I need to create Azure DevOps agent pool using Terraform.
In Terraform I'm using microsoft/azuredevops provider. And resource azuredevops_agent_pool
In conclusion, I have an error: "Error creating agent pool in Azure DevOps: Access denied. user needs Manage permissions to perform the action. For more information, contact the Azure DevOps Server administrator."
I have Administrator permissions in Azure DevOps.
What can I try with this error?
UPD. I can create an agent pool from the Azure DevOps web UI.
I am using authentication with PAT. PAT configured for FULL access.
UPD2. I understood that access on Project Level is different from access on Organization Level. So I have full access on Project Level but Terraform is trying to create the agent pool on Organization Level.
It's not possible at the moment. I face the same issue.
The issue has been open since 2020.
https://github.com/Azure/terraform-azurerm-aci-devops-agent/issues/4
As mentioned in the README.md:
Before running this module, you need to create an agent pool in your
Azure DevOps organization and a personal access token that it
authorized to manage this agent pool.
So it's not possible to automatically create an agent pool from the official Terraform Azure DevOps provider.
You might try to find a way through the Azure DevOps REST API:
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/elasticpools/create?view=azure-devops-rest-7.1
You might also find this GitHub issue comment useful:
https://github.com/microsoft/terraform-provider-azuredevops/issues/204#issuecomment-962504540
Someone has already developed a way to do it with Terraform using local-exec combined with Azure CLI/PowerShell/REST API.
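Added example, not part of the original answers: the REST route mentioned above, written in Python to show that the call targets the organization rather than a project. It assumes the organization-level pools endpoint at API version 7.1 and a PAT held in an environment variable; the function names, the variable name and the status explanations are illustrative assumptions.

```python
import base64
import json
import os
import urllib.error
import urllib.request
from urllib.parse import quote

API_VERSION = "7.1"  # assumption: use the version your organization supports


def build_pool_request(organization, pool_name, pat):
    """Build the POST that creates an agent pool at organization scope."""
    # No project segment in the URL: pools belong to the organization,
    # so project-level admin rights do not authorize this call.
    url = (f"https://dev.azure.com/{quote(organization, safe='')}"
           f"/_apis/distributedtask/pools?api-version={API_VERSION}")
    body = json.dumps({"name": pool_name, "autoProvision": False}).encode()
    # A PAT travels as the password of HTTP Basic auth with an empty user.
    token = base64.b64encode(f":{pat}".encode()).decode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})


def explain_status(status):
    """Interpret the HTTP status (generic HTTP semantics, an assumption)."""
    if status == 200:
        return "created"
    if status == 401:
        return "credential rejected: check that the PAT is valid for this organization"
    if status == 403:
        return "identity lacks organization-level rights to manage agent pools"
    return f"unexpected status {status}"


def create_pool(organization, pool_name):
    # Assumed variable name; keeps the PAT out of code and Terraform files.
    pat = os.environ["AZDO_PERSONAL_ACCESS_TOKEN"]
    request = build_pool_request(organization, pool_name, pat)
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return explain_status(response.status)
    except urllib.error.HTTPError as err:
        return explain_status(err.code)
```

A PAT limited to the Agent Pools (Read & manage) scope is enough for this call, so a full-access token is not needed.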
I have created a release pipeline for an azure function that I developed. But to publish the artifact to the azure resource, is there a way I can deploy it through PAT (like how we publish VSS extensions to the marketplace). Because the subscription belongs to another person but I want to be able to deploy. If not PAT is there an alternate way to deploy when I don't have the subscription? Thanks
Don't know if it makes sense because I am new to this :)
You can use Service Connection to Azure Resource Manager with Service Principal in "Manual mode".
Manual subscription pipeline. In this mode, you must specify the
service principal you want to use to connect to Azure. The service
principal specifies the resources and the access levels that will be
available over the connection. Use this approach when you need to
connect to an Azure account using different credentials from those you
are currently logged on with in Azure Pipelines or TFS. This is also a
useful way to maximize security and limit access.
First ask an owner of the subscription to create a Service Principal (app registration) with access to subscription, then it will be just a matter of creating service connection in DevOps (project settings -> pipelines -> service connections) with proper service principal id, key, subscription id, name etc.
You can find a really good tutorial for that here
So I'm trying to add a new task, Azure File Copy, to my release pipeline. The file copy is pulling a single file from a new Azure Repository I created in Azure DevOps recently and putting it into a specific blob container. However, I seem to be running into an error
[error]AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
I tried looking for possible solutions for this, but considering this is a new repository, I'm not sure what I need to do. With my current existing app, I do have access to Microsoft Azure portal. With the link that's given in the error, it talks about updating the certificate, but it never had one to begin with.
Failing Azure File Copy when deploying a release to test environment with Azure DevOps
You could try to check if the service connection fails in Azure DevOps if you are using the Service Principal account to create the connection.
The service principal credential lifetime defaults to one year.
If yes, please create new credentials, and then update the Service Connection in Azure DevOps.
You could check this blog and this document for some more details.
It may be that the AZCOPY_SPA_CLIENT_SECRET environment variable on the machine running the task is set to a key that has expired.
See: https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
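Added example, not part of the original answers: a check for the expired-secret condition behind AADSTS7000222, so that rotation happens before a release fails. It assumes credential JSON in the shape printed by `az ad app credential list --id <appId>` on a CLI version that reports the Microsoft Graph field `endDateTime`; the sample data is constructed and the function names are illustrative.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample (not real credentials), UTC timestamps as the CLI prints them.
SAMPLE = """[
  {"displayName": "devops-connection",
   "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2024-03-01T00:00:00Z"},
  {"displayName": "rotated",
   "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2025-03-01T00:00:00.1234567Z"}
]"""


def parse_utc(stamp):
    # Keep "YYYY-MM-DDTHH:MM:SS"; drop fractional seconds and the trailing Z.
    parsed = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def audit_secrets(credentials_json, now, warn_days=30):
    """Classify each client secret as expired, expiring or ok at time `now`."""
    report = []
    for cred in json.loads(credentials_json):
        remaining = parse_utc(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            state = "expired"    # sign-in with this secret fails (AADSTS7000222)
        elif remaining <= timedelta(days=warn_days):
            state = "expiring"   # rotate, then update the service connection
        else:
            state = "ok"
        report.append((cred["keyId"], cred.get("displayName"), state, remaining.days))
    return report


def usable(report):
    """True if at least one secret on the app registration is still valid."""
    return any(state != "expired" for _, _, state, _ in report)


if __name__ == "__main__":
    for row in audit_secrets(SAMPLE, datetime.now(timezone.utc)):
        print(row)
```

A valid secret on the app registration does not help if the service connection or AZCOPY_SPA_CLIENT_SECRET still holds the old value, so compare the `keyId` in use as well.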
It's clear that you can set which roles can deploy to a certain on-premise server thanks to the security settings in Deployment Groups and Agent pools. But is there any way to restrict access at webapp level?
The only ways I found are:
1. Creating a specific account, giving it deployment permissions in the target server's IIS for the required webapps only, and providing these credentials to the developers in charge of creating the pipelines for deploying those webapps (they will put them as custom environment vars or similar in pipelines).
2. Same as 1, but using the created account as a service account for an agent. Access to this agent will be restricted to the developers in charge of creating the pipelines for deploying those webapps.
Both cases require creating new accounts and giving permissions on the server's IIS. Is there no way of doing this from Azure DevOps in the same way that access to whole servers can be restricted?
Regards.
It's clear that you can set which roles can deploy to a certain
on-premise server thanks to the security settings in Deployment Groups
and Agent pools. But, any way of restrict access at webapp level?
Sorry, but as far as I know, Azure DevOps Service doesn't support such an out-of-the-box feature.
We can manage the access at Organization level (Organization settings), Project level (Project settings), Feature level (Security of Pipelines/Deployment Groups feature...) and even the 'instance level' (set security for one specific pipeline/deployment group/one specific git repo).
But the 'instance level' is the lowest level; we can only manage the access in a specific pipeline or a specific deployment group, but not for one webapp which will be deployed by the pipeline/deployment group.
The webapp is not something hosted by Azure DevOps Service, it's just something to be deployed by pipelines (hosted by Azure DevOps Service). So Azure DevOps Service actually has no knowledge about the webapp (it also won't have a UI that represents one webapp); that's why we can manage the access in the pipeline but not the webapp in that pipeline...
Update 1
Once you have only one deployment group for the specific target server, you can determine who can access the deployment group here:
The person who is assigned with reader permission can't use the deployment group to do the deploy.
Ok, following the suggestion from @Lance and after some research, this is what I'm planning to do:
Creating a custom service connection where the following fields can be set: IIS Server where the WebApp is, Webapp name, User (with permissions for deployment) and Password.
Together with the custom service connection I will provide a custom task where the developer team can select the service connection against which they want to do the deployment (obviously, server admins will only configure service connections to webapps which this team is allowed to deploy).
The agent will run with a low-privileged account (no way of affecting any app) and the custom task will internally use the creds provided in the service connection to perform the deployment.
I think that approach is the best workaround to the initial problem and can be extended to fix the granularity problem in other kinds of resources (like DBs, Shared Folders, ...) by simply adding another specific custom service connection (to specify the resource and the deployment credentials) and a linked custom task which allows deployments only against that resource.
The only drawback is the fact that, if you want to set a deployment approval, you have to do it at resource level (for every webapp, for every DB, ...) and that means that approvers will have to approve resource by resource when deploying also (instead of a single approval for the whole application deployment as, in my understanding, should be)
What do you think, guys? Any remarks before I start coding this?
Regards.
I am facing an issue on Azure Data Factory when I try to access the Azure DevOps Git Repository that I configured. The error message is: "Invalid GIT configuration. You need to gain access to the repository before you can publish any changes. Details: Authentication error - you do not have access to the provided Azure DevOps account."
I am using the same account on both DevOps and Data Factory. My Azure portal access is "Contributor" at the subscription level and my DevOps role is Project Administrator on the project.
Regards,
Tania
I've tried various combinations of creating the repository as new from Data Factory as well as using an existing one created (by myself) in Azure DevOps.
From https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles in the Open Feedback items a user mentions that "the Build-in role Data Factory Contributor this is not in Allow part:
Action:Microsoft.DataFactory/locations/configureFactoryRepo/action"
I investigated the contributor role and it appears to have the Action allowed as "Read"?
ADF Repo Settings
ADF Repo Error
After the detailed message shared by @taniaw, this issue is caused by account confusion.
There are 2 accounts here, A@abc.com and A@efg.com.
When logging in to the Azure portal with A@abc.com and configuring the Azure DevOps Git, it's all correct. Now, the issue is that when going to the Azure DevOps Git tab after the repos are configured successfully, the access account used in the backend changes to A@efg.com. But this account does not have permission to access the organization and repos. That's why, when clicking the Azure DevOps Git tab, it is grey and shows the error message "You do not access to the repository".
These detailed messages can all be viewed with Fiddler. Everyone can use a Fiddler trace to find the exact cause of the error and then analyze it.
At last, the solution: this is an account mapping confusion issue which needs Azure Account Team support.
Verify the User configuration at Organization level:
The default is "Stakeholder" - it should be "Basic" actually.
Hope it is useful.
This issue was resolved today. The cause was a different Azure DevOps tenant where my account had been added as a guest had used an email account instead of my Azure AD account and this caused the confusion when passing credentials from Azure Data Factory to Azure DevOps. The issue was resolved by leaving the organization that had my user mis-configured as I'm no longer actively working on that project. A better solution may have been to have their Azure AD administrator update my guest account to the correct details.
I am trying to follow https://blogs.msdn.microsoft.com/tfssetup/2016/04/01/build-and-deploy-azure-web-apps-using-team-foundation-serverservices-vnext-builds/.
I have no issues deploying the web app manually from Visual Studio using PublishingSettings and Publish option. I just want to automate the process and I am stuck at this step:
The article clearly advises
Select the Certificate Based connection. This is very important when
you are trying to deploy. Credential based Microsoft Account
(@outlook, @hotmail) are no longer supported and only Organizational
accounts are. Even then, if they use Two-Factor Authentication(2FA),
the build will fail trying to connect to Azure.
This is correct, and if I try to use Credentials, my deployment fails with the "unknown_user_type: Unknown User Type There was an error with the Azure credentials used for deployment." message.
So >> Certificate. But in my PublishSettings file there is no Management Certificate and as per this article
Azure Management Certificates and Publishing Setting files (...) are
only intended and limited to manage Azure Service Management (ASM)
resources
I tried this option:
But VSTS is not connected to the Azure environment (considering that Azure belongs to one Customer and VSTS to another, is it even possible?).
My questions:
* Is the deployment somehow possible with the PublishSettings file?
* Should the "Credentials" option work if I am using an organizational account Me@Company.com?
* How else can I try?
EDIT
Your solution could be creating a service principal in Azure and connecting it to VSTS. The automatic build from VSTS should then be published to Azure automatically. Here you can find how to set up the service principal and connect it to VSTS: https://www.petri.com/connect-visual-studio-team-services-azure-using-service-principal-name
I am not sure right now whether you are using TFS or VSTS. When I publish a Web App in VSTS, the ARM Service Endpoint works well: