I'm trying to connect an Azure DevOps Git repository to Snowflake using a Service Principal (OAuth2). The admin provided me with a client_id, tenant_id, and client_secret from an App Registration in Azure.
I'm running the following two commands:

    CREATE OR REPLACE API INTEGRATION git_api_integration
      API_PROVIDER = git_https_api
      API_ALLOWED_PREFIXES = ('https://dev.azure.com//')
      API_USER_AUTHENTICATION = (
        TYPE = OAUTH2
        OAUTH_AUTHORIZATION_ENDPOINT = 'https://login.microsoftonline.com//oauth2/v2.0/authorize'
        OAUTH_TOKEN_ENDPOINT = 'https://login.microsoftonline.com//oauth2/v2.0/token'
        OAUTH_CLIENT_ID = ''
        OAUTH_CLIENT_SECRET = ''
        OAUTH_ALLOWED_SCOPES = ('499b84ac-1321-427f-aa17-267ca6975798/.default')
      )
      ENABLED = TRUE;

    CREATE OR REPLACE GIT REPOSITORY ..
      API_INTEGRATION = git_api_integration
      ORIGIN = 'https://dev.azure.com///_git/';

What has already been verified and set up correctly:
The App Registration in Azure has the following API permissions, all granted:
user_impersonation, vso.code_manage, vso.code_status (Azure DevOps) and User.Read (Microsoft Graph)
The Service Principal has been added as a user in the Azure DevOps organisation
The Service Principal has explicit Read and Contribute permissions on the repository in Azure DevOps Project Settings → Repositories → Permissions
The error occurs on the CREATE OR REPLACE GIT REPOSITORY command, not on the fetch step.
Is the API_USER_AUTHENTICATION block the correct way to pass OAuth2 credentials for Azure DevOps in Snowflake, or should I be using a separate SECRET object with GIT_CREDENTIALS instead? Could the issue also be that the Service Principal hasn't been added as a user inside the Azure DevOps project settings?
Any help appreciated!