Migrate dn-bot-dnceng-workitems-rw PAT to Managed Identity#6484

Open
missymessa wants to merge 3 commits into main from dev/copilot/migrate-dn-bot-dnceng-workitems-rw

Conversation

@missymessa
Member

DotNet.Status.Web uses dn-bot-dnceng-workitems-rw to read/write AzDO work items in the dnceng org. The AzureDevOpsClient already supports MI auth via ManagedIdentityClientId.

Changes

  1. settings.json: Remove AccessToken vault reference from AzureDevOps:dnceng section
  2. settings.Production.json: Add ManagedIdentityClientId for dotneteng-status system-assigned MI (18a50a03-5832-4fc4-9a77-08efb53631c9)
  3. settings.Staging.json: Add ManagedIdentityClientId for dotneteng-status-staging system-assigned MI (c6a4f831-a059-48bf-873d-4c9766ff6c26)
  4. dotneteng-status-secrets.yaml: Remove dn-bot-dnceng-workitems-rw secret definition

Infrastructure completed

  • Prod MI (dotneteng-status) enrolled in dnceng AzDO org with Stakeholder entitlement + [internal]\Contributors
  • Staging MI (dotneteng-status-staging) enrolled in dnceng AzDO org with Stakeholder entitlement + [internal]\Contributors

How it works

When ManagedIdentityClientId is set and AccessToken is empty, AzureDevOpsClient creates a ManagedIdentityCredential and uses bearer tokens for all AzDO API calls. The base settings.json still sets Organization and MaxParallelRequests; the environment overlays add the MI client ID.

Rollback

If issues arise, re-add "AccessToken": "[vault(dn-bot-dnceng-workitems-rw)]" to the AzureDevOps:dnceng section in settings.json and re-add the secret definition to the vault manifest.

Resolves AB#10113

DotNet.Status.Web uses this PAT to read/write AzDO work items in the
dnceng org. The AzureDevOpsClient already supports MI auth.

Changes:
- settings.json: Remove AccessToken vault reference from AzureDevOps:dnceng
- settings.Production.json: Add ManagedIdentityClientId for dotneteng-status
- settings.Staging.json: Add ManagedIdentityClientId for dotneteng-status-staging
- dotneteng-status-secrets.yaml: Remove dn-bot-dnceng-workitems-rw secret def

The system-assigned MIs have been enrolled in the dnceng AzDO org
with Stakeholder entitlement and [internal]\Contributors group membership.

Address review feedback: system-assigned identities should not pass a
client ID to ManagedIdentityCredential. Add a UseManagedIdentity boolean
to AzureDevOpsClientOptions that enables MI auth. When set without a
ManagedIdentityClientId, the client creates ManagedIdentityCredential()
(system-assigned). When a client ID is also provided, it creates
ManagedIdentityCredential(clientId) (user-assigned).

- Replace ManagedIdentityClientId with UseManagedIdentity: true in
  settings.Production.json and settings.Staging.json
- Update AzureDevOpsClient constructor to branch on the new flag
- Split bearer auth test into user-assigned and system-assigned cases
- Remove placeholder client IDs from post-deployment tests

Both dn-bot-dnceng-workitems-rw (this PR) and
dn-bot-dnceng-build-rw-code-rw-release-rw (PR #6485) are removed.
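As an added example, not code from DotNet.Status.Web or from this PR, the credential selection the description and the review-feedback commit lay out: a PAT when AccessToken is set, ManagedIdentityCredential() for a system-assigned identity when UseManagedIdentity is true without a client ID, ManagedIdentityCredential(clientId) when one is also given, and a hard failure when nothing is configured. The option names and AzureDevOpsClientOptions come from the PR; the Azure DevOps token scope, the basic-auth PAT path and the method names are assumptions.

```csharp
// Added example (not DotNet.Status.Web's own code). Option names come from the
// PR; AzdoScope, CreateAuthProvider and the PAT basic-auth path are assumptions.
using System;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public sealed class AzureDevOpsClientOptions
{
    public string Organization { get; set; }
    public string AccessToken { get; set; }              // legacy PAT; empty after the migration
    public bool UseManagedIdentity { get; set; }         // flag added in the review-feedback commit
    public string ManagedIdentityClientId { get; set; }  // only for user-assigned identities
}

public static class AzureDevOpsAuth
{
    // Well-known Azure DevOps resource application id used as the token scope.
    private const string AzdoScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    // Returns a producer of Authorization headers; fails closed when nothing is configured
    // and refuses an ambiguous config that sets both a PAT and the MI flag.
    public static Func<CancellationToken, Task<AuthenticationHeaderValue>> CreateAuthProvider(
        AzureDevOpsClientOptions o)
    {
        if (!string.IsNullOrEmpty(o.AccessToken))
        {
            if (o.UseManagedIdentity)
                throw new InvalidOperationException("Set either AccessToken or UseManagedIdentity, not both.");
            // PAT path: basic auth with an empty user name (assumed, matches AzDO PAT usage).
            string basic = Convert.ToBase64String(Encoding.ASCII.GetBytes(":" + o.AccessToken));
            return _ => Task.FromResult(new AuthenticationHeaderValue("Basic", basic));
        }
        if (!o.UseManagedIdentity)
            throw new InvalidOperationException("No AzDO credential configured for org " + o.Organization);

        // System-assigned: no client id is passed. User-assigned: the client id selects the identity.
        TokenCredential cred = string.IsNullOrEmpty(o.ManagedIdentityClientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(o.ManagedIdentityClientId);

        return async ct =>
        {
            var token = await cred.GetTokenAsync(new TokenRequestContext(new[] { AzdoScope }), ct);
            return new AuthenticationHeaderValue("Bearer", token.Token);
        };
    }
}
```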