
Overview:

Azure Git Repositories (Azure Repos) allow developers to manage their source code through Git repositories hosted on Azure DevOps. Access to these repositories can be secured and managed using Personal Access Tokens (PATs). A token authenticates and authorizes access to the repositories without the user having to enter credentials manually. Because a leaked token grants the same access as the user who created it, every token carries an expiry date.

Token Expiry

  1. Personal Access Tokens (PATs):

    • Purpose: PATs are used to authenticate access to Azure Repos and other Azure DevOps resources.

    • Creation: Tokens can be generated from the Azure DevOps portal under user settings.

    • Scope: Tokens can be scoped to specific permissions, such as read, write, or manage, so that only the minimum access required for the task is granted.

  2. Expiry Management:

    • Default Expiry: When creating a PAT, the user must set an expiry duration. Typical choices are 30 days, 90 days, or a custom duration up to a maximum of one year.

    • Notification: Azure DevOps provides notifications before the token expires. Users receive emails warning them of the impending expiry so they can renew or create a new token.

    • Auto-Renewal: PATs cannot be auto-renewed for security reasons. Users must manually regenerate the token before it expires to maintain continuous access.

  3. Token Lifecycle:

    • Creation: A user generates a new PAT through the Azure DevOps portal, selecting the necessary scope and expiry duration.

    • Usage: The token is then used in place of passwords for API access, Git operations (clone, push, pull), and other authenticated interactions with Azure DevOps services.

    • Renewal: Before the token expires, users must generate a new token to replace the old one. This involves creating a new PAT and updating any services or scripts that use the old token.

    • Revocation: Users can revoke a PAT at any time if it is compromised or no longer needed.

  4. Security Considerations:

    • Minimal Scope: Assign the least privilege necessary for the task to reduce the risk if the token is compromised.

    • Short Lifespan: Use the shortest feasible lifespan for tokens to limit the window of exposure.

    • Monitoring: Regularly monitor and audit the use of PATs within the organization.

    • Storage: Securely store PATs, avoiding hardcoding them in scripts or source code. Use environment variables or secure vault services for storage.
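The points under Token Lifecycle and Security Considerations above (the token is sent in place of a password, it is kept out of source code, and it is rotated before it expires) can be turned into a small helper. The following is an added example written for this page, not code from Azure DevOps or from the original author. It reads the PAT from an environment variable, builds the HTTP Basic header that Azure DevOps accepts for PAT authentication (empty user name, PAT as the password), and reports whether the token is inside the rotation window. The variable names AZURE_DEVOPS_PAT and AZURE_DEVOPS_PAT_EXPIRES, the 7-day warning threshold, and the sample values are this example's own assumptions; the expiry date is assumed to have been recorded by the operator when the token was created, since the token itself does not encode it.

```python
"""Added example: handle an Azure DevOps PAT the way the page recommends.

Assumptions (not from the original page): the environment variables
AZURE_DEVOPS_PAT (the token) and AZURE_DEVOPS_PAT_EXPIRES (its expiry date
as YYYY-MM-DD, recorded when the token was created) are this script's own
convention, and WARN_DAYS is an arbitrary rotation window.
"""
import base64
import os
from datetime import date

# Start warning this many days before the recorded expiry date (assumed value).
WARN_DAYS = 7


def basic_auth_header(pat: str) -> str:
    """Build the Authorization header value Azure DevOps expects for a PAT.

    The user name is left empty and the PAT is used as the password, then the
    pair is base64-encoded as in ordinary HTTP Basic authentication.
    """
    if not pat:
        raise ValueError("PAT must not be empty")
    raw = f":{pat}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def days_until_expiry(expires_on: str, today: str) -> int:
    """Days left before the token expires; negative once it has expired."""
    return (date.fromisoformat(expires_on) - date.fromisoformat(today)).days


def expiry_status(expires_on: str, today: str, warn_days: int = WARN_DAYS) -> str:
    """Classify the token as 'ok', 'rotate-soon' or 'expired'."""
    remaining = days_until_expiry(expires_on, today)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "rotate-soon"
    return "ok"


def load_pat_from_env(env=None) -> tuple[str, str]:
    """Read the PAT and its recorded expiry date from the environment.

    Reading from the environment keeps the token out of scripts and source
    control, as the Storage bullet above recommends.
    """
    env = os.environ if env is None else env
    pat = env.get("AZURE_DEVOPS_PAT")
    expires = env.get("AZURE_DEVOPS_PAT_EXPIRES")
    if not pat or not expires:
        raise RuntimeError("AZURE_DEVOPS_PAT and AZURE_DEVOPS_PAT_EXPIRES must be set")
    # Validate the date format early so a typo fails here, not at expiry check time.
    date.fromisoformat(expires)
    return pat, expires


def redact(pat: str) -> str:
    """Mask a token for log output, keeping only the last four characters."""
    return "*" * max(0, len(pat) - 4) + pat[-4:]


if __name__ == "__main__":
    # Constructed sample environment; this is not a real token.
    sample_env = {
        "AZURE_DEVOPS_PAT": "exampletoken1234",
        "AZURE_DEVOPS_PAT_EXPIRES": "2025-01-31",
    }
    pat, expires = load_pat_from_env(sample_env)
    today = "2025-01-27"
    print(f"token {redact(pat)} expires {expires}: {expiry_status(expires, today)}")
    header = basic_auth_header(pat)
    # A client would send this as: headers={"Authorization": header}
    print("Authorization header built, length", len(header))
```

Run it as a pre-step in a job that uses the token: a result of rotate-soon is the cue to create the replacement PAT and update the stored secret before the old one stops working, and the redacted form is what should appear in any log line, never the token itself.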

  5. Automated Workflows:

    • CI/CD Pipelines: When using PATs in CI/CD pipelines, ensure they are securely managed and rotated regularly.

    • Service Principals: For long-term, automated access, consider using service principals or managed identities with more robust security and lifecycle management features.
