How to grant a TFS build agent access rights to TFS REST API?


I am following the question "Are TFS Build Agent User Capabilities' Values Obtainable Within Build Steps?", specifically Seva's answer, with direct REST API requests:

# Collection URL and job access token, as exposed to the build step by the agent
$tfsUrl = $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI
$token = $env:SYSTEM_ACCESSTOKEN
# Basic auth header: arbitrary user name, the token as the password
$authExpr = "whatever:$token"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($authExpr)
$base64 = [System.Convert]::ToBase64String($bytes)
$headers = @{"Authorization" = "Basic $base64"}
# List the agent pools visible to the authenticated identity
$poolUrl = "${tfsUrl}_apis/distributedtask/pools/"
$response = Invoke-RestMethod $poolUrl -Headers $headers
if ($response.count -eq 0)
{
  throw "No pools are accessible. No permissions?"
}

When run with my personal access token, this code returns an array of pools, in JSON. However, when run on a build agent as a build step using the agent-provided $env:SYSTEM_ACCESSTOKEN, the response.count is zero and there are no pools returned.

Now, the answer linked above suggests that this is to be expected, and I need to grant permissions to the special user identity that the agent uses to communicate with TFS. Using the ${tfsUrl}_api/_common/GetUserProfile REST endpoint (from the agent) I confirmed that this user is indeed named "Project Collection Build Service (ProjectCollectionName)", with the ProjectCollectionName part being specific to a TFS instance.

So I go to configuration, Agent Queues, select my queue, Roles, Add, type until "Project Collection Build Service (ProjectCollectionName)" is visible, click it, check that Role is Reader, press Add. And the result is "Sorry, we couldn't add the Identity. Please try a different Identity." Same error if I go to Manage pools.

While I can use explicit authentication with username/password or a personal access token, I would really prefer to use the agent's authentication, because unlike stored credentials it's always supposed to work - you know, passwords change, tokens expire, likely at the least convenient moment.

So, is it possible?

Edit: this happens with TFS 2018 update 3
