Use PAT Lifecyle Management APIs to generate dynamic/ephemeral PAT token for provider

[robertscully-wpp]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I have been making use of Federated Credentials for app registration to create dynamic tokens for Terraform executions using the Azure provider.

I would like to make use of the features of the PAT lifecycle API, as documented here, to generate an ephemeral PAT for managing Azure Devops using an Entra App Registration.

In this scenario, when an App Registration is configured to have Azure Devops API access with the user_impersonisation delegated permission, is it possible to use the same OIDC mechanism that the Azure provider uses to:

1. authenticate to Entra
2. generate an ephemeral token for the app registration
3. use this to generate the ephemeral PAT using the AzureDevops PAT lifecycle management API?
4. use the ephemeral PAT for the azuredevops provider

New or Affected Resource(s)

Potential Terraform Configuration

References

[jubr]

@robertscully-wpp you might not have to given #747 is released in v1.0.0

Also, a workaround was mentioned in the comments at #747 (comment)

[robertscully-wpp]

@jubr thanks for the feedback on here, will have a read through the comments and release notes.