
PAT Migration: dn-bot-dnceng-public-build-r (telemetry) #6489

Open
missymessa wants to merge 4 commits into main from missymessa-10138

Conversation

@missymessa (Member)

Work Item

AB#10138 — PAT Migration: dn-bot-dnceng-public-build-r

Summary

Migrates the `dn-bot-dnceng-public-build-r` PAT to Entra bearer tokens using the same telemetry-service-identity Managed Identity already deployed for AB#10137 (dnceng org).

Code Changes (4 modified + 1 updated)

Configuration:

  • settings.json — Removed `AccessToken` vault reference from `dnceng-public` settings (MI will be used instead)
  • settings.Staging.json — Added `AzureDevOpsSettings.dnceng-public.ManagedIdentityClientId` = `c05abe9e-b183-4c19-a7c3-6512f976548f`
  • settings.Production.json — Added `AzureDevOpsSettings.dnceng-public.ManagedIdentityClientId` = `13eb78dc-2e79-4ae1-afbf-f95c5b1d2a4c`

Secret Manager:

  • telemetry-secrets.yaml — Deprecated `dn-bot-dnceng-public-build-r` (changed to `type: text` with deprecation notice)

Tests:

  • TelemetryManagedIdentityTests.cs — Added `ManagedIdentity_CanListBuilds_FromDncengPublic` post-deployment test

Azure Resources Provisioned (out-of-repo)

Azure DevOps Organization Access (`dnceng-public`):

| MI   | AzDO Descriptor                                          | Group            |
|------|----------------------------------------------------------|------------------|
| Prod | `aadsp.MWU5YjE1ZWMtYjI5Ni03ZDI5LTk4OTktMzA1ZDA2OGFlNTU0` | [public] Readers |
| Int  | `aadsp.ODkwMGUzYjktZTE1YS03NGVlLTlhNzAtMTY1YmQwOTFkMDI3` | [public] Readers |

Both MIs were added as service principals in the `dnceng-public` Azure DevOps organization and granted Readers scope on the `public` project.

Post-Merge Cleanup

After validating the MI works in production:

  1. Delete the deprecated `dn-bot-dnceng-public-build-r` entry from `telemetry-secrets.yaml`
  2. Remove the corresponding PAT secrets from Key Vaults (`TelemetryServiceStaging`, `TelemetryServiceLocal`, `TelemetryServiceProd`)
  3. Revoke the `dn-bot-dnceng-public-build-r` PAT from the `dn-bot` Azure DevOps account
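As an added illustration of the auth path this PR switches to (example code written here, not code from this PR or from the telemetry service): the user-assigned Managed Identity named by `AzureDevOpsSettings.<org>.ManagedIdentityClientId` requests a short-lived Entra bearer token for the Azure DevOps resource and uses it to list builds, which is what a post-deployment check like `ManagedIdentity_CanListBuilds_FromDncengPublic` exercises. The `OrgSettings` record, the `AzDoManagedIdentityClient` class and the `project` argument are assumptions for the example; the `499b84ac-...` value is the well-known Azure DevOps resource application ID in Entra ID, and the code relies on the Azure.Identity and Azure.Core NuGet packages.

```csharp
// Added example, not the telemetry service's own code. Demonstrates replacing a
// stored PAT with a Managed Identity token for Azure DevOps REST calls.
// Requires NuGet packages Azure.Identity and Azure.Core.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class AzDoManagedIdentityClient
{
    // Well-known resource (application) ID of Azure DevOps in Entra ID.
    private const string AzureDevOpsScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    // Hypothetical minimal config shape mirroring the settings keys changed in this PR:
    // the org name plus the user-assigned MI client ID (no AccessToken any more).
    public sealed record OrgSettings(string Organization, string? ManagedIdentityClientId);

    public static async Task<string> GetBearerTokenAsync(OrgSettings settings, CancellationToken ct)
    {
        // Fail closed: with no MI configured there is nothing to authenticate with,
        // and we deliberately do not fall back to a PAT.
        if (string.IsNullOrEmpty(settings.ManagedIdentityClientId))
        {
            throw new InvalidOperationException(
                $"No ManagedIdentityClientId configured for organization '{settings.Organization}'.");
        }

        // Passing the client ID selects the user-assigned identity on the host.
        // The token is issued by the platform and expires on its own; nothing
        // long-lived is stored in configuration or Key Vault.
        var credential = new ManagedIdentityCredential(settings.ManagedIdentityClientId);
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { AzureDevOpsScope }), ct);
        return token.Token;
    }

    // Lists the most recent builds in a project; mirrors what a "can list builds"
    // post-deployment test would assert on.
    public static async Task<string> ListBuildsJsonAsync(OrgSettings settings, string project, CancellationToken ct)
    {
        string bearer = await GetBearerTokenAsync(settings, ct);

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", bearer);

        string url = $"https://dev.azure.com/{settings.Organization}/{project}/_apis/build/builds?$top=5&api-version=7.1";
        using HttpResponseMessage resp = await http.GetAsync(url, ct);

        // A 401/403 here usually means the MI's service principal is not yet a member
        // of the org, or lacks Readers on the project (the descriptor group rows above).
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync(ct);
    }
}
```

Running `ListBuildsJsonAsync(new OrgSettings("dnceng-public", "<client-id>"), "public", ct)` from a host that has the identity assigned succeeds only after the MI is in the org's `[public] Readers` group, so a failing call is the signal that the out-of-repo provisioning step is incomplete rather than that the code is wrong. Since the token never leaves the process and is not written to configuration, the Key Vault entries listed under Post-Merge Cleanup become dead weight once the MI path is validated.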

Migrate dnceng-public build-read PAT to the same telemetry-service-identity
Managed Identity already used for dnceng (AB#10137).

Changes:
- settings.json: Remove AccessToken reference for dnceng-public
- settings.Staging.json: Add ManagedIdentityClientId for dnceng-public
- settings.Production.json: Add ManagedIdentityClientId for dnceng-public
- telemetry-secrets.yaml: Deprecate dn-bot-dnceng-public-build-r
- TelemetryManagedIdentityTests: Add dnceng-public/public post-deployment test

Infrastructure (out-of-repo):
- Added telemetry-service-identity MIs as service principals in dnceng-public org
- Granted [public] Readers access to both prod and int MIs

Main had the dn-bot-dnceng-build-r entry removed (PR #6488), which shifted
lines and conflicted with our deprecation comment block for
dn-bot-dnceng-public-build-r. Keep our deprecation as intended.