Description
What happened?
This issue was discussed here: #3308
However, no solution was found. Below is an explanation of the issue, and possible solutions:
My PAT was scoped to an Organization. So, when I created the agent, I had to include that Organization in the URL, just the base URL would NOT work.
Here is an example of the config.sh command I ran to install the agent:
    ./config.sh --unattended \
      --url https://ado-server/Organization \
      --auth pat \
      --token xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
      --pool linux-agent-pool \
      --agent linux-agent-name \
      --acceptTeeEula \
      --work _work
NOTE: Only using '--url https://ado-server/' did NOT work. I got an unauthorized error due to my PAT being scoped to an Organization.
When I tried to remove the agent with the command below, it always tried to remove it from 'https://ado-server/' and never included the Organization, which caused the same unauthorized error I got when trying to install the agent with 'https://ado-server/':

    ./config.sh remove --unattended \
      --auth pat \
      --token xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Possible Solutions:
The only solution I could get to work was what was explained in #3308:
Changing the PAT 'Organization' scope to 'All accessible organizations'.
What I would expect as a solution would be one of the below:
- The URL passed when the agent was configured with 'config.sh' is saved, and that same URL, with the Organization '--url https://ado-server/', is used when 'config.sh remove' is run. This would prevent 'config.sh remove' from accessing 'https://ado-server/', which the PAT can't access.
- Add '--url' as an available parameter to 'config.sh remove' so the user can specify the Organization they are removing the Agent from: '--url https://ado-server/Organization'.
Either of the above would allow Users to remove agents without requiring them to change the PAT 'Organization' scope to 'All accessible organizations'.
Final NOTE:
As it is now, you can only remove an agent if the PAT 'Organization' is set to 'All accessible organizations', because 'config.sh remove' always connects to the base URL 'https://ado-server/'. If the PAT scope for 'Organization' is NOT set to 'All accessible organizations', then that PAT will never be able to access the base URL 'https://ado-server/', and so 'config.sh remove' will never work.
Versions
Azure DevOps version 4.255.0 / RHEL 9.6
Environment type (Please select at least one environment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
Azure DevOps Server (Please specify exact version in the textbox below)
Azure DevOps Server Version (if applicable)
Azure DevOps Server 2022
Operating system
Windows Server 2022 Datacenter
Version control system
No response