I have created YAML pipeline & want to secure PROD service connection so that shouldn't be used in QA/UAT stages. I tried to add approvals on prod service connection along with PROD Environment approval(for PROD stage) but my pipeline fails immediately after approving Environment approval & throwing below error.
"##[error]The job is using protected resource(s) for which checks have not been evaluated endpoint:XXXXXX. For more details, refer to https://aka.ms/pipelinechecks"
Request you to please guide how I could fix it or achieve required control on PROD service connection. Thanks.
I can not reproduce your issue on my side. But all approvals should ask for review before the stage starts, you could only set approval for the service connection:
Related
I am trying to deploy the Azure Web App in the Qa instance. I have created 3 different appsettings.json files with environment specific Client ID's in it
On the release pipeline for QA branch I am trying to use the test app service and set the settings like below
Release pipeline is all getting executed without any issues but when I try to access the application URL I get error like
Application ID is still pointing to the DEV one even though the appsettings.QA.json has different client ID of the Test App Registration where I set the reply URl and all correcctly.
I am not sure why my QA release pipeline is not using the ID's from the appsettings.QA.json. Can anyone please suggest me what is that I am missing here. Any help is greatly appreciated
Check how the application picks correct appsettings.json -file into use. As it picks Appsettings.Development.json in QA-environment, check how the environment is set in QA-environment App Service. Perhaps there is an environment-variable with the value "Development" in App Service configuration and that should be set to "QA"?
I'm new to Azure Devops. I would like to have devops pipeline environments to be created automatically during pipeline flow. So the 5th line below should create environment if it does not exist:
- deployment: Deploy
displayName: Deploy job
pool:
vmImage: $(vmImageName)
environment: 'production'
Instead I'm getting:
What am I missing?
To automate environment creation I could also use Terraform but this time I cannot find terraform resource config responsible for that.
I had a similar problem and found that the documentation lists some possible reasons for why this can happen:
Quote from learn.microsoft.com:
Q: Why am I getting error "Job XXXX: Environment XXXX could not be
found. The environment does not exist or has not been authorized for
use"?
A: These are some of the possible reasons of the failure:
When you author a YAML pipeline and refer to an environment that does not exist
in the YAML file, Azure Pipelines automatically creates the
environment in some cases:
You use the YAML pipeline creation wizard in the Azure Pipelines web
experience and refer to an environment that hasn't been created yet.
You update the YAML file using the Azure Pipelines web editor and save
the pipeline after adding a reference to an environment that does not
exist.
In the following flows, Azure Pipelines does not have
information about the user creating the environment: you update the
YAML file using another external code editor, add a reference to an
environment that does not exist, and then cause a manual or continuous
integration pipeline to be triggered. In this case, Azure Pipelines
does not know about the user. Previously, we handled this case by
adding all the project contributors to the administrator role of the
environment. Any member of the project could then change these
permissions and prevent others from accessing the environment.
If you are using runtime parameters for creating the environment, it
will fail as these parameters are expanded at run time. Environment
creation happens at compile time, so we have to use variables to
create the environment.
A user with stakeholder access level cannot create the environment as
stakeholders do not access to repository.
In our case, the problem was using runtime parameters for creating the environment.
You have the environment name 'production' hardcoded, so your problem might be related to one of the other cases.
I have created the app service in existing internal app service environment. And then I’m trying to deploy the source code into above app service using Azure DevOps CI & CD pipelines. But, in the release pipeline I’m getting the below error message in Azure DevOps:
Error: Error Code: ERROR_DESTINATION_INVALID
More Information: Could not connect to the remote computer ("xx-xxxx-v1-api-dev.scm.xxx-int-nonp.xxxcloudapps.com"). Make sure that the remote computer name is correct and that you are able to connect to that computer. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_DESTINATION_INVALID.
Error: The remote name could not be resolved: 'xx-xxxx-v1-api-dev.scm.xxx-int-nonp.xxxxcloudapps.com'
Error count: 1.
Note: I’m using self-hosted agent in the release pipeline. I have tried to access Kudu environment for the above service in the private virtual machine. But, the kudu not opening.
So, please suggest me how to fix the above issue.
Kindly set/add the following to the Application setting and see if it helps.
Name: WEBSITE_WEBDEPLOY_USE_SCM
Value: false
If I have understood your issue correctly (using private link).
For accessing the Kudu console, or Kudu REST API (deployment with Azure DevOps self-hosted agents for example), you must create two records in your Azure DNS private zone or your custom DNS server. Kindly check this document for more details. If you haven't added the records, kindly see if that works.
Name Type Value
mywebapp.privatelink.azurewebsites.net A PrivateEndpointIP
mywebapp.scm.privatelink.azurewebsites.net A PrivateEndpointIP
https://learn.microsoft.com/azure/app-service/networking/private-endpoint#dns
Ensure that the release pipeline is running in the right host. Because the endpoint is private for the SCM too, the DevOps Agent must be in a network with access with the endpoint, so mandatory to use self-hosted Devops Agent.
