git-clone task doesn't honor Key Vault PAT

[nickjmcclure]

When using the git-clone task the pat parameter expects the actual PAT and not the Key Vault Secret Identifier as described in the blog post here: https://techcommunity.microsoft.com/blog/azuredevcommunityblog/accelerate-developer-onboarding-with-the-configuration-as-code-customization-in-/4062416

To Reproduce
Create a template with a task to perform a git-clone

• name: git-clone
  description: Clone this repository into z:\workspaces
  parameters:
  repositoryUrl: https://github.com/myOrg/SomeRepo.git
  directory: z:\workspaces
  pat: https://not-a-real.vault.azure.net/secrets/GitHubPAT/abc123blahblahblah

Use this template as the customization file when creating a new Dev Box.

Expected behavior
The git-clone process should get the PAT from the key vault using the identity of the Dev Center Project managed identity

Dev Box VM Details (please complete the following information):

• OS version: Windows 11
• Image: microsoftvisualstudio_visualstudioplustools_vs-2022-ent-general-win11-m365-gen2

Additional context
Key Vault exists and is not protected by a firewall.
Dev Center and Project managed identities given RBAC roles to Key Vault

When providing the actual PAT as the value of the parameter, the git-clone works without issue.

[jheins-accso]

I can confirm this Problem. If you also have a look at the actual implementation of the task, you find no part, where a AZ Key Vault is queried for the PAT. It seams as it is simply not implemented.

It is also part of the official documentation https://learn.microsoft.com/en-us/azure/dev-box/how-to-write-customization-file#use-key-vault-secrets-in-team-customization-files

[nickjmcclure]

Looks like the documentation has been updated, but I'm not sure it is working with GitHub repos.

https://learn.microsoft.com/en-us/azure/dev-box/how-to-use-secrets-customization-files

[dfukhsa]

Can anyone confirm if the pat keyvault parameter is working currently?

tasks: 
  - name: git-clone
    description: Clone this repository into C:\workspaces
    parameters:
      repositoryUrl: https://github.com/example-org/example-repo.git
      directory: C:\workspaces
      pat: "{{https://contoso-vault.vault.azure.net/secrets/github-pat}}"

as per Team Customization Example

As of January 2026 it worked fine when Building DevBox images. Today the same build are failing in the git-clone step with such errors:

git : Cloning into '.'...
At C:\Windows\SystemTemp\46adbabe-fe5b-422a-a780-1e145bb376bd\1153rhyo.32h\main.ps1:461 char:13
+             git $credentialInteractiveFlag -c http.extraHeader="Autho ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Cloning into '.'...:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
bash.exe: warning: could not find /tmp, please create!
fatal: Cannot prompt because user interactivity has been disabled.
bash.exe: warning: could not find /tmp, please create!
bash: line 1: /dev/tty: No such device or address
error: failed to execute prompt script (exit code 1)
fatal: could not read Username for 'https://dev.azure.com/***/_git/***': 
No such file or directory
git clone exited with code: 128
Failed to clone repository: https://dev.azure.com/***/_git/*** to directory: C:\***, we'll try again assuming it's an access token.

Permissions are the same. Theory is that the conversion from pat: "{{https://contoso-vault.vault.azure.net/secrets/github-pat}}" to the secret is not occurring anymore, and not passed to git for proper authentication. But at this stage I have no way to know for sure unless someone else also facing similar issue? Thanks.

[dfukhsa]

Happy to report that in my case the pat keyvault parameter is indeed working. It was spotted that although the keyvault secret had previously expired and had been recreated, the url in the pat parameter of the git-clone step needed to also be updated.