You should run agent setup manually the first time. After you get a feel for how agents work, or if you want to automate setting up many agents, consider using unattended config.

The hardware specs for your agents will vary with your needs, team size, etc. It's not possible to make a general recommendation that will apply to everyone. As a point of reference, the Azure DevOps team builds the hosted agents code using pipelines that utilize hosted agents. On the other hand, the bulk of the Azure DevOps code is built by 24-core server class machines

Prepare permissions

Information security for self-hosted agents

The user configuring the agent needs pool admin permissions, but the user running the agent does not. The folders controlled by the agent should be restricted to as few users as possible, because they contain secrets that could be decrypted or exfiltrated.

The Azure Pipelines agent is a software product designed to execute code it downloads from external sources. It inherently could be a target for Remote Code Execution (RCE) attacks. Therefore, it is important to consider the threat model surrounding each individual usage of Pipelines Agents to perform work, and decide what minimum permissions could be granted to the user running the agent, to the machine where the agent runs, to the users who have write access to the Pipeline definition, the git repos where the yaml is stored, or the group of users who control access to the pool for new pipelines.

It is a best practice to have the identity running the agent be different from the identity with permissions to connect the agent to the pool. The user generating the credentials (and other agent-related files) is different than the user that needs to read them. Therefore, it is safer to carefully consider access granted to the agent machine itself, and the agent folders which contain sensitive files, such as logs and artifacts.

It makes sense to grant access to the agent folder only for DevOps administrators and the user identity running the agent process. Administrators may need to investigate the file system to understand build failures or get log files to be able to report Azure DevOps failures.

Decide which user you'll use

As a one-time step, you must register the agent. The agent will not use this person's credentials in everyday operation, but they're required to complete registration.

Navigate to your project and choose Settings (gear icon) > Agent Queues. Select the Default pool, select the Agents tab, and choose New agent. On the Get the agent dialog box, choose Windows. On the left pane, select the processor architecture of the installed Windows OS version on your machine. The x64 agent version is intended for 64-bit Windows, whereas the x86 version is intended for 32-bit Windows. If you aren't sure which version of Windows is installed, follow these instructions to find out. On the right pane, click the Download button.

Follow the instructions on the page to download the agent. Unpack the agent into the directory of your choice. Make sure that the path to the directory contains no spaces because tools and scripts don't always properly escape spaces. Extracting in the download folder or other user folders may cause permission issues. This will ask you a series of questions to configure the agent.
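One way to apply the agent-folder guidance above, as an added example that is not part of the original page or of the agent's own tooling. The folder path, the two identities, the SYSTEM entry and the rights granted to each are assumptions to adapt; run it from an elevated PowerShell 5 or later session.

```powershell
# Assumed values (not from the page): replace with your own.
$AgentRoot   = 'C:\agent'                 # hypothetical agent folder, no spaces
$RunAs       = 'CONTOSO\svc-azp-agent'    # hypothetical identity running the agent
$AdminsGroup = 'CONTOSO\DevOps-Admins'    # hypothetical DevOps administrators group

# Assumption: the run-as identity needs Modify to write logs and work folders;
# administrators and SYSTEM get FullControl.
$grants = @{
    $RunAs                = 'Modify'
    $AdminsGroup          = 'FullControl'
    'NT AUTHORITY\SYSTEM' = 'FullControl'
}
$allowed = @($grants.Keys)

$acl = Get-Acl -LiteralPath $AgentRoot

# Stop inheriting from the parent folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Drop explicit entries left over from whoever unpacked or configured the agent.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Grant only the allowed identities, inherited by subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($id in $allowed) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, $grants[$id], $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $AgentRoot -AclObject $acl

# Audit: children with their own protected ACLs do not pick up the new rules,
# so list every Allow entry under the folder that names another identity.
$items = @(Get-Item -LiteralPath $AgentRoot) +
         @(Get-ChildItem -LiteralPath $AgentRoot -Recurse -Force)
$unexpected = foreach ($item in $items) {
    $path = $item.FullName
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -notin $allowed } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference, FileSystemRights
}
$unexpected | Format-Table -AutoSize
```

An empty table means only the three allowed identities hold access anywhere under the agent folder.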