1
votes

I'm trying to check when a PAT token is expiring so I can create an alert/notification if a specific token is expiring soon and replace it before it expires.

There is an API to query all PATs within an organization: https://docs.microsoft.com/en-us/rest/api/azure/devops/tokenadmin/personal%20access%20tokens/list?view=azure-devops-rest-5.1

Sadly this API requires write permissions on the org itself which I don't have. With the script below I get the following error: azure.devops.exceptions.AzureDevOpsServiceError: Access Denied: XXX needs the following permission(s) to perform this action: Edit instance-level information

This brings me to my question: Is there a way / an API to query my personal PATs without permissions on the org itself?

Here is the current draft of the Python script to check the PAT for reference:

#!/usr/bin/env python

from msrest.authentication import BasicAuthentication
from azure.devops.connection import Connection

# Fill in with your personal access token and org URL
personal_access_token = 'XXX'
organization_url = 'https://dev.azure.com/XXX'

# Create a connection to the org
credentials = BasicAuthentication('', personal_access_token)
connection = Connection(base_url=organization_url, creds=credentials)

# Get personal subject_descriptor by mail
graph_client = connection.clients_v6_0.get_graph_client()
user_descriptor = None
continuation_token = None

while True:
    graph_response = graph_client.list_users(continuation_token=continuation_token)
    continuation_token = graph_response.continuation_token
    for u in graph_response.graph_users:
        if u.mail_address == "my@mail":
            user_descriptor = u.descriptor
            break
    # Stop paging once the user is found or there are no more pages
    if user_descriptor is not None or continuation_token is None:
        break

# Get a client for token admin
token_admin_client = connection.clients_v6_0.get_token_admin_client()

# Get list of personal access tokens
tokens_response = token_admin_client.list_personal_access_tokens(user_descriptor)

print(tokens_response)
1
Hi @Florian Schwab, is there any update for this issue? Feel free to let me know if my answer helps to resolve your issue. Just a reminder of this. - Kevin Lu-MSFT

1 Answer

3
votes

Is there a way / an API to query my personal PATs without permissions on the org itself?

Based on my test, this API indeed exists. This API doesn't exist in official documents.

We could get it in Browser Console -> Network tab.

API

Here is the template:

https://vssps.dev.azure.com/Org name/_apis/Token/SessionTokens?displayFilterOption=1&createdByOption=3&sortByOption=3&isSortAscending=true&startRowNumber=1&pageSize=100&api-version=5.0-preview.1

This REST API doesn't need to have the Edit instance-level information permission.

You just need to grant the "Token Administration" scope to the personal access token. Then you could run the API successfully.

PAT Scope

Hope this helps.
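
An added example, not part of the original question or answer: a standard-library sketch that calls the URL template above and lists tokens that expire within a given window, so they can be rotated in time. Because the endpoint is undocumented, the response field names (`sessionTokens`, `displayName`, `validTo`), the UTC timestamp format, and the environment variable names `AZDO_ORG` and `AZDO_PAT` are assumptions; the sample payload is constructed.

```python
import base64
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Query string taken verbatim from the answer's URL template.
QUERY = ("displayFilterOption=1&createdByOption=3&sortByOption=3&isSortAscending=true"
         "&startRowNumber=1&pageSize=100&api-version=5.0-preview.1")

# Constructed sample response; the field names are assumptions about this undocumented API.
SAMPLE = {"sessionTokens": [
    {"displayName": "ci-pipeline", "validTo": "2024-03-10T08:00:00.1234567Z"},
    {"displayName": "local-git", "validTo": "2024-09-01T00:00:00Z"},
    {"displayName": "old-script", "validTo": "2024-02-20T12:00:00.5Z"},
]}

def session_tokens_url(org):
    return f"https://vssps.dev.azure.com/{quote(org, safe='')}/_apis/Token/SessionTokens?{QUERY}"

def fetch_session_tokens(org, pat):
    """Call the endpoint with the PAT as the Basic-auth password (empty user name)."""
    auth = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(session_tokens_url(org), headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def parse_ts(value):
    """Parse 'YYYY-MM-DDTHH:MM:SS[.fraction]Z', dropping the fraction (assumed to be UTC)."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def expiring(payload, now, within_days=14):
    """Return (name, valid_to, days_left) for tokens that expire within the window, soonest first.
    Tokens that have already expired are included with a negative days_left."""
    cutoff = now + timedelta(days=within_days)
    hits = []
    for tok in payload.get("sessionTokens", []):
        valid_to = parse_ts(tok["validTo"])
        if valid_to <= cutoff:
            hits.append((tok.get("displayName", "?"), valid_to, (valid_to - now).days))
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    # Read the PAT from the environment instead of hard-coding it in the script.
    org, pat = os.environ.get("AZDO_ORG"), os.environ.get("AZDO_PAT")
    payload = fetch_session_tokens(org, pat) if org and pat else SAMPLE
    for name, valid_to, days in expiring(payload, datetime.now(timezone.utc)):
        print(f"{name}: expires {valid_to:%Y-%m-%d} ({days} days left)")
```

Without the two environment variables set, the script runs against the constructed sample only and makes no network request.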