RazorSPoint

What happens to my agent, when the PAT token on VSTS expires?

Sebastian Schütze

The short answer is: Nothing. It just works!

Whaaat?

To back up a bit: I just found an interesting post on the MSDN forums asking why the agent keeps working even after the PAT from VSTS has expired or been revoked.

The answer is simple and makes a lot of sense. For security reasons, Microsoft does not want to store the token on the agent. The PAT is only used to register the agent in an agent pool on your TFS or VSTS instance; after that, the token is never used again. A PAT carries the permissions of the user who created it, so leaving it on every build machine would be a far bigger exposure than the agent-specific, listen-only token the agent is handed instead.

https://social.msdn.microsoft.com/Forums/en-US/431f9a06-db69-49d4-8bc0-3bff9911f959/vsts-private-agent-authentication-with-pat-personal-access-tokens

To quote the original answer from the Microsoft employee:

“That’s normal and desired. For security reasons, we don’t want to persist your PAT on the agent machines. The PAT is only used to register the agent. Upon registering we generate a JWT token specifically for that agent which only has permissions to listen to the queue. That JWT token is encrypted / stored securely and has limited rights. The build machine uses that JWT token to listen to the queue. When the server runs a build, it generates another time-bombed (life of the build) token which allows the build machine to get sources and write back to VSTS / TFS. The token represents a collection- or project-level service account (see options tab on definition). That token is never persisted and only held by the agent and available to tasks. There is also an option to expose that token to ad-hoc scripts (ps1, cmd, sh). If you use agent config.cmd remove, that’s why it will prompt you for the PAT again. Because we didn’t store it. That’s the one downside. But, you can always remove the agent from the web UI and whack the agent folder if you’ve revoked the PAT.”

— Bryan MacFarlane (Microsoft)

So the only time you need to worry about having a valid PAT is when you run the config script to register (or remove) the agent. At that moment you need a valid PAT every time; while the agent is running, an expired or revoked PAT changes nothing.
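As an added example that is not part of the original post: a small bash script that registers a Linux agent with a PAT read from the environment and then checks that the PAT string does not appear anywhere in the agent folder, which is the check you would want to run if you take the quoted answer at its word. The sample agent folder and the credentials-style JSON file in it are constructed here to stand in for what registration leaves behind; they are not a copy of the real agent's files. The organization URL, pool name and agent name are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): after registering a self-hosted
# agent with a PAT, verify that the PAT string was not persisted in the agent
# folder. The folder created by make_sample_agent_dir is constructed for
# illustration and does not reproduce the real agent's file layout.

# Returns 0 if the PAT string is found in any file under DIR, 1 otherwise.
# grep -r descends into dotfiles as well, so hidden credential files are covered.
pat_persisted_in_dir() {
    local dir="$1" pat="$2"
    grep -rqF -- "$pat" "$dir" 2>/dev/null
}

# Constructed stand-in for an agent folder after registration: a credentials
# file that references OAuth endpoints and an agent id, but contains no PAT.
make_sample_agent_dir() {
    local dir
    dir="$(mktemp -d)"
    cat > "$dir/.credentials" <<'EOF'
{
  "scheme": "OAuth",
  "data": {
    "clientId": "00000000-0000-0000-0000-000000000000",
    "authorizationUrl": "https://example.invalid/_apis/oauth2/token"
  }
}
EOF
    printf '%s\n' "$dir"
}

# Registration step, shown for context and not executed here. The PAT comes
# from the environment so that it never lands in a script file; the URL, pool
# and agent name are placeholders. Removing the agent later needs a valid PAT
# again, exactly because the agent did not keep it:
#   ./config.sh remove --auth pat --token "$VSTS_PAT"
register_agent_example() {
    : "${VSTS_PAT:?set VSTS_PAT before registering}"
    ./config.sh --unattended \
        --url "https://dev.azure.com/yourorg" \
        --auth pat --token "$VSTS_PAT" \
        --pool Default --agent "$(hostname)"
}

# Post-registration check: returns 1 (and warns) if the PAT is on disk.
verify_pat_not_persisted() {
    local dir="$1" pat="$2"
    if pat_persisted_in_dir "$dir" "$pat"; then
        echo "WARNING: PAT found in a file under $dir" >&2
        return 1
    fi
    echo "OK: PAT not found under $dir"
    return 0
}

# Self-contained demo against the constructed folder: ./check_pat.sh demo
# For a real agent: verify_pat_not_persisted /path/to/agent "$VSTS_PAT"
if [ "${1:-}" = "demo" ]; then
    demo_dir="$(make_sample_agent_dir)"
    verify_pat_not_persisted "$demo_dir" "constructed-pat-value"
    rm -rf "$demo_dir"
fi
```

On Windows the same idea applies with config.cmd and a recursive Select-String over the agent folder. The check is deliberately a plain string search rather than a parser of the agent's credential files, so it keeps working regardless of how those files are laid out; what it cannot tell you is whether the PAT survived somewhere else, such as shell history or a CI log, so pass it via the environment as above rather than typing it on a command line.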


Sebastian is an Azure nerd with a focus on DevOps and Azure DevOps (formerly VSTS) who converted from the big world of SharePoint and O365. He has been working with O365 since 2013 and has loved it ever since. As his focus shifted in 2017 to more DevOps-related topics in the Microsoft stack, he learned to love the possibilities of automation. Besides writing articles for his blog and German magazines, he still contributes to the SharePoint Developer Community (and PnP SharePoint) to help make the ALM part a smoother place to live in.
