Azure CI/CD pipeline and Azure portal subscription problem - azure

I have one problem with my Azure. I created a build pipeline, and now I want to set up a release pipeline. I chose Deploy App Service, where my App Service is located, with its subscription and resource group.
In the Azure subscription dropdown I choose my subscription; it is listed, but I need to authorize myself. I click Authorize and get this error:
Error(s):
Service connection creation operation failed
Error: Service connection with name Microsoft Partner Network (subscription number) already exists. Only a user having Administrator/User role permissions on service connection Microsoft Partner Network (subscription number) can see it.
I guess it is a problem with authorization, but I can't figure out what the problem is. I have privileges for my resource group.

The error indicates that within Azure DevOps a service connection with the name 'Microsoft Partner Network' already exists and that you do not have permissions to update/edit it. The permissions are actually needed within the Azure DevOps project or organization and are separate from Azure Resource Manager RBAC permissions such as those assigned on resource groups.
See Service Connection security roles for the required role and references to managing project roles in Azure DevOps.

Why do I need to specify a Service Principal in Azure Resource Manager service connection in Azure DevOps?

I want to use the "ARM template deployment" task in Azure Pipelines, and for this I need to set up a service connection of type "Azure Resource Manager connection". So I head over to the Service connections pane, and it turns out that in order to configure this service connection, one of the authentication methods is using a service principal.
So I've tried learning a little bit about service principals, and what I've understood so far is this:
App registration is the process of registering applications for which I want to delegate identity and access management to Azure AD. A service principal is a concrete instantiation of the Application object that I create in my Azure AD tenant.
I haven't yet got my head around all these concepts well enough, but what I don't even begin to understand is what all that has to do with an authentication method for an Azure Resource Manager service connection in Azure DevOps??
Can someone please clear up the fog for me?
Azure DevOps is not integrated with the Azure portal by any means. Also, Azure DevOps is not a trusted service, even by Microsoft itself.
The service connection helps you establish a connection between the Azure portal and Azure DevOps. Here, the service principal acts like a user account to establish the connection.
First of all, the "ARM template deployment" task in an Azure DevOps pipeline is used to deploy Azure Resource Manager templates at resource group, subscription and management group deployment scopes. The task is also used to create or update a resource group in Azure.
You should select your Azure Resource Manager connection and the specified subscription, which are the prerequisites for using the task. Then, to connect to a subscription associated with an Azure Active Directory tenant when building the pipeline, you need to create a service connection that lets the pipeline connect to the Azure subscription. For more info, you can refer to the doc:
Azure DevOps Connection Services. You should also authenticate via a service principal instead of a user; it is just like an Azure login.
Besides, you can also manage your Azure subscriptions at scale with management groups via this doc: Organize subscriptions into management groups and assign roles to users for Microsoft Defender for Cloud | Microsoft Learn.

I don't see AKS from DevOps - Service Connection

I'm not seeing AKS from DevOps. I'm trying to create a pipeline but AKS is not showing.
First of all, I created a service connection --> Azure Resource Manager --> Service Principal (Manual).
I have been working this way and I see all my AKS clusters. I have a problem with this new one.
I don't know where the problem is. In DevOps I can see all my AKS clusters except this new one.
Any ideas on what to check?
In your Azure DevOps project navigate to Project Settings > Service Connections and select your Service Connection to Azure which will look something like this:
Depending on how your Service Principal was set up, you may be able to browse to it directly in the Azure Portal by clicking the Manage Service Principal link. There are other ways to set up a Service Connection, and the method for finding the Service Principal in the Azure Portal will differ; check out the documentation here. Make a note of the Display Name of your Service Principal.
In the Azure Portal navigate to your AKS resource, then to the Access Control (IAM) blade, and click Role Assignments. Check which roles the Azure AD Service Principal for your Azure DevOps Service Connection has been assigned; it will need at least Contributor to make changes to your AKS cluster.
You can use the Verify connection link on the Edit service connection page to verify your connection information, and check whether the "Grant access permission to all pipelines" option is checked.
In addition, here is a document on Troubleshoot Azure Resource Manager service connections you can refer to.
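The role check in the answer above is easy to get wrong by hand because RBAC assignments are inherited from the subscription and resource group down to the cluster, so an SP that shows Contributor on an old resource group but only Reader at subscription level will list the old clusters and not a new one in a different group. The following is an added example, not code from the original answer or from Azure DevOps: it reads a constructed assignment list shaped like the output of `az role assignment list --all --assignee <id> -o json` (the GUIDs and resource names are made up) and reports the effective roles of the service connection's principal at a given AKS resource ID.

```python
"""Check which Azure RBAC role a service principal effectively holds at a
target resource, honouring scope inheritance (subscription -> resource
group -> resource).

Added example, not code from the original answer. The assignment list
below is constructed to mirror the fields returned by
`az role assignment list --all --assignee <objectId> -o json`
(principalId, principalType, roleDefinitionName, scope); the GUIDs and
names are made up.
"""
import json

# Constructed sample: the service connection's SP has Reader on the whole
# subscription and Contributor on one old resource group only, which is
# exactly the situation where every cluster shows up except the new one.
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"

SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalId": SP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": SP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-aks-old"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
])

# Coarse ordering of the built-in roles that matter for a deployment.
# Custom roles are not in this table and are treated as insufficient,
# so inspect those by hand rather than trusting this check.
ROLE_RANK = {"Reader": 1, "Contributor": 2, "Owner": 3}


def aks_scope(subscription_id: str, resource_group: str, cluster_name: str) -> str:
    """Resource ID of an AKS cluster, which is also its RBAC scope."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.ContainerService/managedClusters/{cluster_name}")


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if an assignment made at assigned_scope applies to target_scope.

    RBAC assignments are inherited downward, so the assignment applies when
    its scope equals the target or is an ancestor of it. The comparison is
    on whole path segments and case-insensitive, as ARM resource IDs are.
    """
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_roles(assignments_json: str, principal_id: str, target_scope: str) -> list:
    """Distinct role names the principal holds at target_scope, directly or inherited."""
    assignments = json.loads(assignments_json)
    return sorted({
        a["roleDefinitionName"] for a in assignments
        if a["principalId"].lower() == principal_id.lower()
        and scope_covers(a["scope"], target_scope)
    })


def has_at_least(assignments_json: str, principal_id: str, target_scope: str,
                 required: str = "Contributor") -> bool:
    """Does the principal hold `required` or a stronger built-in role at the scope?"""
    need = ROLE_RANK[required]
    return any(ROLE_RANK.get(r, 0) >= need
               for r in effective_roles(assignments_json, principal_id, target_scope))


if __name__ == "__main__":
    for rg, name in (("rg-aks-old", "aks-prod"), ("rg-aks-new", "aks-new")):
        scope = aks_scope(SUBSCRIPTION_ID, rg, name)
        roles = effective_roles(SAMPLE_ASSIGNMENTS_JSON, SP_OBJECT_ID, scope)
        ok = has_at_least(SAMPLE_ASSIGNMENTS_JSON, SP_OBJECT_ID, scope)
        print(f"{name}: roles={roles} contributor_or_better={ok}")
```

To run it against real data, take the application (client) ID shown on the Edit service connection page, run `az role assignment list --all --assignee <that id> -o json`, and pass the output as the first argument in place of the constructed sample. Missing Contributor at the new cluster's scope means a new assignment at the resource group or cluster is needed; it does not mean the service connection itself is broken.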

Deploying Azure Function with Personal Access Token

I have created a release pipeline for an Azure Function that I developed. But to publish the artifact to the Azure resource, is there a way I can deploy it through a PAT (like how we publish VSS extensions to the marketplace)? The subscription belongs to another person, but I want to be able to deploy. If not a PAT, is there an alternative way to deploy when I don't own the subscription? Thanks.
Don't know if it makes sense because I am new to this :)
You can use Service Connection to Azure Resource Manager with Service Principal in "Manual mode".
Manual subscription pipeline. In this mode, you must specify the service principal you want to use to connect to Azure. The service principal specifies the resources and the access levels that will be available over the connection. Use this approach when you need to connect to an Azure account using different credentials from those you are currently logged on with in Azure Pipelines or TFS. This is also a useful way to maximize security and limit access.
First ask an owner of the subscription to create a service principal (app registration) with access to the subscription; then it is just a matter of creating a service connection in DevOps (Project settings -> Pipelines -> Service connections) with the proper service principal ID, key, subscription ID, name, etc.
You can find a really good tutorial for that here.

Using Managed Identity in Azure Pipelines: GetUserAccessToken: Failed to obtain an access token of identity. AAD returned silent failure

I am trying to run an Azure Resource Group Deployment task in Azure Pipelines. I have deployed an Azure Pipelines self-hosted agent on an Azure VM running Windows, and in my Azure DevOps organization I have set up an Azure Resource Manager service connection to a VM with a managed service identity.
However, I get the following error when trying to configure my Azure Resource Group Deployment task with my service connection with managed identity:
GetUserAccessToken: Failed to obtain an access token of identity . AAD returned silent failure.
I have already verified that I granted access (Contributor) to the VM's managed identity to the target resource group:
The service connection is also scoped to the Azure subscription:
Any help on diagnosing this issue is appreciated. Thanks!
"Failed to obtain an access token" typically occurs when your session has expired.
To resolve these issues:
Sign out of Azure Pipelines or TFS.
Open an InPrivate or incognito browser window and navigate to https://visualstudio.microsoft.com/team-services/.
If you are prompted to sign out, do so.
Sign in using the appropriate credentials.
Choose the organization you want to use from the list.
Select the project you want to add the service connection to.
Create the service connection you need by opening the Settings page. Then, select Services > New service connection > Azure Resource Manager.
Refer to:
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#sessionexpired
In case this is useful to anyone else, I had a similar issue when modifying service connections through Azure DevOps. The solution provided by Charlie Brown pointed me in the right direction: the user in AAD isn't automatically added to the Azure DevOps enterprise application, so if you run into this it may mean that you need to add the user or group that's trying to access it through DevOps.
In my case I just added myself as an owner and user through the Azure Portal -> Azure Active Directory -> Enterprise Applications -> Azure DevOps.
I didn't have to create another user, nor modify anything with MFA.
It appears that the issue comes about because it is the user account authenticated to Azure DevOps that is retrieving subscription information. Azure DevOps is not using the managed identity to retrieve the subscription information.
In particular, my original Azure DevOps user account had MFA turned on to authenticate to an Azure subscription (e.g. portal.azure.com), but did not have MFA turned on to authenticate to Azure DevOps (e.g. dev.azure.com/). I think that this was causing the issue when failing to get an access token:
I created a different user account in my Azure AD, gave it access to my Azure DevOps organization, and made sure that this new user account had Reader permissions over the target subscription and did not have MFA turned on. This resolved the issue of getting subscription info when using managed identity:
My scenario getting this error was adding a Service Connection to a Management Group in Azure DevOps
GetUserAccessToken: Failed to obtain an access token of identity
{{GUID}}. AAD returned silent failure.
Fix for me was adding my account as a Project Collection Admin in DevOps... details below:
Tried every permission possible ... GA, root management group Owner (via the AAD setting), target management group Owner, Subscription Owner, App Administrator... In DevOps I am a project admin and I have the Admin security role on service connections.
Interesting difference I have here: my Azure AD home tenant is different from my Azure subscription's AD tenant (I am a B2B guest).
I actually tried to use a different DevOps tenant that has an AAD tied to the Azure subscription tenant and it WORKED :( This led me to dig further into what is different. Aside from the DevOps->AAD link, I am also COLLECTION admin on the working one, and only a project admin on the failing one. I made sure I had Management Group Owner rights and then added my account as a Project Collection Admin - WORKED!
Ref: https://developercommunity.visualstudio.com/solutions/1246044/view.html

Azure DevOps unable to deploy to Azure Web App

I am currently trying to deploy an app from a release pipeline under Azure DevOps owned by Company A to an Azure App hosted on Azure owned by Company B.
I keep getting this error when attempting to release (stop) the Azure App:
Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'AppName'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
I am at a loss on how to solve this.
What has been done so far:
Web App is created in Company B's Azure
User from the DevOps Company A account is added as a Guest User in Company B's Azure AD
User has Contributor rights on the Web App
Managed Service Identity is set to "On" on the Web App
The subscription of Company B and the Web Apps can be seen and selected when setting up the release in Azure DevOps.
I am quite sure that more needs to be done in order for the release deployment to work, but after an intensive search I was not able to find anything.
Hope anyone here can advise.
Managed to find the solution to the problem I encountered.
It was related to the access rights of the guest account on the Azure subscription.
First of all, "Managed Service Identity" was not related to this issue.
These are the steps that were followed to connect the Azure DevOps of Company A to the Azure of Company B:
Created the Web App in Company B's Azure.
The Azure DevOps account from Company A was added as a "Guest User" in the Azure of Company B.
The DevOps account is given Contributor rights on both the Azure subscription and the Web App.
In Company A's DevOps, add an "Azure Resource Manager" service connection. Choose the settings of Company B's Azure as "Service Principal Authentication".
Upon saving the Azure Resource Manager connection, you will be prompted to log in. You will need to log in with the admin account of Company B's Azure.
I had this problem, and it was an MSI issue but not resolved by creating a VM as is suggested elsewhere on the internet. In my case, I had reset the MSI ID of the app service, which broke the service connection in DevOps (though DevOps didn't tell me this -_-).
It was resolved by removing and re-adding the service connection in DevOps, and re-selecting it in the release pipeline settings.