This article describes how to configure a self-hosted agent. If you're using Azure DevOps Services and a Microsoft-hosted agent meets your needs, you can skip setting up a self-hosted macOS agent.

If you already know what an agent is and how it works, feel free to jump right in to the following sections. But if you'd like some more background about what they do and how they work, see Azure Pipelines agents.

Note: Not all Azure Pipelines tasks have been updated to support ARM64 yet.

Git - Git 2.9.0 or higher (latest version recommended - you can easily install with Homebrew).

TFVC - If you're building from a TFVC repo, see TFVC prerequisites.

If you're building from a Subversion repo, you must install the Subversion client on the machine.

You should run agent setup manually the first time. After you get a feel for how agents work, or if you want to automate setting up many agents, consider using unattended config.

Information security for self-hosted agents

The user configuring the agent needs pool admin permissions, but the user running the agent does not.

The folders controlled by the agent should be restricted to as few users as possible because they contain secrets that could be decrypted or exfiltrated.

The Azure Pipelines agent is a software product designed to execute code it downloads from external sources. It inherently could be a target for Remote Code Execution (RCE) attacks.

Therefore, it is important to consider the threat model surrounding each individual usage of Pipelines Agents to perform work, and decide what minimum permissions can be granted to the user running the agent, to the machine where the agent runs, to the users who have write access to the Pipeline definition, to the git repos where the YAML is stored, and to the group of users who control access to the pool for new pipelines.

It is a best practice to have the identity running the agent be different from the identity with permissions to connect the agent to the pool.