Share via

Replace PAT with System Access Token

Abhishek Kumar 0 Reputation points
2026-01-22T17:24:01.4766667+00:00

One of a Task in a Old Template uses task: AzureCLI@2 under this task multiple operations performed as inline bash script and at last need to push updates in central repo, in which a PAT is being used as AZURE_DEVOPS_EXT_PAT for git push but i need to replace it with a System Access Token, How can i do this.

in this checkout is not self and persistCredentials: true

Azure DevOps

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Rakesh Mishra 9,340 Reputation points Microsoft External Staff Moderator
    2026-01-22T18:51:56.1266667+00:00

    Hi @Abhishek Kumar ,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    It sounds like you're looking to replace your Personal Access Token (PAT) with a System Access Token in your Azure DevOps pipeline task. Here’s how you can do it:

    When using the Azure CLI task (AzureCLI@2) in your pipeline, you can make use of the System.AccessToken which is an automatically generated token available during pipeline execution. This token has the permissions of the build service identity.

    Here’s how you can push your updates to a central repo using the System.AccessToken instead of a PAT:

    1. Check Your Pipeline Configuration: Ensure that your pipeline’s YAML file is set up to include the System.AccessToken. The checkout step should also be configured correctly.
    2. Update Your Script: Replace the part of your inline bash script where you're using AZURE_DEVOPS_EXT_PAT to authenticate with Git. Instead of using the PAT, set the authentication to use the System.AccessToken like so: 
      
   # Clone your repository (adjust the URL as needed)

   git clone https://dev.azure.com/{organization}/{project}/_git/{repository}

   # Navigate into your repo

   cd {repository}

   # Configure Git to use the System.AccessToken for authentication

   git config --global credential.helper manager-core

   echo "https://$(System.AccessToken):@dev.azure.com" > ~/.git-credentials

   # Now you can push your changes

   git add .

   git commit -m "Your commit message"

   git push
    3. Permissions: Make sure that the System.AccessToken has the necessary permissions to access the repository. You might have to adjust pipeline permissions in Azure DevOps under Project settings > Repositories > [repository] > Security.
    4. Testing: After making these changes, run your pipeline to check if the updates are pushed successfully.

    By doing this, you avoid the need for a PAT and make use of the built-in capabilities of Azure DevOps pipelines.

    I hope this helps! If you have more questions or run into issues, feel free to ask.

    Reference Documentation:

    Let me know if you need further assistance!

    Note: This content was drafted with the help of an AI system.

    Was this answer helpful?

    0 comments

  2. AI answer

    2026-01-22T17:30:37.4+00:00

    To replace the Personal Access Token (PAT) with a System Access Token in your Azure DevOps pipeline, you can follow these steps to ensure that your git push command uses the System Access Token for authentication instead of a PAT.

    Steps to Use System Access Token:

    1. Set Up Your AzureCLI@2 Task: In your Azure DevOps pipeline YAML, you need to configure the AzureCLI@2 task to use the System Access Token. This token is automatically available in the pipeline and can be used for authentication in your commands.
    2. Export the System Access Token: You can export the System.AccessToken to the AZURE_DEVOPS_EXT_PAT environment variable within your inline script. This allows subsequent commands, such as git push, to use it for authentication.
    3. Ensure Permissions: Make sure that your pipeline has the necessary permissions to use the System Access Token. You may need to configure your pipeline settings to allow access to the token.

    Example Configuration:

    Here’s an example of how your AzureCLI@2 task might look:

    - task: AzureCLI@2
  inputs:
    azureSubscription: 'YourServiceConnection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # Other commands you need to run
      echo "Using System Access Token for git push"
      export AZURE_DEVOPS_EXT_PAT=$(System.AccessToken)
      git config --global user.email "you@example.com"
      git config --global user.name "Your Name"
      git push origin main
  env:
    AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)

    Important Notes:

    • Checkout Configuration: Since you mentioned that the checkout is not self, ensure that the repository you are trying to push to is checked out correctly in the pipeline. If you are using a different repository, you may need to specify the repository in the checkout step.
    • Persist Credentials: If you are using persistCredentials: true, it allows the Git commands to use the credentials stored in the environment variable for authentication.
    • Permissions: Ensure that your pipeline has the right permissions to access the System Access Token. You can check this in the pipeline settings under the agent job.

    By following these steps, you should be able to successfully replace the PAT with a System Access Token for your git push operation in Azure DevOps.

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.