3
votes

Background

I have NuGet packages in a private NuGet feed on Azure DevOps and I am trying to consume them from on-prem TFS.

This worked, but only for a few hours

In Azure DevOps, I navigated to Artifacts -> Connect to feed and clicked the link "Download NuGet + Credential Provider". When running CredentialProvider.VSS.exe -U URL_TO_FEED I got a JWT token.

In TFS on-prem, I navigated to the "NuGet restore" step in the build definition. At "Feeds and authentication" I selected "Feeds in my NuGet.config" and at "Credentials for feeds outside this account/collection" I clicked "Manage". In the "Add new Team Foundation Server/Team Services Connection" dialog box I selected "Token Based Authentication" and filled in the values. I put the token I got from CredentialProvider.VSS.exe in the field "Personal Access Token".

The NuGet packages were restored so everything seemed good, but the next day it didn't work any longer since the token was only valid for a few hours (I decoded it to verify).

Question

How am I supposed to make this work? It seems strange to use a "Personal Access Token" since it shouldn't be related to me as a person (in case I leave the organization for example). The username for the token generated by CredentialProvider.VSS.exe was VssSessionToken which might indicate that it's not a personal token related to me, but I don't know.

1
Potentially you could use Azure Artifacts Credential Provider; at least it helped me with a private feed issue. – alv

1 Answer

4
votes

PATs (Personal Access Tokens) are pretty much the way to go for Azure Artifacts feeds, as they are the generic way to provide access to different parts of Azure DevOps.

If you are worried about the fact that they are personal it might be a solution to use a service account to generate the tokens.

If you want a PAT that has a longer lifetime, it might be easier to create one yourself (see https://docs.microsoft.com/en-us/azure/devops/artifacts/nuget/nuget-exe?view=azure-devops&tabs=new-nav#add-a-feed-to-nuget-2 for instructions).

In short, you will create a PAT with the 'Packaging (read)' permission, so as to limit the possibility of abuse.

Two things to take into account:

  • PATs always have an expiration date, so you will need to keep track of that.
  • PATs give access to the Azure DevOps API as the user that created them, so make sure they are not accessible and limit the permissions as much as possible.
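
The lifetime check the question mentions (decoding the JWT returned by CredentialProvider.VSS.exe), written out as an added example that is not part of the original posts. The function names, the 30-day threshold and the sample token are assumptions made for illustration; only the standard `exp` claim is read, and the signature is not verified.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def seconds_remaining(token, now=None):
    """Seconds until the standard 'exp' claim (RFC 7519) is reached."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        raise ValueError("token carries no exp claim")
    return float(claims["exp"]) - (time.time() if now is None else now)


def long_enough_for_build_server(token, min_days=30, now=None):
    """False for short-lived session tokens that would break the build within days."""
    return seconds_remaining(token, now) >= min_days * 86400


def make_sample_token(exp):
    """Constructed, unsigned sample token; stands in for a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"exp": exp}), "constructed"])


if __name__ == "__main__":
    now = time.time()
    sample = make_sample_token(int(now) + 4 * 3600)  # constructed: four-hour lifetime
    # Report the lifetime only; never write the token itself to a build log.
    print(f"hours left: {seconds_remaining(sample, now) / 3600:.1f}")
    print("usable as stored credential:", long_enough_for_build_server(sample, now=now))
```

Running a check like this before pasting a token into the service connection shows up front whether it will outlive the next few builds.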