VSTS - Private Agent authentication with PAT (Personal Access Tokens)

  • Question

  • Hi,

    I was looking at the impact of moving from an on-prem TFS to VSTS and was trying out the "new" authentication for agents using Personal Access Tokens as mentioned here:

    https://www.visualstudio.com/en-us/docs/setup-admin/team-services/use-personal-access-tokens-to-authenticate

    I understood that the agent might just end up dead after a year because the maximum expiry time is a year. So I wanted to try it out and just revoked the PAT to check whether the error message would be easy to understand and avoid having a dev team look for the error for a long time.

    I was surprised that after revoking my PAT, the build and the release would just continue to work using the private agent. Even after restarting the agent and waiting for days, I have just queued a build and the agent processed it, with its release, just fine.

    Is that normal? After I revoked the PAT, should the behavior have been different?

    Monday, November 7, 2016 10:43 AM

Answers

  • That's normal and desired.

    For security reasons, we don't want to persist your PAT on the agent machines. The PAT is only used to register the agent. Upon registering we generate a JWT token specifically for that agent which only has permissions to listen to the queue. That JWT token is encrypted / stored securely and has limited rights.

    The build machine uses that JWT token to listen to the queue. When the server runs a build, it generates another time-bombed (life of the build) token which allows the build machine to get sources and write back to VSTS / TFS. The token represents a collection or project level service account (see the options tab on the definition). That token is never persisted and is only held by the agent and available to tasks. There is also an option to expose that token to ad-hoc scripts (ps1, cmd, sh).

    If you use agent config.cmd remove, that's why it will prompt you for the PAT again. Because we didn't store it. That's the one downside. But you can always remove the agent from the web UI and whack the agent folder if you've revoked the PAT.

    hth

    Bryan

    Tuesday, November 8, 2016 10:31 AM
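The three credentials Bryan describes (a PAT used once at registration, a long-lived listen-only agent token, and a per-build token that dies with the build) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not the VSTS or Azure DevOps agent code: the token format (HMAC-signed JSON instead of the real JWTs), the scope names `listen`, `read_source` and `write_results`, the lifetimes, the signing key and the PAT value are all constructed for the example. It replays the questioner's experiment: register, revoke the PAT, and show that the agent keeps listening while the per-job token still expires and the agent token still cannot write.

```python
"""Illustrative model of the agent token flow described in the thread.

Added teaching example; not the VSTS/Azure DevOps agent implementation.
Three credentials with different lifetimes and rights are modelled:
  * the PAT, checked once at registration and never stored by the agent;
  * a long-lived agent token scoped only to 'listen' on the pool queue;
  * a per-job token scoped to read_source/write_results that expires
    with the job.
Token format, scope names and lifetimes are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-signing-key"  # constructed server-side secret


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int, now: float) -> str:
    """Sign a payload carrying subject, granted scopes and an absolute expiry."""
    payload = {"sub": subject, "scopes": scopes, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, required_scope: str, now: float) -> dict:
    """Return the payload if signature, expiry and scope all check out; raise otherwise."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        raise PermissionError("token expired")
    if required_scope not in payload["scopes"]:
        raise PermissionError(f"scope {required_scope!r} not granted")
    return payload


class Server:
    """Stand-in for the service side: owns the PAT list and mints tokens."""

    def __init__(self):
        self.valid_pats = {"pat-constructed-123": "dominic"}  # constructed PAT -> owner

    def register_agent(self, pat: str, agent_name: str, now: float) -> str:
        if pat not in self.valid_pats:
            raise PermissionError("PAT invalid or revoked")
        # Agent token: long-lived, listen-only. The PAT itself is not kept.
        return issue_token(f"agent:{agent_name}", ["listen"], 365 * 86400, now)

    def revoke_pat(self, pat: str) -> None:
        self.valid_pats.pop(pat, None)

    def queue_job(self, agent_token: str, now: float, job_seconds: int) -> str:
        """Only a valid listen token gets a job; the job token dies with the job."""
        verify_token(agent_token, "listen", now)
        return issue_token("svc:project-build", ["read_source", "write_results"],
                           job_seconds, now)


def run_scenario() -> dict:
    """Replay the experiment from the question and record each outcome."""
    server = Server()
    t0 = 1_700_000_000.0  # constructed clock value
    results = {}
    agent_token = server.register_agent("pat-constructed-123", "build01", t0)
    server.revoke_pat("pat-constructed-123")  # what the questioner did

    # Days later the agent still listens: its token never depended on the PAT.
    later = t0 + 3 * 86400
    job_token = server.queue_job(agent_token, later, job_seconds=600)
    results["job_subject_during_job"] = verify_token(job_token, "write_results", later + 60)["sub"]

    for key, token, scope, at in (
        ("job_token_after_expiry", job_token, "write_results", later + 601),
        ("agent_token_for_write", agent_token, "write_results", t0),
    ):
        try:
            verify_token(token, scope, at)
            results[key] = "accepted"
        except PermissionError as err:
            results[key] = str(err)

    try:  # re-registering (or config.cmd remove) needs a live PAT again
        server.register_agent("pat-constructed-123", "build02", t0)
        results["reregister_with_revoked_pat"] = "accepted"
    except PermissionError as err:
        results["reregister_with_revoked_pat"] = str(err)
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point for a defender is in the last three results: revoking the PAT stops new registrations but not an already registered agent, so an agent that should no longer run has to be removed from the pool on the server side (the web UI step Bryan mentions), and the build-time token is the one whose blast radius is bounded by expiry and scope.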

All replies

  • Hello,

    We are checking on the query and will get back to you soon on this.

    Apologies for the inconvenience; we appreciate your time and patience in this matter.

    Regards,

    Tuesday, November 8, 2016 7:10 AM
  • Hi Bryan,

    Thanks for clearing this up!

    When I revoked the PAT, I was mostly looking for the "experience" the dev team would have when the token expires.

    Imagine we set up an agent on a build/deploy server using a year-long token. I guess that after the year, the next build or release might just end up dead and people might have forgotten about that PAT.

    I wondered whether the build would have a clear error message and prevent the dev team from debugging builds for a long time before remembering this PAT expiration.

    Dominc

    Tuesday, November 8, 2016 11:08 AM