Azure DevOps

Connect your private Azure DevOps repository to Valohai using SSH authentication. Unlike GitHub and GitLab, Azure DevOps uses user-level SSH keys rather than repository-level deploy keys.

Requirements

• A private Azure DevOps repository

• A Valohai project

• Access to your Azure DevOps account settings

Overview

You'll complete three steps:

1. Generate an SSH key pair (in Valohai)

2. Add the public key to your Azure DevOps user account

3. Add the private key to Valohai

Step 1: Generate SSH Key Pair

The easiest way is to generate the key pair directly in Valohai.

In Valohai:

1. Open your project

2. Go to Settings → Repository

3. Click Generate SSH Key

4. Download or copy both keys:

   • valohai-public_xxx.pub (public key)

   • valohai-private_xxx.pem (private key)

Keep these files handy—you'll need them in the next steps.

Alternative: Generate Locally

If you prefer, generate keys on your local machine:

ssh-keygen -t rsa -b 4096 -f valohai-deploy-key

This creates:

• valohai-deploy-key.pub – Public key for Azure DevOps

• valohai-deploy-key – Private key for Valohai

💡 Don't commit these keys to Git. Anyone with the private key can access your repository.

Step 2: Add Public Key to Azure DevOps

Azure DevOps uses user-level SSH keys, not repository-level deploy keys.

Navigate to SSH public keys:

1. Go to Azure DevOps

2. Click your profile icon (top right)

3. Go to User settings → SSH Public Keys

Add the public key:

1. Click New Key

2. Name: Valohai (or any descriptive name)

3. Public Key Data: Paste the entire contents of the .pub file

   • Should start with ssh-rsa AAAA...

4. Click Save

Step 3: Add Private Key to Valohai

Now connect the repository in Valohai.

Get your SSH repository URL from Azure DevOps:

1. Go to your Azure DevOps project

2. Click Repos → Files

3. Click Clone (top right)

4. Select SSH (not HTTPS)

5. Copy the URL (format: [email protected]:v3/org/project/repository)

In Valohai:

1. Go to Settings → Repository

2. Paste the SSH URL into the URL field:

   Copy

   [email protected]:v3/org/project/repository

3. Paste the entire contents of the private key file into SSH private key:

   • Should start with -----BEGIN RSA PRIVATE KEY-----

   • Include all lines, including the header and footer

4. Click Save

Valohai will immediately attempt to fetch your repository. If successful, you'll see your commits in the execution dialog.

Verify Connection

Test that everything works:

1. Go to Executions → Create Execution

2. The Commit dropdown should show your commits

3. If not, click Fetch Repository in settings

Keep Code Updated

After pushing new commits to Azure DevOps, update Valohai:

1. Go to Settings → Repository

2. Click Fetch Repository

Automate with webhooks (coming soon).

Important Differences from Other Git Providers

User-level keys, not deploy keys:

• Azure DevOps doesn't support repository-specific deploy keys

• The SSH key has access to all repos your user account can read

• For production, create a dedicated service account

SSH URL format:

[email protected]:v3/<organization>/<project>/<repository>

Not the standard [email protected]:username/repo.git format.

Using a Service Account (Recommended)

For production environments, use a dedicated service account:

1. Create a new user in Azure DevOps (e.g., [email protected])

2. Grant it Reader access to your repositories

3. Generate SSH keys for this account

4. Use these keys in Valohai

This isolates Valohai access from personal accounts and makes key rotation easier.

Troubleshooting

"Permission denied (publickey)"

• The public key wasn't added correctly to Azure DevOps

• Make sure you copied the entire .pub file contents

• Verify the SSH key shows in your user settings

"Repository not found"

• Check the repository URL format (should be [email protected]:v3/...)

• Ensure you selected SSH (not HTTPS) when copying the URL

• Verify your user account has access to the repository

"Invalid private key format"

• Make sure you pasted the private key, not the public key

• Include the header (-----BEGIN RSA PRIVATE KEY-----) and footer

• Don't add extra spaces or line breaks

"My commits don't appear"

• Click Fetch Repository after pushing new commits

• Check if you're on the correct branch

• Use Manage Commits to unhide old commits

"Key has access to too many repos"

• Create a service account with limited repository access

• Grant the service account only the repos needed for Valohai

Security Best Practices

Use a service account

• Don't use your personal Azure DevOps account

• Create a dedicated user for Valohai with minimal permissions

• This isolates access and simplifies key rotation

Grant minimal permissions

• Service account only needs Reader (read-only) access

• Don't grant Contributor or higher

Rotate keys periodically

• Generate new keys every 6-12 months

• Delete old SSH keys from Azure DevOps

Monitor key usage

• Azure DevOps logs SSH key usage

• Review logs periodically for unexpected activity

Next Steps

• Use .vhignore to exclude large files

• Manage Commits to organize visible commits

• Git Submodules for accessing multiple repos