Azure DevOps CLI service endpoint

Azure DevOps Services

With the az devops service-endpoint command, you can create and manage different types of service connections. A service connection allows Azure DevOps to communicate with an external service, such as Azure, Bitbucket, Kubernetes, Maven, GitHub, and more. With az devops service-endpoint, you can perform the following tasks:

  • Create a service endpoint using a configuration file
  • Update a service endpoint
  • Manage GitHub service endpoints/connections
  • Manage Azure Resource Manager service endpoints/connections
  • List service endpoints defined for a project
  • Get the details of a service endpoint.

For detail command syntax, see az devops service-endpoint. For syntax on the REST API for service endpoints, see Endpoints.

You can also use azure cli commands to get details, list, delete, and update a service endpoint. See Index to Azure DevOps CLI examples, Service endpoints or service connections.

To use the web portal to create and edit service connections, see Manage service connections.

Tip

The examples in this article use service principals in lieu of basic authentication as a more secure method for authentication. For more information, see Use service principals & managed identities in Azure DevOps.

Create service endpoint using a configuration file

To create a service endpoint using a configuration file, you must first define the configuration file. The contents of the configuration file differ depending on the type of connection, such as Azure Classic, Azure Data Explorer, Bitbucket Cloud, Chef, and more.

Configuration file format

The following syntax shows the json format for the configuration file.

{
  "data": {},
  "name": "MyNewServiceEndpoint",
  "type": "AzureRM",
  "url": "https://management.azure.com/",
  "authorization": {
    "parameters": {
      "tenantid": "your-tenant-id"
    },
    "scheme": "ManagedServiceIdentity"
  },
  "isShared": false,
  "isReady": true,
  "serviceEndpointProjectReferences": [
    {
      "projectReference": {
        "id": "c7e5f0b3-71fa-4429-9fb3-3321963a7c06",
        "name": "TestProject"
      },
      "name": "MyNewServiceEndpoint"
    }
  ]
}

The following table describes each parameter. The type parameter supports creation of any type of service endpoint.

Parameter Type Description
name string Sets the friendly name of the endpoint.
type string Sets the type of the endpoint.
url string Sets the url of the endpoint.
authorization EndpointAuthorization Sets the authorization data for talking to the endpoint.
isShared boolean Indicates whether the service endpoint is shared with other projects or not.
isReady boolean EndPoint state indicator.
serviceEndpointProjectReferences Project Reference Sets project reference of the service endpoint.

For a list of supported types and their required input parameters, you can exercise the following REST API entry:

https://dev.azure.com/{organization}/_apis/serviceendpoint/types?api-version=6.0-preview.1

Also, for a description of service connection types and other parameters that they may require, see Manage service connections, Common service connection types.

Run the create command

You create a service endpoint with the az devops service-endpoint create command.

az devops service-endpoint create --service-endpoint-configuration 
                                  [--encoding {ascii, utf-16be, utf-16le, utf-8}]
                                  [--org]
                                  [--project]

Parameters

  • service-endpoint-configuration: Required. Name of the json configuration file with service endpoint configuration.
  • encoding: Optional. Encoding of the input file. Default is utf-8. Accepted values: ascii, utf-16be, utf-16le, utf-8.
  • org: Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default.
  • project: Name or ID of the project. You can configure the default project using az devops configure -d project=NAME_OR_ID. Required if not configured as default.

Example

The following command creates a service connection referencing the ServiceConnectionGeneric.json file.

az devops service-endpoint create --service-endpoint-configuration ./ServiceConnectionGeneric.json

Upon successful creation, an Id is assigned to the service endpoint and a response similar to the following syntax is returned.

{
  "administratorsGroup": null,
  "authorization": {
    "parameters": {
      "serviceprincipalid": "your-service-principal-id",
      "serviceprincipalkey": "your-service-principal-key",
      "tenantid": "your-tenant-id"
    },
    "scheme": "ServicePrincipal"
  },
  "createdBy": {
    "descriptor": "aad.OGYxZTFlODEtMGJiNC03N2ZkLThkYzUtYjE3MTNiNTQ2MjQ4",
    "directoryAlias": null,
    "displayName": "Jamal Hartnett",
    "id": "60c83423-4eb6-4c5e-8395-1e71cb4aef4c",
    "imageUrl": "https://dev.azure.com/fabrikam/_apis/GraphProfile/MemberAvatars/aad.OGYxZTFlODEtMGJiNC03N2ZkLThkYzUtYjE3MTNiNTQ2MjQ4",
    "inactive": null,
    "isAadIdentity": null,
    "isContainer": null,
    "isDeletedInOrigin": null,
    "profileUrl": null,
    "uniqueName": "fabrikamfiber4@hotmail.com",
    "url": "https://spsprodwcus0.vssps.visualstudio.com/A0214b8cc-a36c-4b93-abbf-6348473c2f0a/_apis/Identities/60c83423-4eb6-4c5e-8395-1e71cb4aef4c"
  },
  "data": {},
  "description": null,
  "groupScopeId": null,
  "id": "3b6890ef-54b3-47ec-a907-a5d2f96237da",
  "isReady": true,
  "isShared": false,
  "name": "MyNewServiceEndpoint",
  "operationStatus": null,
  "owner": "library",
  "readersGroup": null,
  "serviceEndpointProjectReferences": [
    {
      "name": "MyNewServiceEndpoint",
      "projectReference": {
        "id": "677da0fb-b067-4f77-b89b-f32c12bb8617",
        "name": null
      }
    }
  ],
  "type": "Generic",
  "url": "https://myserver"
}

Create a GitHub service endpoint

To create a GitHub service endpoint, use the az devops service-endpoint github create command:

az devops service-endpoint github create --github-url
                                         --name 
                                         [--org]
                                         [--project]

In interactive mode, the az devops service-endpoint github create command asks for a GitHub PAT token using a prompt message, for automation purpose set the GitHub PAT token using the AZURE_DEVOPS_EXT_GITHUB_PAT environment variable. For more information, see Sign in with a personal access token (PAT).

Create an Azure Resource Manager service endpoint

To create an Azure Resource Manager service endpoint, use the az devops service-endpoint azurerm create command.

az devops service-endpoint azurerm create --azure-rm-service-principal-id
                                          --azure-rm-subscription-id
                                          --azure-rm-subscription-name
                                          --azure-rm-tenant-id
                                          --name
                                          [--azure-rm-service-principal-certificate-path] 
                                          [--org]
                                          [--project]

Use a client secret

In interactive mode, the az devops service-endpoint azurerm create command asks for a service principal secret using a prompt message. For automation purposes, set the service principal secret using the AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY environment variable.

export AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY=<your_secret_here>
$env:AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY=<your_secret_here>

Use a client certificate

If the Microsoft Entra application uses certificate for authentication, then create a .pem file for the certificate and pass the path to the .pem file using the --azure-rm-service-principal-certificate-path argument.

You can create a .pem file using openssl:

openssl pkcs12 -in file.pfx -out file.pem -nodes -secret pass:<secret_here>