Azure DevOps: Restricting Credentials to a Single Repository

You may find yourself in a situation where you need to limit a set of credentials to a single Git repository only - like I did when I was working on a Git-based configuration backup solution for Linux. In such a case, you want the Git credentials you are storing per machine to grant access to that machine’s repository only. As useful as such a setup is from a security point of view, it is currently difficult to implement in Azure DevOps.

Single Repository Credentials

Unfortunately, there does not seem to be an easy way to generate credentials that are valid only for a single repository in Azure DevOps. I would have expected the ability to limit personal access tokens (PATs) or SSH keys to individual projects, but that functionality is simply missing. Repository access can only be granted on the user level. This means that you have to create a new user in Azure AD (if your DevOps instance is backed by AAD) and give this new user permission on the repository used for the backup only. This also means that you need one user account per repository. Quite inelegant.

Creating the User and Generating the PAT

If you are forced to go down this route, follow these steps:

  1. In Azure DevOps, create a new project.
    • Optionally rename the project’s default repository. If you plan to create one repo per machine to back up, it might make sense to name the repositories after the machines.
  2. In Azure AD, create a new user.
  3. In Azure DevOps, go to organization settings and add the new user.
    • Give them “Contributor” access to the new project only. You do not want this user to be able to access any other projects in your Azure DevOps.
  4. Log in to Azure DevOps with the new user.
  5. Navigate to the repo and click Generate Git Credentials to create a personal access token (PAT).
    • The PAT appears in the user settings under the name Git: https://yourdomain.visualstudio.com/. You might want to edit it and change the name to something more meaningful, like Backup COMPUTERNAME.

Azure DevOps Git on the Linux Command Line

Accessing the new repository requires authentication with the Git credentials you generated previously. If you want a seamless push/pull experience without having to enter the password manually, you can embed the credentials in the remote URL. The format is as follows:

https://PAT_USER:PAT_PASSWORD@REPO_URL

Example

Given the following:

Repository URL: https://yourdomain.visualstudio.com/your_project/_git/your_repo
PAT user: your_username
PAT password: this_is_typically_a_long_random_string

The DevOps PAT URL to use as the Git remote is:

https://your_username:this_is_typically_a_long_random_string@yourdomain.visualstudio.com/your_project/_git/your_repo

To store that PAT URL as the Git remote URL, run the following command:

git remote add origin PAT_URL
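As an added example (not code from the original post), the following POSIX shell functions build the PAT URL from its parts, register it as the remote and check that it works; they go one step beyond the page by percent-encoding the user and password, which matters when the PAT user is an AAD user principal name containing an @. The function and variable names are my own.

```shell
# Added example (not from the original post): build the PAT remote URL from
# its parts and set it as "origin" in the backup repository.

# Percent-encode everything outside the RFC 3986 unreserved set (ASCII input),
# so a PAT user such as an AAD user principal name containing '@' stays valid.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character of $s
    s=${s#?}          # drop it
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# build_pat_url USER PASSWORD REPO_URL -> https://USER:PASSWORD@host/path
build_pat_url() {
  user=$(urlencode "$1")
  pass=$(urlencode "$2")
  host_path=${3#https://}
  printf 'https://%s:%s@%s' "$user" "$pass" "$host_path"
}

# set_pat_remote USER PASSWORD REPO_URL [REPO_DIR]
# Adds "origin" on first run and updates it on later runs (idempotent).
# The URL, PAT included, is written in plain text to REPO_DIR/.git/config,
# so that file's permissions are what protects the token on the machine.
set_pat_remote() {
  url=$(build_pat_url "$1" "$2" "$3")
  dir=${4:-.}
  if git -C "$dir" remote get-url origin >/dev/null 2>&1; then
    git -C "$dir" remote set-url origin "$url"
  else
    git -C "$dir" remote add origin "$url"
  fi
}

# check_pat_access [REPO_DIR]: verify the stored credentials reach the repo
# before an unattended backup job depends on them (exit status 0 = OK).
check_pat_access() {
  git -C "${1:-.}" ls-remote --exit-code origin HEAD >/dev/null 2>&1
}
```

Typical use on a backup machine: set_pat_remote "$PAT_USER" "$PAT_PASSWORD" "$REPO_URL" /etc-backup && check_pat_access /etc-backup.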

PATs That Don’t Work

It took me a while to figure out that the PAT needs to be generated by clicking “Generate Git Credentials”. At first, I tried PATs created on the Personal Access Tokens page on DevOps, accessible through the URL https://yourdomain.visualstudio.com/_usersSettings/tokens. However, no matter what I tried, those PATs always resulted in HTTP status 403 (forbidden). Many others seem to have had similar problems, as documented by this Stack Overflow question. The official documentation is a bit vague on the subject.

What About GitHub?

The whole thing is much easier and more logical on GitHub because it has Deploy Keys, SSH keys that grant access to a single repository only and are perfect for automation. Just what I needed for my machine configuration backup project.
