I have created an Azure Container Registry.
I have an Azure DevOps project.
I have created an Azure DevOps Pipeline using the wizard so
that it uses the standard template to build and push a Docker image.
When validating the Pipeline the following error is thrown:
Failed to set Azure permission 'RoleAssignmentId: ****' for the service principal '****' on subscription ID '****': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client '****' with object id '****' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/****/resourceGroups/****/providers/Microsoft.ContainerRegistry/registries/****/providers/Microsoft.Authorization/roleAssignments/****' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.
What configuration could I be missing? The documentation for this is all very sparse and written as though it should all just work.
Thanks
You need to add AcrPull permission to service principal you used here. Please got to you ACR and add it.
Here you have id of you service principal:
Failed to set Azure permission 'RoleAssignmentId: ' for the service principal ''
Also please check also networking on ACR if it blocks you or not.
To build and push your Docker image in Azure pipeline, you need follow the steps below:
Navigate to Project Settings > Service connections to create a Docker Registry service connection that can connect to your ACR.
In the pipeline, add the Docker task to build and push your Docker image to ACR.
Yours service principal on service connection is missing permissions link to documentation https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli. You can use custom role or build like contributor on resource group level. Example of custom role and allowed actions "Microsoft.ContainerRegistry/registries/push/write",
Related
I have a DevOps release pipeline pushing out (via CLI on a VM) to a dev resource group happily. When I add a stage pushing to an identical QA resource group I get the below.
ERROR: (AuthorizationFailed) The client '' with object id '' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/publishingcredentials' or the scope is invalid. If access was recently granted, please refresh your credentials.
Is there a place I should be looking at first?
The error is due to the service principa(in azure devops, typically is 'service connection') doesn't have correct role/permission on the target resource.
Please find your service connection in Project settings.
Click Manage Service Principal which will redirect you to the Application Registration of the Service Principal. All you need to do here is copy the name (the default format is <account>-<prject>-<GUID>).
Go back and click Manage service connection roles which will redirect you to the IAM blade of the Azure Subscription. Here you need to assign a role to the service principal of which you copied the name of in the previous step. you can add it as subscription owner/contributor role on the target subscription simply.
You can check similar answer here.
I am trying to create a NodeJS Azure pipeline, deployed to a container and publish it. While pushing the container I got the following error. I am using a Guest User account with Contributor permission. What should I do?
Seems like an issue with the Service connection. Try creating a new service connection (service principal) and push the image. You might need to have elevated permission for creating a Service principal.
I'm using the Microsoft Extension to access KeyVaults from Azure DevOps to fetch a secret from the vault. I'm getting this error message which appears to say that I need to allow rights the Azure Devops agent access to the keyvault.
"Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request""
I have this running on a separate test subscription where the AzureDevOps account has contributor access under Role Assignments, same on the PROD subscription where the error message is coming up.
Any insights would be greatly appreciated.
THanks,
This seems to be an issue with Azure keyvaults defined with service endpoints. As Azure DevOps is not a trusted service it does not have access to the endpoint. The workaround is to whitelist the ip of the agent right from the pipeline, removing it after you've obtained the secrets(figuring out how to do this now). This is referenced in here and here
I'm attempting to build out my DevOps pipeline to deploy a DataFactory, Databricks Notebooks & Azure Data Warehouse,
I have my resource subscriptions setup for both Dev and Prod. deploying to Prod is more tricky than it seems.
my keyvault has GET/LIST Permissions for both Secret & Keys for the Target DataFactory.
https://learn.microsoft.com/en-us/azure/data-factory/continuous-integration-deployment
I have used the above guide to setup my target data factory in prod - and it is stood up correctly with all the connection strings setup and keyvault permissions set.
but I am stuck on this portion :
Grant permissions to the Azure Pipelines agent The Azure Key Vault
task may fail with an Access Denied error if the proper permissions
aren't present. Download the logs for the release, and locate the .ps1
file with the command to give permissions to the Azure Pipelines
agent. You can run the command directly, or you can copy the principal
ID from the file and add the access policy manually in the Azure
portal. Get and List are the minimum permissions required.
when I deploy my release I get the following error on the KeyVault task :
The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal
I've added this power shell script ProvisionKeyVaultPermissions.ps1 to my repo and added it to my task but it just runs forever ? unsure if I'm missing something here.
hope this is clear/ please ask for any additional info.
I wonder if it's the DevOps service connection that's missing the permissions.
You can check access policies for the vault from the console. You should see your service connection as an APPLICATION; it needs the GET and LIST privileges as the document your following says. My understanding is that these are privileges for the account that's deploying your code, rather than the account that will run your code.
I have created a Build Docker Image task inside DevOps Build Pipeline.
In this task, after selecting the Azure Subscription, the Azure container registry list shows No results Found message.
Although I have created the ACR in that subscription, I'm unable to connect to it via DevOps Build Pipeline.
Is this issue related to permissions or any other?
Did you create a Service Principal for Azure DevOps pipeline? Once created you can give it the proper role for what you are trying to do.
# Assign the desired role to the service principal. Modify the '--role' argument
# value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
az role assignment create --assignee $SERVICE_PRINCIPAL_ID --scope $ACR_REGISTRY_ID --role acrpull
In your build pipeline, you need to add a login task that uses an existing Service Connection before your Docker build and/or push task. The Service Connection has the subscription and the name of the Azure Container Registry where you will be uploading your Docker images.