I was googling around all day but I can't find a solution. In Azure DevOps there are built-in users created for each project. One of those users is a default build agent user (normally named <projectName> Build Service).
I already automated the creation of repositories and pipelines using the Azure DevOps REST API. The next step would be to grant certain rights to the built-in Build Agent User. I am already struggling to find the built-in user in the API.
So how would one grant rights to this user using the REST API?
The goal would be to add the default built-in build agent user to the contributor role so he can push tags to repositories.
CodePudding user response:
Give rights to Azure DevOps built-in Users
You could use the REST API Users - List to get the identifier of your group:
    "subjectKind": "user",
    "domain": "Build",
    "principalName": "f0a50df8-5a11-41c3-8d7e-22180f923c80",
    "mailAddress": "",
    "origin": "vsts",
    "originId": "64b9d209-XXXXX-bb46ade01dc",
    "displayName": "MyTestProject Build Service (YourOrganizationName)",
The originId is the Id in the REST API URL below.
Then we use the Identities API:
GET https://vssps.dev.azure.com/fabrikam/_apis/Identities/{id}?queryMembership=None
Then get the descriptor from the JSON response, .Descriptor.Identifier:
{
    "Id": "64b9d209-0deb-4d9c-9e8d-6bb46ade01dc",
    "Descriptor": {
        "IdentityType": "Microsoft.TeamFoundation.ServiceIdentity",
        "Identifier": "0a2bf5f-XXXXd-1e9006e97c76:Build:f0a50df8-5a11-41c3-8d7e-22180f923c80"
    },
If you don't have the group id, but have the display name:
GET https://vssps.dev.azure.com/fabrikam/_apis/Identities?searchFactor=DisplayName&factorValue={display name url encoded}&options=None&queryMembership=None
Then get the descriptor from the JSON response, [0].Descriptor.Identifier.
Now that we have the Identity, we could use the REST API Access Control Entries - Set Access Control Entries to set the permission for that group:
POST https://dev.azure.com/{organization}/_apis/accesscontrolentries/{securityNamespaceId}?api-version=5.0
Request body:
{
    "token": "repoV2/{projectId}/{repoId}/",
    "merge": true,
    "accessControlEntries": [
        {
            "descriptor": "Microsoft.TeamFoundation.Identity;{groupIdentifier}",
            "allow": 2,
            "deny": 0,
            "extendedInfo": {
                "effectiveAllow": 2,
                "effectiveDeny": 0,
                "inheritedAllow": 2,
                "inheritedDeny": 0
            }
        }
    ]
}
Note the id in the URL is hardcoded because it's a constant. But you can also fetch it from the response of:
GET https://dev.azure.com/{organization}/_apis/securitynamespaces
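
An added example, not part of the original answer: it assembles the Set Access Control Entries body offline from the two responses described above, granting only named action bits on a single repository instead of a broad role. The function names, the sample GUIDs and the action bit values are constructed for illustration; read the real namespace id and bits from your own securitynamespaces response.

```python
import json

# Constructed sample, trimmed to the fields used, of GET .../_apis/securitynamespaces.
SAMPLE_NAMESPACES = json.loads("""
{"value": [{"namespaceId": "00000000-0000-0000-0000-000000000001",
            "name": "Git Repositories",
            "actions": [{"bit": 2,  "name": "GenericRead"},
                        {"bit": 4,  "name": "GenericContribute"},
                        {"bit": 32, "name": "CreateTag"}]}]}
""")

# Constructed sample in the shape of the Identities response shown in the answer.
SAMPLE_IDENTITY = json.loads("""
{"Id": "11111111-1111-1111-1111-111111111111",
 "Descriptor": {"IdentityType": "Microsoft.TeamFoundation.ServiceIdentity",
                "Identifier": "22222222-2222-2222-2222-222222222222:Build:33333333-3333-3333-3333-333333333333"}}
""")


def allow_mask(namespaces, namespace_name, action_names):
    """Return (namespaceId, mask) with only the requested action bits set."""
    ns = next(n for n in namespaces["value"] if n["name"] == namespace_name)
    bits = {a["name"]: a["bit"] for a in ns["actions"]}
    missing = [a for a in action_names if a not in bits]
    if missing:
        # Fail closed: never guess a bit value for an action the API did not list.
        raise KeyError(f"unknown actions in {namespace_name}: {missing}")
    mask = 0
    for name in action_names:
        mask |= bits[name]
    return ns["namespaceId"], mask


def build_ace_request(identity, project_id, repo_id, mask):
    """Build the POST body for one repository token and one identity."""
    if not project_id or not repo_id:
        raise ValueError("refusing to build a token broader than one repository")
    d = identity["Descriptor"]
    return {
        "token": f"repoV2/{project_id}/{repo_id}/",
        "merge": True,  # merge with existing entries instead of replacing them
        "accessControlEntries": [{
            # Descriptor is taken from the response: "<IdentityType>;<Identifier>".
            "descriptor": f'{d["IdentityType"]};{d["Identifier"]}',
            "allow": mask,
            "deny": 0,
            # Assumption: extendedInfo from the answer's body is left out here.
        }],
    }
```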