I am using Azure DevOps Pipelines. In my CI YAML I am calling a PowerShell script. Within PowerShell I am reading the details of an existing resource, say a storage account, sitting in subscription X, and creating an exact replica in subscription Y. We have created a service connection using the service principal of X in Azure DevOps and are using it in our CI pipeline. I am not aware of how to include the Y service principal so that the resource can be created in subscription Y.
Can anything be handled on the Azure side? Please suggest the way.
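One way to do this without granting X's service principal any rights in Y is to register a second service connection for Y and give each step its own connection, passing the read properties between steps as pipeline variables. The pipeline below is an added example, not code from the original post; the connection names, resource groups and storage account names are assumptions.

```yaml
# Added example: one job, two AzurePowerShell steps, each authenticated with its own
# service connection. 'sc-subscription-x' / 'sc-subscription-y' are assumed names.
trigger: none

variables:
  sourceRg: 'rg-source'       # assumed resource group in subscription X
  sourceSa: 'stsource001'     # assumed existing storage account in X
  targetRg: 'rg-target'       # assumed resource group in subscription Y
  targetSa: 'sttarget001'     # assumed name of the replica in Y

jobs:
- job: replicate
  pool:
    vmImage: 'windows-latest'
  steps:
  # Step 1 runs as the subscription X service principal; Reader on the source is enough.
  - task: AzurePowerShell@5
    displayName: 'Read source storage account (subscription X)'
    inputs:
      azureSubscription: 'sc-subscription-x'
      azurePowerShellVersion: 'LatestVersion'
      ScriptType: 'InlineScript'
      Inline: |
        $sa = Get-AzStorageAccount -ResourceGroupName '$(sourceRg)' -Name '$(sourceSa)'
        # Hand the properties to the next step as pipeline variables
        Write-Host "##vso[task.setvariable variable=srcSku]$($sa.Sku.Name)"
        Write-Host "##vso[task.setvariable variable=srcKind]$($sa.Kind)"
        Write-Host "##vso[task.setvariable variable=srcLocation]$($sa.Location)"
        Write-Host "##vso[task.setvariable variable=srcHttpsOnly]$($sa.EnableHttpsTrafficOnly)"

  # Step 2 runs as the subscription Y service principal; it never holds X credentials.
  - task: AzurePowerShell@5
    displayName: 'Create replica (subscription Y)'
    inputs:
      azureSubscription: 'sc-subscription-y'
      azurePowerShellVersion: 'LatestVersion'
      ScriptType: 'InlineScript'
      Inline: |
        $httpsOnly = [System.Convert]::ToBoolean('$(srcHttpsOnly)')
        New-AzStorageAccount -ResourceGroupName '$(targetRg)' -Name '$(targetSa)' `
          -Location '$(srcLocation)' -SkuName '$(srcSku)' -Kind '$(srcKind)' `
          -EnableHttpsTrafficOnly $httpsOnly -MinimumTlsVersion 'TLS1_2'
```

Each service connection only needs the role its step actually uses (Reader on the source resource group, Contributor on the target one), so neither principal can reach the other subscription.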
Related
I want to use the "ARM template deployment" task in Azure pipelines, and for this, I need to set up a service connection of type "Azure Resource Manager connection". So I head over to the Service connections pane. And it turns out that in order to configure this service connection, one of the authentication methods is using a service principal.
So I've tried learning a little bit about service principals, and what I've understood so far is as such:
App registration is the process of registering applications which I want to delegate identity and access management to Azure AD for. A service principal is a concrete instantiation of the Application object that I create in my Azure AD tenant.
I didn't yet get my head around all these concepts well enough, but what I don't even start to understand is what all that has to do with an authentication method for an Azure Resource Manager service connection in Azure DevOps??
Can someone please clear up the fog for me?
Azure DevOps is not integrated with the Azure portal by any means. Also, Azure DevOps is not a trusted service, even by Microsoft itself.
The service connection will help you to establish a connection between the Azure portal and Azure DevOps. Here, the service principal acts like a user account to establish the connection.
First of all, the "ARM template deployment" task in an Azure DevOps pipeline is used to deploy Azure Resource Manager templates at resource group deployment scope, subscription deployment scope and management group deployment scope. The task is also used to create or update a resource group in Azure.
You should select your Azure Resource Manager connection and the specified subscription, which are the prerequisites of the task. Then, for connecting to a subscription associated with an Azure Active Directory tenant when building the pipeline, you need to create a service connection so that the pipeline can connect to the Azure subscription. For more info, you can refer to the doc:
Azure DevOps Connection Services. You should also log in and authenticate via a service principal instead of a user; it is just like an Azure login.
Besides, you can also manage your Azure subscriptions at scale with management groups via this doc: Organize subscriptions into management groups and assign roles to users for Microsoft Defender for Cloud | Microsoft Learn.
I'm trying to deploy a new Azure subscription into a management group using an Azure DevOps pipeline.
I have created a management group and a service principal. I assigned the Contributor role on the management group to the SP and then created a new service connection at the management group scope.
My problem is that I cannot find this service connection in my pipeline task.
How can I use this service connection in my pipeline to deploy subscription?
According to your description, you could add the "ARM Template deployment" task in the Azure pipeline to deploy a new Azure subscription into a management group.
In a classic pipeline:
For more information about ARM at the management group scope, you could refer to this documentation.
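In YAML the same task only lists management-group-scoped connections once its deployment scope is set to the management group, which is the usual reason the connection seems to be missing. The step below is an added example, not from the original answer; the connection name, location and template paths are assumptions.

```yaml
# Added example: the "ARM template deployment" task targeting a management group.
# 'sc-mg-contoso' is an assumed service connection created at management group scope.
steps:
- task: AzureResourceManagerTemplateDeployment@3
  displayName: 'Deploy template at management group scope'
  inputs:
    deploymentScope: 'Management Group'              # filters the connection list to MG-scoped ones
    azureResourceManagerConnection: 'sc-mg-contoso'
    location: 'westeurope'                           # required at MG scope: where deployment metadata lives
    templateLocation: 'Linked artifact'
    # assumed template using the managementGroupDeploymentTemplate.json schema
    csmFile: '$(Build.SourcesDirectory)/infra/new-subscription.json'
    csmParametersFile: '$(Build.SourcesDirectory)/infra/new-subscription.parameters.json'
    deploymentMode: 'Incremental'
    deploymentName: 'new-subscription-$(Build.BuildId)'
```

The template itself must declare the management group deployment schema (2019-08-01/managementGroupDeploymentTemplate.json); a resource-group-scoped template will be rejected at this scope even though the connection is found.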
I am trying to create a service connection to Azure with the steps below:
1- I use the same user for Azure and Azure DevOps
2- In Project settings -> Service connections -> New service connection
Azure Resource Manager -> Service principal (automatic)
But it cannot find my subscription.
Does anybody have any idea?
Do you have Azure Active Directory level permissions? You will also need Owner-level subscription permissions on the subscription, as displayed in the documentation here. You can add a service connection manually; you don't have to use the automated process, as per the docs here.
I've configured Azure DevOps with a service principal to access one specific resource group. I was expecting Azure DevOps would only be able to deploy to resources under this group, but that doesn't seem to be the case. I am able to connect agents from other resource groups and then deploy to them without any issue.
What's the point of configuring Service Principal in 'Azure DevOps' if the agent can bypass all permissions?
Configuration:
Azure Portal
1. Created AD in Azure Portal. Created App under AD with client secret.
2. Granted 'contributor' role to App created in Step-1 with resource group scope.
3. Created two resource groups - RG1 and RG2 with one VM in each.
4. Granted role assignment to App created in step-1 for RG1 only. RG2 has no role assignments.
Azure DevOps
5. Connected the Azure DevOps organization with the portal using AD connect.
6. Created service connection by going to Projects-> Service Principal(SP) -> Azure Resource Manager with Service Principal credentials (see step-1 above).
7. Created new pipeline and deployment group. Copied the deployment group agent code and ran it on both VMs in RG1 and RG2.
Actual Result:
Both VMs connected fine as targets under deployment group.
Pipeline was able to deploy successfully to both VMs.
Even if no service connections exist, pipelines are able to deploy to VMs.
Expected Result:
Only VM under RG1 should connect based on RBAC.
Pipeline should only be able to deploy to VM under RG1 and not RG2.
Pipelines shouldn't be able to deploy if service connections are not defined.
Workaround: Maybe installing this extension ( https://github.com/maikvandergaag/msft-extensions/wiki/Azure-RBAC ) would help but I was trying to avoid it if possible.
I believe your understanding of RBAC applies to the Azure resources and the VM resources. But you have already overridden the permissions by installing the deployment agent onto the VM.
In the IaaS scenario, you have already granted permission using the deployment agent.
In the PaaS scenario, RBAC will be adhered to because you will be using the service endpoint.
I want to deploy a web app using CI/CD from VSTS to multiple (customer) Azure accounts. So not multiple subscriptions within the same Azure account, but multiple different Azure accounts owned by customers.
The app is a managed app from the Azure Marketplace so I have full access to the resource group in which the app resides.
Is there an easy way to do this using service connections and the web deploy task, or should I be using PowerShell to do this and script it myself?
Please first create multiple service connections in your VSTS, which are used to connect to these Azure accounts.
Then please create a release pipeline with multiple environments. Then add a deploy task for every environment and choose a different Azure service connection in each environment. Then you can deploy one app to different Azure environments through one release pipeline.
It turns out that with a managed app, for every customer deployment a resource group is created that I own and which therefore shows up in my Azure account.
So from VSTS I can just use service connections to those resource groups; there is no need to connect to these other Azure accounts.
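The same "one environment per customer, one service connection per environment" layout in YAML form, as an added example that is not part of the original answer. It assumes a build stage has already published an artifact named `webapp`, and every customer name, service connection, web app and resource group below is an assumption.

```yaml
# Added example: one deployment stage per customer, each bound to a service
# connection scoped to that customer's managed-app resource group. Names are assumed.
parameters:
- name: customers
  type: object
  default:
  - name: contoso
    serviceConnection: 'sc-contoso-rg'      # scoped to rg-contoso-managedapp only
    webApp: 'app-contoso-prod'
    resourceGroup: 'rg-contoso-managedapp'
  - name: fabrikam
    serviceConnection: 'sc-fabrikam-rg'
    webApp: 'app-fabrikam-prod'
    resourceGroup: 'rg-fabrikam-managedapp'

trigger: none

stages:
- ${{ each c in parameters.customers }}:
  - stage: deploy_${{ c.name }}
    displayName: 'Deploy to ${{ c.name }}'
    dependsOn: []        # customers deploy independently; one failure does not block the rest
    jobs:
    - deployment: web
      environment: 'prod-${{ c.name }}'   # per-customer environment: approvals and checks attach here
      pool:
        vmImage: 'ubuntu-latest'
      strategy:
        runOnce:
          deploy:
            steps:
            - download: current
              artifact: webapp
            - task: AzureWebApp@1
              displayName: 'Web deploy (${{ c.name }})'
              inputs:
                azureSubscription: ${{ c.serviceConnection }}   # only this connection's RBAC applies
                appType: 'webApp'
                appName: ${{ c.webApp }}
                resourceGroupName: ${{ c.resourceGroup }}
                package: '$(Pipeline.Workspace)/webapp/*.zip'
```

Because each stage references only its own connection, a compromised or misconfigured step for one customer cannot touch another customer's resource group, and the per-environment approvals give a separate gate per customer.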