Managed Identity based authentication for the azure-pipelines scaler

[guidooliveira]

Proposal

Would it be possible to add support or a handler for the scaler to use a managed identity (when running on Azure) to either request a PAT token and use it transparently or to use the Bearer authentication for that. This would make having the PAT token storage(and associated rotation/management) optional, and make the usage a bit more seamless.

Use-Case

For Self-Hosted agents in AKS for example we need to generate a PAT token and store that (preferably in a secure way) and manage the expiration and possible leakage of the said token. for registering the scaler in the Node Pool.

Is this a feature you are interested in implementing yourself?

No

Anything else?

No response

[JorTurFer]

Hi,
Sadly, it's not possible atm because the Azure Pipelines API doesn't support it, the only authentication method supported is the PAT. Once AzPipelines team release another mechanism, we can include it

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

[tomkerkhove]

Hi, Sadly, it's not possible atm because the Azure Pipelines API doesn't support it, the only authentication method supported is the PAT. Once AzPipelines team release another mechanism, we can include it

Closing this issue for now because of the above. Feel free to re-open in the future once this is supported.

[davidharkis]

Support for Managed Identities on Azure DevOps is now in public preview

[guidooliveira]

Amazing!

[davidzenisu]

Awesome, would love to see that feature soon.
Together with federated workload identities (testing that out right now) this would completely remove PATs from our KEDA agent configurations!

[tomkerkhove]

@JorTurFer What do you think? Are you still using ADO at Lidl?

[JorTurFer]

Yes we do, and we have had a problem with an expired PAT this week xD
I think this feature is really useful and we should add it. In tandem with the support (from MSFT) in the agent side, the PATs can be totally removed.
I'm not sure if our infra is ready for it or we need to dome something else as we were talking by slack, but we should try to add the required infra and support it

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

[phmcder]

This looks like it relates to #4853 and #5013

[antiphon0]

+1 to this, just ran into having to replace the PAT by editing the secret in the cluster, which isn't the end of the world - that said, it'd be nice to just not have to worry about it at all. I know the DevOps API is weird with auth, though I think I was able to get my Function App to authenticate with the DevOps API using a managed identity, so I'd think something similar should be possible. https://medium.com/@relente/using-system-managed-identity-to-invoke-azure-devops-rest-api-7833bc988705

[rbnmk]

+1 For this feature. Would love to get rid of PATs at all ouf our clients for Self Hosted agent scenarios on AKS/Container Apps

[JorTurFer]

This feature has been already merged and shipped as part of v2.13, so I close the issue