【发布时间】:2021-06-03 17:47:08
【问题描述】:
我们正在使用 REST API 方法 (PUT) 通过为 PAT 分配最低级别的访问权限(范围)来更新 ADO 环境中的现有 AWS 服务连接。
访问级别是
- 服务连接(读取、查询和管理)
- 令牌(读取、更新和撤销)
直到过去几天,这都没有问题。我们能够使用 Azure Pipelines 定期更新服务连接。但从过去几天开始,它开始抛出 401 Unauthorized 错误。但它以前工作正常。不确定他们 (Azure) 是否在最新版本中进行了更改。
我试图通过一一增加访问范围的级别(在某个时候分配所有范围)来解决问题,但没有运气。但是,我能够更新服务连接,如果我将访问级别更改为完全访问而不是自定义定义。但授予个人访问令牌的完整访问权限并不是一个好主意。
我在这里遗漏了什么还是有办法以最低级别的访问控制更新服务连接?
此外,完全访问权限与使用所有范围自定义定义之间有什么区别,因为完全访问权限工作正常,但使用所有范围自定义定义不起作用。
下面是sn-p的代码供大家参考
$OrganizationName = ""
$ProjectName = ""
$PAT = ""
$AccessKeyID = ""
$SecretAccessKey = ""
$Serviceconnectionname = ""
function Update-AWSServiceConnection {
Write-Host "Executing the Update Service Connection Script.."
# Create the header to authenticate to Azure DevOps
Write-Host "Create the header to authenticate to Azure DevOps"
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($PAT)"))
$Headers = @{
Authorization = "Basic $token"
}
# Get the Project ID
Write-Host "Construct the API URL to get the project ID.."
$project = "https://dev.azure.com/" + "$OrganizationName/_apis/projects/$ProjectName ?api-version=6.0"
Write-Host "Project API URL :: $project"
try {
Write-Host "Get the Project [$ProjectName] ID.."
$response = Invoke-RestMethod -Uri $project -Headers $Headers -Method GET
$ProjectID = $response.id
if (!$ProjectID) {
Write-Host "ProjectID value is null"
Write-Error "Script step has been aborted." -ErrorAction stop
} else {
Write-Host "Project ID :: $ProjectID"
}
}
catch {
$ErrorMessage = $_ | ConvertFrom-Json
throw "Could not Get the project [$ProjectName] ID: $($ErrorMessage.message)"
}
# Get Endpoint ID Details
$endpoint = "https://dev.azure.com/" + "$OrganizationName/$ProjectName/_apis/serviceendpoint/endpoints?endpointNames=$Serviceconnectionname&api-version=6.0-preview.4"
try {
Write-Host "Get the Service Connection [$Serviceconnectionname] ID.."
$response = Invoke-RestMethod -Uri $endpoint -Headers $Headers -Method GET
$endpointId = $response.value.id
if (!$endpointId) {
Write-Host "Service Endpoint ID value is null"
Write-Error "Script step has been aborted." -ErrorAction stop
} else {
Write-Host "Service Endpoint ID :: $endpointId"
}
}
catch {
$ErrorMessage = $_ | ConvertFrom-Json
throw "Could not Get the service connection [$Serviceconnectionname] ID: $($ErrorMessage.message)"
}
# Create a body for the API call
$url = "https://dev.azure.com/" + "$OrganizationName/_apis/serviceendpoint/endpoints/$endpointId ?api-version=6.1-preview.4"
$body = @"
{
"data": {},
"id": "$endpointId",
"name": "UpdatedServiceEndpoint",
"type": "AWS",
"url": "https://aws.amazon.com/",
"description": null,
"authorization": {
"parameters": {
"username": "$AccessKeyId",
"password": "$SecretAccessKey"
},
"scheme": "UsernamePassword",
},
"isShared": false,
"isReady": true,
"owner": "Library",
"serviceEndpointProjectReferences": [
{
"name": "$Serviceconnectionname",
"projectReference": {
"id": "$ProjectID",
"name": "$ProjectName"
}
}
]
}
"@
try {
Write-Host "Updating the Service Connection [$Serviceconnectionname]"
$response = Invoke-RestMethod -Uri $url -Headers $Headers -Method PUT -Body $body -ContentType application/json
Write-Host "Connection Updated"
$response
}
catch {
Write-Host "An error occurred:"
Write-Host $_
}
}
Update-AWSServiceConnection
任何建议或 cmets 将不胜感激。
【问题讨论】:
标签: azure-devops