Kindly see this doc for more details:
https://learn.microsoft.com/azure/app-service/networking/private-endpoint#dns
If the issue still persists, kindly capture a network trace/HAR or client-side HTTP log/review the logs.
P.S. Kindly do not share any PII data on the public forum for your privacy.
I can't seem to authorize access to my Azure subscription in Azure DevOps to run a build whenever a commit is pushed to master. I keep getting the below error:
Also, when I click Authorize resources, it says the authorization was successful, but the next time I run the pipeline, I get the same exact error. I verified in Project settings -> Service connections that I have an active connection to the subscription.
How can I get around this issue? When I go to Deployment Center in Azure Functions and wire up the connection there, it creates a task-based pipeline, but I want to use yaml.
The above indicates the azureSubscription you specified in your azure function deployment task doesnot exist, or you didnot have the permission.
If the service connection is already correctly setup, but you still encounter above error. You can follow below to troubleshoot the issue.
1, Check your yaml pipeline.
The azure subscription is validated at compile time. If you use variables to reference the azure subscription yaml pipeline. You need to make sure the variable can be retrieved at compile time.
You can check out this thread.
2, Check the service connection security setting.
Go to project settings-->Service Connections under Pipelines--> Select your azure service connection --> More settings(3 dots)-->Security-->Try adding your pipeline to the Pipeline permissions list.
If the azure subscription service connection is not set up. You need to create an service connection of azure Resource Manager type to connect to your azure subscription. See below steps:
1, Go to project settings-->Service Connections under Pipelines--> New Service connection-->Select Azure Resource Manager--> Next
2, Then select the Authentication method. If your azure devops is connected to AAD. You can select Service principal (automatic) as Authentication method. This will automatically create a service principal in your Azure AD.
3, If you want to create new service principal. You can select Service principal (manual). See below document to create service principal in Azure
Use the portal to create an Azure Active Directory application and a service principal that can access resources
Use Azure PowerShell to create an Azure service principal with a certificate
Then enter the related information in the service connection configuration page.
After the your azure subscription service connection is created. You can use it in your yaml pipeline task by specify the service connection name. See below example:
- task: AzureFunctionApp#1
displayName: Azure Function App Deploy
inputs:
azureSubscription: myAzureSubscription
Note: You need to add the correct role assignment for above service principal to enable the service principal to deploy to your azure resources.
You must create a new connection from the task itself (you may need to use the advanced options to add an existing service principal).
under "Azure subscription" click the name of the subscription you wish to use
Click the drop down next to "Authorize" and open advanced options
Click " use the full version of the service connection dialog."
Enter all your credentials and hit save
I spent a while trying to figure out why I got the same problem. Compared my yaml to another yaml I had worked on previously and couldn't spot any problems, also verified the service connections.
But as #Levi Lu-MSFT mentions, verifying the yaml lead me to finding what caused my issue so I thought I'd share it here even though it's not 100% related:
My variables weren't indented correctly. I was a bit tired and thought DevOps was just goofing with me. So verify that your yaml is properly setup. Sometimes it can be really small things that causes these issues.
I want to clone an Azure pipeline that builds from a Git repo. Following the instructions here -- https://learn.microsoft.com/en-us/azure/devops/pipelines/get-started/clone-import-pipeline?view=azure-devops&tabs=classic#clone-a-pipeline , I clicked "Clone" when clicking "Edit" on the pipeline ...
and then on the following screen changed the branch from where the repository builds and clicked "Save". After entering my comment and saving, I got this error ...
The pipeline is not valid. Job Job_2: Step input connectedServiceNameARM references service connection 2b45...959e8d3d which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz. Job Job_1: Step input connectedServiceNameARM references service connection 2b45...959e8d3d which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz.
I "think" the error message is referring to the "Agent Job" part of the pipeline, which looks like the below
I'm clueless about what the error message is referring to and am curious about if there is a way to clone my pipeline.
Edit: In response to the answer given, turns out I don't have any service connections defined in my project at all. When I click on the "service connections" link in the project settings, all I see is this ...
I can reproduce your problem on my side. You need to check whether the service connections used in your pipeline exist in the Service connections of Project Settings. If the service connections have been deleted, you will get this error when you clone the pipeline.
Not enough reputation to comment here, but your error message makes it look like you are trying to deploy to Azure through your pipeline. This is probably not necessary for a simple build job. From the menu where you clone the pipeline try export YAML.
Export to YML menu pic
That will show the details of Job_2 and might give you the hint that you need to find the step in the UI.
If there isn't a corresponding step in the UI where you can clear out the service connection then you may be stuck creating a new pipeline and manually copying the steps you do have access to in the UI. You could also create a new pipeline based on the YAML file you just exported minus the problematic job.