In our Azure DevOps implementation, we have the need to move packages between package management Feeds that live in different organizations. Our current implementation uses 2 Personal Access Tokens (PATs), one with read access to the source organizations' Feeds and the second with write access to the destination organizations' Feeds. This solution works for our current needs, but because of the maintenance required around using PATs, we are exploring alternative implementations.
One avenue that we are currently looking at is using using the SYSTEM_ACCESSTOKEN as described at https://docs.microsoft.com/en-us/azure/devops/pipelines/scripts/powershell?view=vsts#oauth, among other places. We're using this token in other pipelines that operate within the same organization and it works as expected. In some cases we've had to add the "Project Collection Build Service ({org-name})" user to the appropriate security groups to access the functionality needed.
The pipeline that performs the move lives in the destination organization. I'm assuming that if we use the SYSTEM_ACCESSTOKEN in our powershell, then it will run under the credentials of the "Project Collection Build Service ({destination-org-name})", in which case it likely won't have access to the Feeds in the source organization. Is this a correct assumption? If so, is there some way to get the OAuth Token for the source organization somehow?
If there is not a way to get the OAuth Token for the source organization, is there some other way that we can move packages between Feeds that live in other organizations? Is our current implementation the only way to accomplish this?
