Azure-Functions: Submodule requiring Creds: fatal: could not read Username for

Question

I've got an Azure Function App that is setup to continuously deploy from VisualStudio.com Team Services git repository. It utilizes submodules. One of those submodules is publically available on GitHub and it loads beautifully without any issue.

Another one of the submodules is secured behind a VisualStudio.com Team Services Git repo (Under the same account as the main repo). This submodule errors out on deploy.

Based on information provided by Microsoft, submodules are initiated with the following two git commands:

git submodule sync
git submodule update --init --recursive --force

The first of these commands appears to execute properly, and the second one seems to error out. The following is the output:

Cloning into 'secure-submodule'...
Fatal: COMException encountered.\r
bash: /dev/tty: No such device or address
error: failed to execute prompt script (exit code 1)
fatal: could not read Username for ''https://myVSStudio.visualstudio.com': Invalid argument
fatal: clone of 'https://myVSStudio.visualstudio.com/DefaultCollection/_git/secure-submodules' into submodule path 'secure-submodules' failed

I'm assuming this is because that the 2nd submodule requires credentials, but I'm not sure how to provide it.

Since the main projects continuous deployment is pulling from a protected git repository, I would think that the submodule would be able to do the same.

Answer 1

As a work around, I updated the .gitmodules file so that the URL contained a username and password, and I created a Personal Access Token to use in the URL.

e.g. Within .gitmodules the url was changed:

[submodule "mySub"]
    path = mySub
    url = https://mysub:PERSONAL_ACCESS_TOKEN_VALUE@YOUR_GIT_REPO_URL

This can be set by going to:

https://YOUR_SUB_DOMAIN.visualstudio.com/_details/security/tokens

When I created the personal access token I limited it to code read operations only.

What I don't like about this solution (and I hope someone else has a better one):

1. The personal access token is returned to source-control on the main project.
2. I don't see a way to limit a personal access token to only one repository, so this token can be used to read any repository I have access to.
3. You have to specify a period of time the token is valid and the longest period of time is a year. This is good in some ways, but I'm sure in a year I will have completely forgotten what I did to get this working and I'm sure the error message will be less than obvious.

Answer 2

I've just stumbled the same problem running an Azure pipeline on a private Agent and the solution probably might fit into what you had. I've configured the git credential cache on the Host Agent running git config --global credential.helper cache entering username and password with the name of Personal Access Token and the Token respectively. git config --global credential.helper store which stores a string like https://[pat_name]:[token]@[owner].visualstudio.com on .git-credentials didn't work in my case but might help into yours. I know that you've probably moved on from this problem but I hope it can help anyone still struggling with this.