We are setting up a new pipeline in Azure Pipelines which performs a git commit to an Azure DevOps repository. The pipeline is executed by a Windows self-hosted agent. The agent is already registered using a token from a user with administrative privileges, but when the pipeline is launched we see that the git commit is being executed by a different user who has no permissions to access the repository. We would like to define a different user for this git commit step.
After reading the Azure Pipelines documentation, I see that there are three different authentication tokens used by an agent:
- Agent registration token: used only when registering the agent in the agent pool
- Listener OAuth token: used by the agent when listening for new jobs
- Job-specific OAuth token: used by the agent when running an individual job
This part of the documentation leads us to think that the job-specific OAuth token is the one we need to change for our purposes:

> When a job is available, the agent downloads the job as well as a job-specific OAuth token. This token is generated by Azure Pipelines/TFS for the scoped identity specified in the pipeline. That token is short lived and is used by the agent to access resources (e.g., source code) or modify resources (e.g., upload test results) on Azure Pipelines or TFS within that job.

How or where in Azure Pipelines can we change this job-specific OAuth token which the self-hosted agent uses when executing a pipeline?
Any help or clarification about this topic would be much appreciated.