Problem
Agentic pipelines running inside AWF need to install packages from internal ADO Artifacts feeds (npm, PyPI, etc.). These feeds require authentication, but AWF correctly hides credential files (e.g., ~/.npmrc is overlaid with /dev/null).
Currently, the only way to authenticate is by injecting tokens into the agent's environment (e.g., AZURE_DEVOPS_EXT_PAT), which exposes credentials to the agent process — contrary to the security model where agents should not have access to secrets.
Proposed Solution
Add a proxy-based auth injection mechanism to AWF's Squid proxy. For specific configured domains, Squid would transparently inject an Authorization header (or equivalent) before forwarding the request. The token would live in the proxy configuration, never in the agent container's environment.
Architecture
- ado-aw compiler tells AWF which domains need auth injection and which pipeline variable holds the token (via a new CLI flag or config file)
- AWF configures Squid with
request_header_add Authorization rules for those domains
- Agent makes unauthenticated requests to the feed URL
- Squid intercepts, adds the auth header, and forwards
- Agent never sees the token
Example Flow
Agent (inside AWF container):
pip install my-package
→ GET https://pkgs.dev.azure.com/myorg/_packaging/myfeed/pypi/simple/my-package/
Squid proxy (AWF):
→ Matches domain rule for pkgs.dev.azure.com
→ Adds: Authorization: Basic <base64(build:SC_READ_TOKEN)>
→ Forwards authenticated request to feed
Feed server:
→ Returns package metadata (authenticated)
Configuration Surface
From the ado-aw compiler perspective, the front matter would look like:
runtimes:
python:
version: "3.12"
feed-url: "https://pkgs.dev.azure.com/myorg/_packaging/myfeed/pypi/simple/"The compiler would pass the feed domain + auth token variable to AWF, which handles the proxy-level injection.
Context
- Filed from
githubnext/ado-aw runtime extension unification
- AWF already overlays credential files with
/dev/null (correct security posture)
- AWF already uses Squid for L7 domain whitelisting — this extends the proxy with auth injection
- ADO Artifacts feeds (npm, PyPI, NuGet) all support bearer/basic auth via HTTP headers
Problem
Agentic pipelines running inside AWF need to install packages from internal ADO Artifacts feeds (npm, PyPI, etc.). These feeds require authentication, but AWF correctly hides credential files (e.g.,
~/.npmrcis overlaid with/dev/null).Currently, the only way to authenticate is by injecting tokens into the agent's environment (e.g.,
AZURE_DEVOPS_EXT_PAT), which exposes credentials to the agent process — contrary to the security model where agents should not have access to secrets.Proposed Solution
Add a proxy-based auth injection mechanism to AWF's Squid proxy. For specific configured domains, Squid would transparently inject an
Authorizationheader (or equivalent) before forwarding the request. The token would live in the proxy configuration, never in the agent container's environment.Architecture
request_header_add Authorizationrules for those domainsExample Flow
Configuration Surface
From the ado-aw compiler perspective, the front matter would look like:
The compiler would pass the feed domain + auth token variable to AWF, which handles the proxy-level injection.
Context
githubnext/ado-awruntime extension unification/dev/null(correct security posture)