07-31-2025 08:39 AM
At the moment I install python packages from our Azure DevOps feed with a PAT token as authentication mechanism. This works well, but I want to use a service principal instead of the PAT token.
The cluster is able to read the secret from the keyvault
The index URL is set to the correct feed
But I'm not able to install a package from the Azure DevOps feed
For the PAT token setup I'm using exactly the same configuration and that works fine.
Is what I'm trying to do not possible, or am I missing something?
Regards,
Marco
07-31-2025 12:46 PM - edited 07-31-2025 12:47 PM
Hi @Marco37 ,
Did you follow some guideline or documentation when you were trying to configure it?
At first glance it looks incorrect. In the following line you're trying to use a service principal as a token? If so, it definitely won't work.
pip config set global.index-url https://${AZ_DEVOPS_FEED_NAME}:${AZ_DEVOPS_TOKEN}@pkgs.dev.azure.com/${AZ_DEVOPS_ORG_NAME}/${AZ_DEVOPS_PROJECT_NAME}/_packaging/${AZ_DEVOPS_FEED_NAME}/pypi/simple
You can't simply substitute a service principal secret for a PAT token in the URL because they use different authentication flows.
Service principals require an OAuth2 flow to obtain an access token.
07-31-2025 01:18 PM
I have searched a lot for documentation, but it mostly ends with people falling back to the PAT tokens, or it just ends with nothing, or it is about connecting from Azure DevOps to Databricks (the opposite direction).
Do you have some documentation about using OAuth2, so that I can accomplish my goal?
Kind Regards,
Marco
08-01-2025 12:52 AM
Hi @Marco37 ,
So you need to use the client-credential flow to obtain an access token. Once you get the token, that should work as the password with an arbitrary username, in the same way as a PAT would.
Here's how you can obtain an access token for a service principal using an API call:
Alternatively, you can use the artifacts-keyring approach. According to the threads below, they added support for Managed Identity and Service Principal (but I think for SP they only support authentication with a certificate).
Connect your Python project to an Azure Artifacts feed - Azure Artifacts | Microsoft Learn
08-01-2025 06:37 AM
Thanks a lot szymon_dybczak,
I did try artifacts-keyring last week, but without success. I'm going to try the API call this coming week and will let you know the results.
Kind Regards,
Marco
08-04-2025 05:26 AM
I am able to retrieve the access token of my service principal (eyJ0eXAiOiJK....etc.), but I do not know how to use it in my pip config statement. I have tried to replace the value of the variable ${AZ_DEVOPS_TOKEN}, but that doesn't work.
Kind Regards,
Marco
08-04-2025 05:38 AM
Hi @Marco37 ,
According to the GitHub thread, you can use that access token in the following way (just replace your values). Let me know if that works. If you still encounter issues I can try to recreate this scenario in my environment:
TOKEN=your_token
pip install <package> --index-url "https://$TOKEN@<Organization>.pkgs.visualstudio.com/<Project>/_packaging/<Feed>/pypi/simple/"
08-04-2025 06:25 AM - edited 08-04-2025 06:36 AM
08-04-2025 07:34 AM - edited 08-04-2025 07:43 AM
Hi @Marco37 ,
Yep, this is probably a firewall issue. I've recreated your scenario and I can confirm that the approach I've described above will work. So, I created a Service Principal and assigned it the Feed Reader permission. Then I obtained an access token using the client credential flow and used that token in the following way.
TOKEN = YOUR_TOKEN
ORGANIZATION = YOUR_ORGANIZATION
PROJECT = YOUR_PROJECT
%pip install azure.identity --index-url "https://{TOKEN}@{ORGANIZATION}.pkgs.visualstudio.com/{PROJECT}/_packaging/MyTestFeed/pypi/simple/"
08-04-2025 07:45 AM
I've just noticed that you could also make a mistake when constructing your URL. You're using ${AZ_DEVOPS_ORG_NAME}, but this is not an f-string. Try the same approach as mine.
TOKEN = YOUR_TOKEN
ORGANIZATION = YOUR_ORGANIZATION
PROJECT = YOUR_PROJECT
%pip install azure.identity --index-url "https://{TOKEN}@{ORGANIZATION}.pkgs.visualstudio.com/{PROJECT}/_packaging/MyTestFeed/pypi/simple/"
08-06-2025 02:43 AM
Hi szymon_dybczak,
I have also tried it in my personal Azure subscription, so that I'm sure that all traffic is allowed, but I still can't get it to work.
TOKEN = "eyJ0eXAiOiJKV1QiLCJub25jZSI6InVnSVJ0a1pyLWdi................."
ORGANIZATION = "mhofman37"
PROJECT = "6121f0ba-31c2-407b-80e0-ccd1a57ce8e4"
%pip install adal --index-url "https://{TOKEN}@{ORGANIZATION}.pkgs.visualstudio.com/{PROJECT}/_packaging/test/pypi/simple/"
The service principal has permissions on the feed
Kind Regards,
Marco
08-06-2025 02:46 AM
Hi @Marco37 ,
When you tried again, did you regenerate the access token? They are short-lived, so you need to acquire a new one. It should work, I've verified it in my environment and I had no issue with authentication using a service principal.
08-06-2025 05:11 AM
Hi szymon_dybczak,
Yes, I have generated a new token each time, because they are only valid for one hour. Tomorrow I will discuss it with my colleagues. I must be overlooking something, because it does work in your environment.
I will let you know when I figure it out.
Thanks a lot for your help,
Marco
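Added example, not part of the original thread or anyone's posted code: a Python sketch of the pieces discussed above, namely the client-credentials token request for Azure DevOps, a pre-flight check of the token's expiry and audience, and the index URL with the token as the password. All function names are hypothetical, and the assumption that the `aud` claim contains the Azure DevOps resource ID is labelled in the code; the sample tokens are constructed and unsigned.

```python
import base64, json, time
from urllib.parse import quote, urlencode

# Azure DevOps resource ID, requested as "<id>/.default" in the client-credentials flow.
AZDO_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"

def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the Entra ID client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{AZDO_RESOURCE}/.default",
    })
    return url, body

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_problems(token, now=None):
    """Flag an expired token or one issued for a different resource."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    # Assumption: a token issued for Azure DevOps carries its resource ID in `aud`.
    if AZDO_RESOURCE not in str(claims.get("aud", "")):
        problems.append("wrong audience")
    return problems

def index_url(token, organization, project, feed, username="sp"):
    """Token as the password, arbitrary username, host form used in the thread."""
    cred = f"{quote(username, safe='')}:{quote(token, safe='')}"
    return (f"https://{cred}@{organization}.pkgs.visualstudio.com/"
            f"{project}/_packaging/{feed}/pypi/simple/")

def redact(url):
    """Mask the credential part so the URL can be logged or printed safely."""
    scheme, rest = url.split("://", 1)
    return f"{scheme}://***@{rest.split('@', 1)[1]}"

def sample_token(aud, exp):
    """Constructed, unsigned JWT for exercising the checks offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'exp': exp})}.sig"
```

Sending the request means POSTing the returned body to the returned URL as `application/x-www-form-urlencoded` and reading `access_token` from the JSON response. Print only `redact(url)` in notebook output, since the full index URL contains a live bearer token.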