Unable to use workload identity for AzureDevops repository #23478
Description
Checklist:
- I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I've included steps to reproduce the bug.
- I've pasted the output of
argocd version.
Describe the bug
Unable to use workload identity for AzureDevops repository.
Any attempt to use workload identity instead of PAT produce the same error , no matter if project specified or not , tried different versions from 3.0.0 to 3.0.9.
However on Repositories list page - connection status is Successful and target revision dropdown list successfully shows existing branches , that means network connectivity and access to AzureDevops project works fine.
To Reproduce
- add pod label for server and repo-server - azure.workload.identity/use: "true"
- add annotation for repo-server service account azure.workload.identity/client-id: "some client id"
- managed identity has Basic access level on AzureDevop and Reader permissions on Project
- connect repository via HTTP , type git , with empty project field , selected
Use Azure Workload Identity - try to change target revision on existing application
Expected behavior
Authentication to AzureDevops worked with workload identity
Screenshots
Version
argocd: v3.0.9+a1faf02
BuildDate: 2025-06-17T20:46:21Z
GitCommit: a1faf0265f5256f0b09e045f8486421359e3211f
GitTreeState: clean
GoVersion: go1.24.4
Compiler: gc
Platform: linux/amd64Logs
rpc error: code = Unknown desc = failed to initialize repository resources: rpc error: code = Internal desc = Failed to fetch default: git fetch origin --tags --force --prune failed exit status 128: fatal: Authentication failed for 'https://dev.azure.com/*/
time="2025-06-18T15:07:12Z" level=info msg="git cat-file -t e76e6f130067894f44e9115649dedf53a6a0d48d" dir=/tmp/_argocd-repo/f69373aa-bcd4-404f-9f91-4083c995d9ad execID=cea5d
time="2025-06-18T15:07:12Z" level=info msg=Trace args="[git cat-file -t e76e6f130067894f44e9115649dedf53a6a0d48d]" dir=/tmp/_argocd-repo/f69373aa-bcd4-404f-9f91-4083c995d9ad operation_name="exec git" time_ms=2.216312
time="2025-06-18T15:07:12Z" level=info msg="git fetch origin --tags --force --prune" dir=/tmp/_argocd-repo/f69373aa-bcd4-404f-9f91-4083c995d9ad execID=235d0
time="2025-06-18T15:07:12Z" level=error msg="`git fetch origin --tags --force --prune` failed exit status 128: fatal: Authentication failed for 'https://dev.azure.com/*/'" execID=235d0
time="2025-06-18T15:07:12Z" level=info msg=Trace args="[git fetch origin --tags --force --prune]" dir=/tmp/_argocd-repo/f69373aa-bcd4-404f-9f91-4083c995d9ad operation_name="exec git" time_ms=234.175592
time="2025-06-18T15:07:12Z" level=error msg="finished call" grpc.code=Unknown grpc.component=server grpc.error="failed to initialize repository resources: rpc error: code = Internal desc = Failed to fetch default: `git fetch origin --tags --force --prune` failed exit status 128: fatal: Authentication failed for 'https://dev.azure.com/*/'" grpc.method=GenerateManifest grpc.method_type=unary grpc.service=repository.RepoServerService grpc.start_time="2025-06-18T15:07:12Z" grpc.time_ms=289.937 peer.address="10.48.11.3:33406" protocol=grpc
time="2025-06-18T15:07:13Z" level=info msg="started call" grpc.component=server grpc.method=Check grpc.method_type=unary grpc.service=grpc.health.v1.Health grpc.start_time="2025-06-18T15:07:13Z" grpc.time_ms=0.01 peer.address="[::1]:33396" protocol=grpc