Support Azure Devops OAuth via Service Principal to checkout Git repositories
Thomas Abbe
meshStack currently integrates with Azure DevOps in two ways:
- Checking out Git repositories for Building Block Definitions — currently only via SSH keys
- Triggering Azure DevOps Pipelines from Building Blocks — currently only via Personal Access Tokens (PATs)
Both approaches share the same fundamental problem: they rely on legacy, user-bound credentials that are painful to manage:
- Tied to individual Entra ID user accounts
- Require manual secret/key rotation (often enforced annually by org policy)
- PATs expire and must be re-issued manually
- SSH key management is complex and not fully automatable
Requested Feature
Add support for Service Principal authentication with Workload Identity Federation (WIF) as the authentication method for both Azure DevOps integrations in meshStack:
- Git repository checkout — authenticate to Azure DevOps Git repos using a Service Principal (via Entra ID / WIF), replacing SSH keys
- Pipeline triggers — authenticate to the Azure DevOps REST API to trigger pipelines using a Service Principal (via WIF), replacing PATs
This aligns with Microsoft's own recommendation for Azure DevOps integrations:
And leverages the same Workload Identity Federation mechanism meshStack already supports for Azure platform integrations — enabling a consistent, secretless, keyless authentication story across all Azure DevOps touchpoints.
Benefits
- No secrets or SSH keys to rotate
- Service principal-scoped permissions (no user account dependency)
- Fully automatable — no manual credential management
- Consistent with modern Azure security best practices
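As an added illustration (not part of this request or of meshStack's own code) of the secretless flow described above: the workload's federated token is exchanged at Entra ID for an Azure DevOps access token, which then stands in for the SSH key on the Git checkout and for the PAT on the pipeline trigger. Tenant, client ID, organization, project and pipeline ID are placeholders, the Pipelines API version is assumed, and the injectable `post` parameter is a construction of this example so the exchange can be exercised without network access.

```python
import json
import urllib.parse
import urllib.request

# Well-known application ID of the Azure DevOps resource in Entra ID; the
# ".default" scope asks for a token that is accepted by dev.azure.com.
ADO_SCOPE = "499b84ac-1321-427f-aa17-267ca6975798/.default"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def token_request(tenant_id, client_id, federated_token):
    """client_credentials request: the workload's federated token (issued by the
    identity provider trusted in the WIF credential) is the client assertion."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "client_id": client_id,
        "grant_type": "client_credentials",
        "scope": ADO_SCOPE,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": federated_token,
    }
    return url, form

def _http_post_form(url, form):
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)

def acquire_ado_token(tenant_id, client_id, federated_token, post=_http_post_form):
    """Exchange the federated token for a short-lived Azure DevOps access token.
    `post(url, form) -> dict` is injectable (example assumption) for offline use."""
    body = post(*token_request(tenant_id, client_id, federated_token))
    if "access_token" not in body:
        raise RuntimeError(f"token exchange failed: {body.get('error_description', body)}")
    return body["access_token"]

def git_clone_argv(repo_url, access_token):
    """Clone over HTTPS with the token as a bearer header, replacing the SSH key.
    The header is passed per invocation and is not written to git config."""
    header = f"http.extraheader=AUTHORIZATION: bearer {access_token}"
    return ["git", "-c", header, "clone", repo_url]

def pipeline_run_request(org, project, pipeline_id, access_token, branch="main"):
    """Pipelines REST call that starts a run with the same token in place of a PAT
    (api-version 7.1 assumed)."""
    url = (f"https://dev.azure.com/{org}/{project}/_apis/pipelines/"
           f"{pipeline_id}/runs?api-version=7.1")
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    body = {"resources": {"repositories": {"self": {"refName": f"refs/heads/{branch}"}}}}
    return url, headers, json.dumps(body)
```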
Jelle den Burger
Just a meta note, but I have rewritten this feature request to cover both Git repo checkouts & Azure Pipelines.
Fabian
Jelle den Burger thank you! do you have a rough estimate on when you will tackle this?
Jelle den Burger
Fabian Hey Fabian, I don't see this happening within the next ~3 months at least.
Are you more interested in the Git repo part or the Pipelines part?
Fabian
isn't this the same thing? the only one who still needs SSH keys for git checkout is the OpenTofu building block type, I think?
other building block types like Azure DevOps pipeline can reuse the Azure DevOps integration.
so what would need to happen is:
- integrate the Azure DevOps integration in OpenTofu
- make the Azure DevOps integration federated-auth based, and you've killed two birds with one stone?
Jelle den Burger
Fabian: Yes you are right that they are very closely related but they're also not exactly the same thing, at least not from our end.
I was curious which one is the most painful for you then we know which one to optimize for :-)
Jelle den Burger
This is a great idea that will enhance security a lot for Azure DevOps usage. Unfortunately this is not in focus right now as we are mainly investing into usage of GitHub & GitLab. Authentication will have to happen via SSH for the time being.
Jelle den Burger
Thanks a lot for your feature request, Thomas! We are actively on the lookout for better and easier ways to trigger Building Blocks via Git and Git providers like Azure DevOps. We will take your feedback into account when we build the next iteration of these Building Block triggers.
Thomas Abbe
Jelle den Burger Hi Jelle, thank you for the feedback. Just to be sure, the feature request was intended to make the building block configuration easier. From our side, we are not using triggers via Git.