Running a VSTS build agent without using a PAT
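I'm configuring a private/on-prem Windows build agent (vNext) for VSTS. I need to use a PAT, but that doesn't seem great in the long run, because the longest lifetime I can set for it is 1 year - so within a few years it will break and need to be renewed. Is there a more 'permanent' solution or is this the only option? The documentation suggests that PAT only applies to VSTS.
Thanks in advance!
You need to use a PAT.
Since most organizations require the passwords of all accounts to be changed more often than yearly, the chance of this becoming a big problem is almost zero.
Note: The PAT is only used to authenticate and get the secrets from the server that are used for comms. Once you have configured the agent, feel free to expire the PAT.
According to this article (Deploy an agent on Windows), you need to choose PAT for Team Services (step 9).
A colleague found the answer in the FAQ: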
https://www.visualstudio.com/en-gb/docs/build/admin/agents/v2-windows
How does the agent authenticate and communicate with the TFS AT?
The agent pool administrator role is needed only when you register an agent. At that time, the agent downloads an OAuth token so that it can listen to the queue. The account that you use in this role has no bearing on future communication between the agent and the TFS AT.
When a build is run, it generates an OAuth token for the scoped identity selected on the general tab of the build definition. That token is short lived and is used to access resources on the application tier.
Most importantly "The account that you use in this role has no bearing on future communication between the agent and the TFS AT."