@@ -5,68 +5,76 @@ A Git credential helper that uses Azure CLI to obtain OAuth tokens for Azure Dev
55## Prerequisites
66
77- [ Azure CLI] ( https://docs.microsoft.com/en-us/cli/azure/install-azure-cli ) installed and authenticated (` az login ` )
8+ - Go 1.21+ (for building from source)
89
910## Installation
1011
11- ### Option 1: Build from source (Go)
12-
1312``` bash
1413go build -o git-credential-azure-cli .
15- cp git-credential-azure-cli /usr/local/bin/
14+ sudo cp git-credential-azure-cli /usr/local/bin/
1615```
1716
18- ### Option 2: Use Python script
19-
20- Requires Python 3.6+
17+ Or use the ` init ` command after building:
2118
2219``` bash
23- cp git-credential-azure-cli.py /usr/local/bin/git-credential-azure-cli
24- chmod +x /usr/local/bin/git-credential-azure-cli
20+ git-credential-azure-cli init
2521```
2622
27- Then configure Git to use the helper.
23+ This will configure Git to use the cache helper (to prevent rate limiting) and add this tool as a credential helper.
2824
2925## Configuration
3026
31- ### Credential Caching (Recommended)
27+ ### Quick Setup
28+
29+ The easiest way to configure is using the ` init ` command:
30+
31+ ``` bash
32+ git-credential-azure-cli init
33+ ```
34+
35+ ### Manual Setup
3236
3337Add the cache helper first to prevent Entra ID rate limiting. The helper provides ` password_expiry_utc ` so the cache knows when to refresh:
3438
3539``` bash
3640git config --global --replace-all credential.helper cache
37- git config --global --add credential.helper git-credential-azure-cli
41+ git config --global --add credential.helper /path/to/ git-credential-azure-cli
3842```
3943
40- ### Global Helper
44+ ### Allowed Domains
4145
42- Configure the helper globally with domain filtering :
46+ Set which domains the helper should process. Uses "ends with" matching, so ` visualstudio.com ` matches ` msazure.visualstudio.com ` :
4347
4448``` bash
45- git config --global credential.helper git-credential-azure-cli
49+ git config --global --add azureCliCredentialHelper.allowedDomain " visualstudio.com"
50+ git config --global --add azureCliCredentialHelper.allowedDomain " dev.azure.com"
4651```
4752
48- By default, this handles hosts ending with ` visualstudio.com ` , ` dev.azure.com ` , or ` goproxyprod.goms.io ` .
53+ Default: ` visualstudio.com ` , ` dev.azure.com `
4954
50- ### GOPROXY Authentication
55+ ### Resource Overrides
5156
52- This helper can also be used for Go module proxy authentication via the ` GOAUTH ` environment variable :
57+ For hosts that need a different token resource (e.g., Go module proxies) :
5358
5459``` bash
55- export GOAUTH= " git / "
60+ git config --global " azureCliCredentialHelper.https://mydomain.com.resource " " https://myoauth2resourceURL "
5661```
5762
58- This tells Go to use the git credential system for authentication, which will invoke this helper for matching domains. ` / ` can be used as the directory because the credential helper is in the user's
59- global configuration. If configured in a specific directory, use that path instead.
63+ ### GOAUTH Authentication
6064
61- ### Allowed Domains
65+ This helper can be used for Go module proxy authentication via the ` GOAUTH ` environment variable:
6266
63- Set which domains the helper should process (comma-separated). Uses "ends with" matching, so ` visualstudio.com ` matches ` msazure.visualstudio.com ` :
67+ ``` bash
68+ eval " $( git-credential-azure-cli exports) "
69+ ```
70+
71+ Or add to your shell profile:
6472
6573``` bash
66- git config --global credential.azureCliHelper.allowedDomains " visualstudio.com,dev.azure.com "
74+ git-credential-azure-cli exports >> ~ /.bashrc
6775```
6876
69- Default: ` visualstudio.com,dev.azure.com,goproxyprod.goms.io `
77+ This sets ` GOAUTH ` to use the git credential system for authentication.
7078
7179## How It Works
7280
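Review bot: In the new "Allowed Domains" section, "ends with" matching is documented without saying whether the match is anchored at a DNS label boundary. If it is a plain string suffix, `visualstudio.com` also matches a look-alike such as `notvisualstudio.com` (constructed example) and the helper would request and return a token for that host. Please state that a host matches only when it equals the domain or ends with `.` plus the domain, and confirm the code does the same. Also, the key changes from the comma-separated `credential.azureCliHelper.allowedDomains` to the multi-valued `azureCliCredentialHelper.allowedDomain`, and `goproxyprod.goms.io` drops out of the default. A short migration note would stop existing setups from silently losing their allow-list or proxy authentication.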
@@ -77,8 +85,8 @@ Default: `visualstudio.com,dev.azure.com,goproxyprod.goms.io`
7785 - The host matches one of the allowed domains
7886
79873 . It attempts to get an OAuth token from Azure CLI:
80- - If the host has a resource override (e.g., ` goproxyprod.goms.io ` uses ` https://microsoft.onmicrosoft.com/AKSGoProxyMSFT ` ) , uses that resource
81- - Otherwise tries: ` az account get-access-token --resource https://< host>/ `
88+ - If the host has a resource override configured , uses that resource
89+ - Otherwise constructs the resource from the host URL
8290 - If that fails and a ` realm ` is present in the WWW-Authenticate headers, tries that realm as the resource
8391
84924 . If a token is obtained, it outputs credentials in the format Git expects:
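Review bot: In step 3, the replacement bullet "Otherwise constructs the resource from the host URL" loses the exact form the old text gave (`az account get-access-token --resource https://<host>/`), which is what a user needs to reproduce a failure by hand. Suggest keeping the command or at least the resulting resource string. While this list is being edited, the unchanged `realm` fallback bullet deserves a sentence too: the realm comes from a server-supplied WWW-Authenticate header, so the README should say whether it is checked against anything before it is used as the token resource.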
@@ -89,6 +97,16 @@ Default: `visualstudio.com,dev.azure.com,goproxyprod.goms.io`
8997 password_expiry_utc=<unix_timestamp>
9098 ```
9199
100+ ## Commands
101+
102+ - ` init ` - Configure git credential helpers
103+ - ` exports ` - Output environment variable exports for GOAUTH
104+ - ` get ` - Get credentials (called by git automatically)
105+ - ` store ` - No-op (credentials managed by Azure CLI)
106+ - ` erase ` - No-op (credentials managed by Azure CLI)
107+
108+ Use ` -v ` , ` -vv ` , or ` -vvv ` for increasing verbosity levels.
109+
92110## Troubleshooting
93111
94112### Verify Azure CLI is authenticated
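Review bot: The `init` entry in the new "Commands" list says only "Configure git credential helpers" and does not say which config scope it writes to or whether it replaces existing `credential.helper` entries. The manual setup it stands in for uses `--global --replace-all credential.helper cache`, which discards any helpers already configured, so if `init` does the same the list should say so and name the keys it touches. The `-v`/`-vv`/`-vvv` line would also be more useful with one phrase per level describing what is logged.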
@@ -100,13 +118,19 @@ az account show
100118### Test the helper manually
101119
102120``` bash
103- echo -e " protocol=https\nhost=msazure.visualstudio.com\n" | git-credential-azure-cli get
121+ echo -e " protocol=https\nhost=dev.azure.com\n" | git-credential-azure-cli get
122+ ```
123+
124+ ### Debug mode
125+
126+ ``` bash
127+ echo -e " protocol=https\nhost=dev.azure.com\n" | git-credential-azure-cli -vvv get
104128```
105129
106- ### Check allowed domains configuration
130+ ### Check configuration
107131
108132``` bash
109- git config --get credential.azureCliHelper.allowedDomains
133+ git config --global -- get-all azureCliCredentialHelper.allowedDomain
110134```
111135
112136## License
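Review bot: The new "Debug mode" section gives a `-vvv` command with no sentence on what it prints or where. Because `get` returns a live OAuth token, please state whether verbose output goes to stderr and whether the token is redacted, so users know if the output is safe to paste into an issue. In "Check configuration", the command now reads only `azureCliCredentialHelper.allowedDomain` with `--global`; adding a way to list the resource override keys introduced in this change, and noting that values set outside the global file will not appear, would make the check complete.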