4

I want to add an SSH public key to the Azure DevOps account running my YAML pipeline. According to this post: Azure DevOps API Add public key, it has been possible at some point to upload the public key when authenticating with a PAT token.

I can access the Azure DevOps REST API from my pipeline and list repos etc. via the REST API, but I cannot figure out how to build the body for the query for uploading the public SSH key. So far I have this:

$uri = 'https://dev.azure.com/{MyOrg}/_usersSettings/keys'
$Headers = @{Authorization='Basic <encoded PAT>';'content-type'='application/json'}
$Body = @{
    displayName = 'MyKey'
    publicData = 'My Public Key starting with ssh-rsa '
    scope = 'app_token'
    isPublic = $true
} | ConvertTo-Json
Invoke-RestMethod -Uri $uri -Headers $Headers -Method POST -Body $Body

The above command produces no error as such, just a long HTML page.

Hints on how to upload the certificate to Azure DevOps by PowerShell or any other command-line option are very welcome.

UPDATE:

I tried extracting the Authentication Id off a post in the portal as described by Hugh Lin - MSFT: Portal upload of new SSH Public Key

Then I extracted the Authorization Id and added that to the payload of a new post. Before posting I also changed the displayName and the Public data, making the body look like this:

{
"contributionIds": ["ms.vss-token-web.personal-access-token-issue-session-token-provider"],
"dataProviderContext": {"properties": {
    "displayName": "AutoKey",
    "authorizationId": "48bef66f-798e-499b-94cc-720e48296bf7",
    "publicData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZA//Y+7vLd+P2F4WmIHpBPEMn/lPHPXrxHEJhhtnrNNZzgwIkWpgGQcuGQt2rmxEWYsSEV+CxTZcO7jig0yr8rsntUZJnCc86SVP22AfvE1rmRM/k+m6QRCBrSoHCAR+2ho/XoJ8iuZdvIV7qvV0Vk/N9rnf+KsJlK97RQWSc61rPl+7cUeXkBB8qsWOMeVxe9NhWH8DeWV+JG0nroTaZDrTq9BI5UDc7kqrRgwPCvqwT749C3k3cijxqEvK5bwWZ5NFaGj4CW8qRGXR5Sf6GJlQLgOrH+V2R7Ns5kLunD/Yy6RvSUiwokCyb3tDqBgB3W9lEtuxqcaYUwig0/GIF [email protected]",       
    "scope": "app_token",
    "targetAccounts": ["67ebc765-c850-4d22-b95f-1d3553xxxxxx"],
    "isPublic": true,
    "sourcePage": {
        "url": "https://dev.azure.com/cloudeonwest/_usersSettings/keys",
        "routeId": "ms.vss-admin-web.user-admin-hub-route",
        "routeValues": {
            "adminPivot": "keys",
            "controller": "ContributedPage",
            "action": "Execute",
            "serviceHost": "67ebc765-c850-4d22-b95f-1d3553bxxxxxx (Org)"
        }
    }
}}
}

Running the request resulted in the displayName being updated, but the publicData remained the same:

$answer.dataProviders.'ms.vss-token-web.personal-access-token-issue-session-token-provider'

clientId            : 00000000-0000-0000-0000-000000000000
accessId            : 52447de9-8c41-4d5b-bfdb-48b4eaxxxxxx
authorizationId     : 48bef66f-798e-499b-94cc-720e48296bf7
hostAuthorizationId : 00000000-0000-0000-0000-000000000000
userId              : 357d38ad-6712-69e1-adc3-be8caxxxxxx
validFrom           : 7/25/2020 3:26:51 PM
validTo             : 7/25/2025 3:26:51 PM
displayName         : AutoKey
scope               : app_token
targetAccounts      : {67ebc765-c850-4d22-b95f-1d3553xxxxxx}
token               :
alternateToken      :
isValid             : True
isPublic            : True
publicData          : BBBAB3NzaC1yc2EAAAADAQABAAABAQDZA//Y+7vLd+P2F4WmIHpBPEMn/lPHPXrxHEJhhtnrNNZzgwIkWpgGQcuGQt2rmxEWYsSEV+CxTZcO7jig0yr8rsntUZJnCc86SVP22AfvE1rmRM/k+m6QRCBrSoHCAR+2ho/XoJ8iuZdvIV7qvV0Vk/N9rnf+KsJlK97RQWSc61rPl+7cUeXkBB8qsWOMeVxe9NhWH8DeWV+JG0nroTaZDrTq9BI5UDc7kqrRgwPCvqwT749C3k3cijxqEvK5bwWZ5NFaGj4CW8qRGXR5Sf6GJlQLgOrH+V2R7Ns5kLunD/Yy6RvSUiwokCyb3tDqBgB3W9lEtuxqcaYUwig0/GIF
source              :
claims              :

And the portal was clearly updated as well.

2
  • In the previous test, I only noticed that the name was successfully replaced, but did not notice whether the Key Data was replaced. After testing, I can reproduce your problem, and the Key Data cannot be replaced. So I think Azure DevOps currently should not support using the REST API to upload an SSH key. Commented Jul 27, 2020 at 10:15
  • It will be more convenient to add the SSH key through the UI. I updated the answer and submitted a feature request for you. Sorry for the wrong guidance. Commented Jul 27, 2020 at 10:19
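
A post-update check for the symptom described in the question (displayName changed, publicData did not), as an added example that is not part of the original post: it compares the key blob that was sent with the publicData that came back and logs SHA-256 fingerprints instead of key material. `Get-SshKeyBlob` and `Test-SshKeyStored` are hypothetical helper names, and the sample keys are constructed.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Get-SshKeyBlob {
    param([Parameter(Mandatory)][string]$Key)
    # Accept "type base64 [comment]" or a bare base64 blob, as in the response above.
    $parts = @($Key.Trim() -split '\s+')
    $b64   = if ($parts.Count -ge 2) { $parts[1] } else { $parts[0] }
    $bytes = [Convert]::FromBase64String($b64)   # throws on malformed base64
    if ($bytes.Length -lt 4) { throw 'Key blob too short' }
    # The blob starts with a big-endian uint32 length, then the algorithm name.
    $len = ([int]$bytes[0] -shl 24) -bor ([int]$bytes[1] -shl 16) -bor ([int]$bytes[2] -shl 8) -bor [int]$bytes[3]
    if ($len -le 0 -or $len -gt ($bytes.Length - 4)) { throw 'Invalid algorithm length' }
    $alg = [Text.Encoding]::ASCII.GetString($bytes, 4, $len)
    if ($parts.Count -ge 2 -and $parts[0] -cne $alg) {
        throw "Prefix '$($parts[0])' does not match blob type '$alg'"
    }
    $sha = [Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($bytes) } finally { $sha.Dispose() }
    [pscustomobject]@{
        Algorithm   = $alg
        Blob        = $b64
        # Same form ssh-keygen -l prints: unpadded base64 of SHA-256 over the blob.
        Fingerprint = 'SHA256:' + [Convert]::ToBase64String($hash).TrimEnd('=')
    }
}

function Test-SshKeyStored {
    param([string]$SentKey, [string]$ReturnedPublicData)
    $sent = Get-SshKeyBlob $SentKey
    try { $stored = Get-SshKeyBlob $ReturnedPublicData }
    catch { Write-Warning "Returned publicData is not a valid key blob: $_"; return $false }
    # -ceq: base64 is case-sensitive, PowerShell's default -eq is not.
    if ($sent.Blob -ceq $stored.Blob) { return $true }
    Write-Warning "Stored key $($stored.Fingerprint) differs from sent key $($sent.Fingerprint)"
    return $false
}

# Constructed sample: ssh-ed25519 blobs with dummy key material (bytes 0..31 and 32..63).
$name  = [Text.Encoding]::ASCII.GetBytes('ssh-ed25519')
$blob  = [byte[]](@(0,0,0,11) + $name + @(0,0,0,32) + (0..31))
$other = [byte[]](@(0,0,0,11) + $name + @(0,0,0,32) + (32..63))
$sent  = 'ssh-ed25519 ' + [Convert]::ToBase64String($blob) + ' pipeline@example'
Test-SshKeyStored $sent ([Convert]::ToBase64String($blob))    # response echoes the sent key
Test-SshKeyStored $sent ([Convert]::ToBase64String($other))   # response still holds another key
```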

1 Answer

1

I am afraid that currently Azure DevOps does not support uploading SSH keys through the REST API. The official document also does not provide a REST API that can realize this function. At present, we can only add a public SSH key through the UI.

Apart from the negative answer, I think what you want is a good idea! So I posted a feature request here in the DC forum. You could vote for that suggestion ticket and share your comment there. The product team would provide the updates if they view it. Thank you for helping us build a better Azure DevOps.

3 Comments

Thanks Hugh. I really want to upload an SSH key to the pipeline account, so it can authenticate with Terraform. We are heavy users of modules that are kept in separate repos in Azure DevOps. Unfortunately, source on the modules only supports SSH. We need a licensed account just to have an SSH key for this.
The voting above is for visualstudio.com. Here is a query for "Azure DevOps", please upvote there!
I am afraid that 4 years later, it still is not supported. And on top of that, I am facing an issue where Web UI will just silently fail adding an SSH key. Vote for the feature request pls :)
