Running a VSTS build agent without using a PAT


I'm configuring a private/on-prem Windows build agent (vNext) for VSTS. I need to use a PAT, but this doesn't seem great long term, as the longest I can set it for is 1 year - thus in a year's time it will break and require updating. Is there a more 'permanent' solution or is this the only option? The documentation suggests PAT only for VSTS.

Thanks in advance!

BEST ANSWER

A colleague found the answer in the FAQ: https://www.visualstudio.com/en-gb/docs/build/admin/agents/v2-windows

How does the agent authenticate and communicate with the TFS AT?

The agent pool administrator role is needed only when you register an agent. At that time, the agent downloads an OAuth token so that it can listen to the queue. The account that you use in this role has no bearing on future communication between the agent and the TFS AT.

When a build is run, it generates an OAuth token for the scoped identity selected on the general tab of the build definition. That token is short lived and is used to access resources on the application tier.

Most importantly "The account that you use in this role has no bearing on future communication between the agent and the TFS AT."

ANSWER

Based on this article (Deploy an agent on Windows), you need to choose PAT for Team Services (step 9)

ANSWER

You need to use a PAT.

Since most organisations require password changes on all accounts much more regularly than yearly, the likelihood of this being a big issue is next to nil.

Note: the PAT is only used to authenticate and get a secret from the server that is then used for comms. Feel free to expire the PAT after you have configured the agent.
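The registration flow described in the accepted answer and in this one, as an added example that is not from the original thread or from the agent's own documentation: a PowerShell script that registers a v2 agent unattended with a deliberately short-lived, narrowly scoped PAT, then checks that the agent is running on a credential of its own before the PAT is discarded. The account URL, agent directory, pool name and the `.credentials` file name are assumptions.

```powershell
# Added example, not from the original post. Registers a v2 Windows agent with a
# registration-only PAT and verifies the agent does not keep depending on it.
# Assumptions: agent extracted to C:\agent, $env:VSTS_PAT holds a PAT scoped to
# "Agent Pools (read, manage)" with a short expiry, account URL is a placeholder.
$AgentDir   = 'C:\agent'
$AccountUrl = 'https://CONTOSO.visualstudio.com'   # placeholder account URL
$Pool       = 'default'
$Pat        = $env:VSTS_PAT
if (-not $Pat) { throw 'Set $env:VSTS_PAT to a registration-only PAT first.' }

Set-Location $AgentDir

# The PAT is consumed only by this registration call. Per the FAQ quoted above,
# the agent then obtains its own OAuth credential and listens to the queue with that.
& .\config.cmd --unattended `
    --url $AccountUrl `
    --auth pat --token $Pat `
    --pool $Pool --agent $env:COMPUTERNAME `
    --runAsService
if ($LASTEXITCODE -ne 0) { throw "Agent registration failed with exit code $LASTEXITCODE" }

# Defender check (assumed file name): the agent should have written its own
# credential file, and that file should not contain the PAT we just used.
$CredFile = Join-Path $AgentDir '.credentials'
if (-not (Test-Path $CredFile)) { throw 'Expected config.cmd to write .credentials' }
if (Select-String -Path $CredFile -SimpleMatch -Pattern $Pat -Quiet) {
    throw 'PAT found in .credentials; expected an agent-specific credential instead'
}

# The PAT has done its job: drop it from this session and revoke it in the
# account's security settings rather than waiting for it to expire.
Remove-Item Env:\VSTS_PAT
Write-Host "Agent '$env:COMPUTERNAME' registered in pool '$Pool'; registration PAT can now be revoked."
```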