Is it possible through az devops CLI (for ex: az devops security permissions commands) to set repo security settings at the repo level so that a repo may only be visible/accessible to specific users (and admin) in the project?
I am essentially looking for commands which will grant a specific user access to a specific repo # repo-level
I am essentially looking for commands which will grant a specific user access to a specific repo # repo-level
You can use az devops security permission update Azure Cli and use 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 as the id parameter:
az devops security permission update --id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87
--subject
--token
[--allow-bit]
[--deny-bit]
[--detect {false, true}]
[--merge {false, true}]
[--org]
Is it possible through az devops CLI to set repo security settings at the repo level so that a repo may only be visible/accessible to specific users in the project?
Yes. Here is an example. Please replace the braces and their contents with your own information:
az devops security permission update --id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject {email address or group descriptor} --token repoV2/{project id}/{repository id}/ --allow-bit 2 --merge true
Please notice the --allow-bit 2. The number 2 refer to the Read permission of a repository.
So if you want to let a user/group can access to a repository, you need to use --allow-bit 2. If you want to let a user/group cannot access to a repository, you need to use --deny-bit 2.
Related
I want to get the list of users who has access of Azure DevOps Repo using PowerShell script or azure CLI.
az devops user list = use this command to list all users on Azure DevOps organization.
az devops user list
[--detect {false, true}]
[--org]
[--skip]
[--top]$allUsers = az devops user list --org $Organization | ConvertFrom-Jsonforeach($au in $allUsers.members)
{
Write-Host $au.user.principalName
}
We have the Azure Pipelines PowerShell Module to create a report of listing the users/groups having permissions to the repositories as given detailed in this SO Thread .
References:
https://vinijmoura.medium.com/how-to-list-all-users-and-group-permissions-on-azure-devops-using-azure-devops-cli-54f73a20a4c7
I have started using Azure Pipelines with GitHub backed account and created my first organization. I do not have any projects in that organization. I also do not have any subscriptions on portal.azure.com. I want to list available project in my organization using Azure CLI - basically - to get an empty list, because there are no projects yet.
When I type
az login --allow-no-subscriptions
I login successfully using a browser. But all the other Azure CLI commands that I issue afterwards will fail, and ask to login. What's in the name?
After a successful az login, when I type
az devops login --organization https://dev.azure.com/my-org-name-i-will-not-tell-you/
it prompts me for token, which is confusing, because from the official documentation:
If you have already signed in with az login interactively or using user name and password, then you don't have to provide a token as az devops commands now support sign in through az login.
I am confused, why I cannot login. Do I need to create a subscription on portal.azure.com to login? I don't want to do it, and don't' see why that will be necessary for my task.
If you login through
az login --allow-no-subscriptions
there is no need to call az devops login as you have access to Azure DevOps. Anf if you want to configure default organization, you can always use az devops configure
But it looks like mistake on CLI or documentation. I would recommend you create an issue for this page on GitHub.
The documentation indicates if you have already signed in with az login interactively or using user name and password, then you don't have to provide a token as az devops commands now support sign in through az login. In my opinion, the az devops commands here doesn't include az devops login command, as you don't need to run az devops login command after you running az login command.
I've installed AZ DEVOPS extension from az cli
az extension add --name azure-devops
az devops login --organization https://myorg.com
But when I insert my DEVOPS Personal Access Token, fail with the following error.
Failed to store PAT using keyring; falling back to file storage.
You can clear the stored credential by running az devops logout.
Refer https://aka.ms/azure-devops-cli-auth to know more on sign in with PAT.
I'm trying to access from a Linux Centos 7 machine to automate DevOps Pipeline creation.
Someone know how to fix this issue?
As a prerequisite,your Azure CLI version must be 2.0.49 at a minimum. You can use az --version to validate.
After you add az extension, you could also run az login to sign in.
If you have already signed in with az login interactively or using
user name and password, then you don't have to provide a token as az
devops commands now support sign in through az login.
When you are using az devops login command, first make sure you are using Azure DevOps Service organization URL. Example: https://dev.azure.com/MyOrganizationName. Azure DevOps Server/TFS is not support at present.
For Azure DevOps tokens, you need to make sure it's valid and with enough scopes for this token to authorize for your specific tasks.
More details please refer our official tutorial here-- Sign in with a Personal Access Token (PAT)
I'm using Azure CLI v2.0.62.
I do have multiple subscriptions - S1, S2, S3, S4 - in Azure on the single account.
I'm executing below script to insert dynamic value into repository:
az login
az acr build "ParentStorage" --platform windows -f Dockerfile -t ChildRepository:<dynamicValue>
Here, ParentStorage is of Storage Account type and ChileRepository is of Repository type.
At first, when login command gets executed, it gives me list of available subscription. But after executing az acr build... command it is throwing error message as below:
Error
The resource with name 'ParentStorage' and type
'Microsoft.ContainerRegistry/registries' could not be found in
subscription 'Visual Studio Professional
(ID)'.
What I have found till now is, it is trying to search under my Visual Studio subscription (S1). As S1 was the default subscription and repository was in S2. So I set S2 as default subscription and tried again but it didn't work.
Event when I tried to execute below command, it threw the same error:
az acr show --name ParentStorage
P.S.: I tried to login with specific subscription but unable to do so.
Please let me know what is I'm missing here.
For your issue, it seems your registry is not in the current subscription. When you use the CLI command az login then you log in with a default subscription. For you, it seems the "Visual Studio Professional (ID)" is the default. You should check if your registry is in the current subscription. If not, you should set that subscription as the current subscription through the CLI command:
az account set --subscription subscription_id
Then I suggest you'd better check if the registry exists again with the CLI command:
az acr show -n acr_name
It will show the information of your registry. This time, you can build the image with the CLI command az acr build as you want.
Also, you can set the subscription in the login time with the parameter --subscription through the CLI command az login.
If you have more questions, please let me know. Or if you think it's helpful you can accept it as the answer.
I ran into this and found another issue. The service provider (SP) I was using only had the "Acr Push" role. I had to add the "Contributor" role to resolve the issue. So it appears "Acr Push" does not have enough permissions to see the ACR resource.
Just adding an additional thing by following the answer provided in here
We can use below command to build with specific subscription id so that whenever the multiple users want to execute this command with their different default subscription id, they don't need to make other subscription as their default.
az acr build --subscription $SubscriptionId -r $registry --platform Windows -f Dockerfile -t XYZ:v$version obj
Hope this helps others too.
I have created a Build Docker Image task inside DevOps Build Pipeline.
In this task, after selecting the Azure Subscription, the Azure container registry list shows No results Found message.
Although I have created the ACR in that subscription, I'm unable to connect to it via DevOps Build Pipeline.
Is this issue related to permissions or any other?
Did you create a Service Principal for Azure DevOps pipeline? Once created you can give it the proper role for what you are trying to do.
# Assign the desired role to the service principal. Modify the '--role' argument
# value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
az role assignment create --assignee $SERVICE_PRINCIPAL_ID --scope $ACR_REGISTRY_ID --role acrpull
In your build pipeline, you need to add a login task that uses an existing Service Connection before your Docker build and/or push task. The Service Connection has the subscription and the name of the Azure Container Registry where you will be uploading your Docker images.