Created
June 22, 2023 08:08
Renew ARM service connection secrets for Azure DevOps / convert them to manual. Note: once they're amended to be manual, you can manage secrets via the UI going forwards. This script is based on the initial script and info from https://rlevchenko.com/2022/03/04/azure-devops-update-service-connection-expired-secret/; thanks rlevchenko for this.
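Function Repair-AzureDevOpsConnection {
    <#
    .SYNOPSIS
    Sets a new service principal secret on an Azure DevOps ARM service connection and converts the connection to manual.

    .DESCRIPTION
    GETs the service endpoint definition, sets data.creationMode to 'Manual', removes data.spnObjectId and
    data.appObjectId, sets authorization.parameters.serviceprincipalkey to the new secret, then PUTs the
    modified definition back to the same endpoint URL.

    .PARAMETER AzureDevOpsPAT
    Personal access token used for basic authentication against dev.azure.com.

    .PARAMETER Org
    Azure DevOps organisation name (first path segment of the URL).

    .PARAMETER Project
    Project under which the service connection is configured.

    .PARAMETER ConnectionResourceId
    Id of the service connection (service endpoint) to update.

    .PARAMETER NewClientSecret
    New client secret of the service principal behind the connection.

    .OUTPUTS
    Whatever the PUT request returns.
    #>
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory)]
        [string]$AzureDevOpsPAT # bad practice to pass secrets as strings (they end up in command history and transcripts), but this is a quick and dirty
        ,
        [Parameter(Mandatory)]
        [string]$Org
        ,
        [Parameter(Mandatory)]
        [string]$Project
        ,
        [Parameter(Mandatory)]
        [string]$ConnectionResourceId
        ,
        [Parameter(Mandatory)]
        [string]$NewClientSecret # bad practice to pass secrets as strings (they end up in command history and transcripts), but this is a quick and dirty
    )

    # The PAT is sent as the basic-auth password with an empty user name.
    # note: we could instead use `invoke-restmethod -Authentication Basic -Credential $cred` if users are on PWSH
    $header = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$($AzureDevOpsPAT)")) }

    # Escape the caller-supplied values before they become URL path segments, so a space or a reserved
    # character (/, ?, #) in a name cannot change which resource the request addresses.
    $orgSegment = [uri]::EscapeDataString($Org)
    $projectSegment = [uri]::EscapeDataString($Project)
    $idSegment = [uri]::EscapeDataString($ConnectionResourceId)
    $endpointUri = "https://dev.azure.com/$orgSegment/$projectSegment/_apis/serviceendpoint/endpoints/$($idSegment)?api-version=6.0-preview.4"

    $connection = Invoke-RestMethod -Method GET -URI $endpointUri -Headers $header -ContentType "application/json"
    if ($null -eq $connection) {
        throw 'Nothing returned by GET request'
    }

    # Refuse to continue unless the response has the members modified below. A non-JSON response
    # (NOTE(review): a rejected PAT may produce a sign-in page instead of an error - confirm) would
    # otherwise fail later with a less helpful message, or be PUT back in a broken state.
    if ($null -eq $connection.data -or $null -eq $connection.authorization -or $null -eq $connection.authorization.parameters) {
        throw 'GET response is not a service endpoint definition (missing data or authorization.parameters); check the PAT, Org, Project and ConnectionResourceId'
    }

    Write-Verbose "CreationMode was [$($connection.data.creationMode)]; setting to [Manual]"
    $connection.data.creationMode = 'Manual'
    Write-Verbose "SpnObjectId was [$($connection.data.spnObjectId)]; removing"
    $connection.data.psobject.properties.remove('spnObjectId')
    Write-Verbose "AppObjectId was [$($connection.data.appObjectId)]; removing"
    $connection.data.psobject.properties.remove('appObjectId')
    # Only the fact of the update is logged; the secret itself never goes to the verbose stream.
    Write-Verbose "Updating ServicePrincipalKey (values not shown for security)"
    $connection.authorization.parameters.serviceprincipalkey = $NewClientSecret

    # -Depth 10 keeps nested members of the definition from being flattened to strings.
    $body = $connection | ConvertTo-Json -Depth 10
    # The charset is stated explicitly so non-ASCII characters in the definition (e.g. in its name)
    # are sent as UTF-8 rather than in the client's default encoding.
    Invoke-RestMethod -Method PUT -URI $endpointUri -Headers $header -ContentType "application/json; charset=utf-8" -Body $body
}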
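# Usage template: replace each <...> placeholder before running.
#
# The two secrets are prompted for instead of being typed into the command, where they would be kept
# in PSReadLine history and in any transcript. The function takes plain strings, so the SecureString
# values are unwrapped only at the call.

# PAT token, as generated at https://dev.azure.com/<Org>/_usersSettings/tokens
# (give it only the scope needed to manage service connections, and a short expiry)
$patSecure = Read-Host -Prompt 'Azure DevOps PAT' -AsSecureString

# The client secret value generated for your service connector's service principal; i.e. navigate to
# the service principal in AAD, delete the expired secret, create a new one, then paste that here
$clientSecretSecure = Read-Host -Prompt 'New client secret' -AsSecureString

Repair-AzureDevOpsConnection `
    -AzureDevOpsPAT ([System.Net.NetworkCredential]::new('', $patSecure).Password) `
    -Org <Your Azure DevOps Org (same as Org used in the PAT URI above)> `
    -Project <The project under which the service connections are configured> `
    -ConnectionResourceId <the resource id from the uri when you select the relevant service connector from https://dev.azure.com/cci-smartbike/smartbikev3/_settings/adminservices> `
    -NewClientSecret ([System.Net.NetworkCredential]::new('', $clientSecretSecure).Password) `
    -Verbose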