated previously. If you want a seamless push/pull experience without having to enter the password manually, you can embed the credentials in the remote URL, inserting them between the https:// scheme and the host name. The format is as follows:

https://PAT_USER:PAT_PASSWORD@HOST/PATH

Keep in mind that Git then stores the PAT in clear text in .git/config and prints it in the output of git remote -v, so the file permissions of the working copy are the only thing protecting the token. If that is not acceptable, keep the plain repository URL as remote and store the PAT in a Git credential helper (for example git credential-store, which keeps it in a file in the home directory) instead.

Example

Given the following:

Repository URL: https://yourdomain.visualstudio.com/your_project/_git/your_repo
PAT user: your_username
PAT password: this_is_typically_a_long_random_string

The DevOps PAT URL to use as Git remote is:

https://your_username:this_is_typically_a_long_random_string@yourdomain.visualstudio.com/your_project/_git/your_repo

To store that PAT URL as Git remote URL run the following command (or git remote set-url origin PAT_URL if the remote already exists):

git remote add origin PAT_URL
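The following script is an added example, not code from the original post: it builds the PAT-embedded remote URL from its three parts the way the format above describes, refuses anything but HTTPS (the PAT would otherwise travel in clear text), percent-encodes a user name that is an e-mail style UPN (the @ would otherwise be taken as the start of the host), and provides a redacting companion for printing the URL in logs. The user name, token and host are the placeholders from the post; configure_backup_remote runs git and tightens the permissions of .git/config because that is where the PAT ends up.

```shell
#!/bin/sh
# Added example (not from the original post). User names, tokens and hosts
# below are placeholders, not real Azure DevOps identities.

# Percent-encode the characters in a user name that would break the
# "user:pass@host" syntax; AAD user names are often e-mail style UPNs.
url_encode_user() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/@/%40/g'
}

# build_pat_url USER PAT REPO_URL
# Inserts USER:PAT between the https:// scheme and the host of REPO_URL.
# Refuses non-HTTPS URLs, because the PAT would be sent in clear text.
build_pat_url() {
    user=$(url_encode_user "$1")
    pat=$2
    repo=$3
    case "$repo" in
        https://*) ;;
        *) echo "build_pat_url: refusing non-HTTPS URL: $repo" >&2; return 1 ;;
    esac
    printf 'https://%s:%s@%s\n' "$user" "$pat" "${repo#https://}"
}

# redact_pat_url URL
# Replaces the password part of a user:pass@host URL with "***" so the
# URL can be shown in logs or status output without leaking the PAT.
redact_pat_url() {
    printf '%s\n' "$1" | sed -E 's#^(https?://[^:/@]+:)[^@]+@#\1***@#'
}

# configure_backup_remote DIR USER PAT REPO_URL
# Initialises DIR as a Git repository, points "origin" at the PAT-embedded
# URL and restricts .git/config to the owner, because the PAT is stored
# there in clear text. Calls git, so the demo below does not invoke it.
configure_backup_remote() {
    dir=$1
    url=$(build_pat_url "$2" "$3" "$4") || return 1
    mkdir -p "$dir"
    git -C "$dir" init -q
    git -C "$dir" remote add origin "$url"
    chmod 600 "$dir/.git/config"
    echo "origin -> $(redact_pat_url "$url")"
}

# Demo with the placeholder values from the post (pure shell, no git needed).
demo_url=$(build_pat_url your_username this_is_typically_a_long_random_string \
    https://yourdomain.visualstudio.com/your_project/_git/your_repo)
echo "remote URL: $(redact_pat_url "$demo_url")"
```

On a backup machine you would call configure_backup_remote /var/backups/config "$PAT_USER" "$PAT" "$REPO_URL" once, after which git push from that directory works without a password prompt; redact_pat_url is what the backup script should use whenever it logs the remote.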

PATs That Don’t Work

It took me a while to figure out that the PAT needs to be generated by clicking “Generate Git Credentials”. At first, I tried PATs created on the Personal Access Tokens page on DevOps, accessible through the URL https://yourdomain.visualstudio.com/_usersSettings/tokens. However, no matter what I tried, those PATs always resulted in HTTP status 403 (forbidden). Many others seem to have had similar problems, as documented by this Stack Overflow question. The official documentation is a bit vague on the subject.

What About GitHub?

The whole thing is much easier and more logical on GitHub because it has Deploy Keys, SSH keys that grant access to a single repository only and are perfect for automation. Just what I needed for my machine configuration backup project.
