Enable OAuth Authentication
First of all, you need to check the option Allow scripts to access the OAuth token. This enables scripts and other processes launched by tasks to access the OAuth token through the System.AccessToken variable. This setting is somewhat hidden in the Additional options of the Agent Job.
Use the OAuth token inside the script
Within a PowerShell script you can now retrieve the System.AccessToken variable and use it to authenticate against the Azure DevOps REST API. A simplified example:
# $url, $method and $body are assumed to be set earlier in the script
# Set authorization headers
Write-Host 'Set authorization headers'
$headers = @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }
# Invoke REST API
Write-Host 'Invoke REST API'
Invoke-RestMethod $url -Method $method -Body $body -Headers $headers -ContentType 'application/json' -Verbose
Grant access to the Azure DevOps pipeline
In many cases, the Azure DevOps identity that sits behind the System.AccessToken already has the required access rights to perform the API call. However, you might get an exception that states that you don’t have enough permissions. In that scenario, I tried several options, but could only manage to solve it with the help of the product group on Twitter:
If you grant sufficient permissions to the Project Collection Build Service (<Account Name>), your REST API call will succeed.
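The two failure modes described above (the option not enabled, and the build identity lacking permissions) can be told apart in the script itself. The following is an added example, not code from the original post; the build definitions endpoint, the api-version value and the wording of the messages are assumptions chosen for illustration.

```powershell
# Added example: distinguishes "token not exposed" from "identity lacks permissions".
$ErrorActionPreference = 'Stop'

# The variable is empty when "Allow scripts to access the OAuth token" is not checked.
$token = $env:SYSTEM_ACCESSTOKEN
if ([string]::IsNullOrEmpty($token)) {
    throw 'SYSTEM_ACCESSTOKEN is empty: enable "Allow scripts to access the OAuth token" on the Agent Job.'
}

# Predefined pipeline variables System.TeamFoundationCollectionUri and System.TeamProject.
$collectionUri = $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI.TrimEnd('/')
$project = [uri]::EscapeDataString($env:SYSTEM_TEAMPROJECT)

# Assumption: a read-only call (list build definitions) is used as the probe.
$url = "$collectionUri/$project/_apis/build/definitions?api-version=6.0"
$headers = @{ Authorization = "Bearer $token" }   # never write $token to the log

try {
    $result = Invoke-RestMethod -Uri $url -Method Get -Headers $headers
    Write-Host "Call succeeded: $($result.count) build definitions visible to the pipeline identity."
}
catch {
    $err = $_   # keep the error record; $_ is rebound inside switch
    $status = $null
    if ($err.Exception.Response) {
        $status = [int]$err.Exception.Response.StatusCode
    }
    switch ($status) {
        401 { throw "HTTP 401 from $url : the token was not accepted for this call." }
        403 { throw "HTTP 403 from $url : grant the required permission to 'Project Collection Build Service (<Account Name>)'." }
        default { throw $err }
    }
}
```

Grant the build identity only the permission the call needs; any script in the job can read the token once the option is enabled.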
Cheers,
Toon