I can't seem to authorize access to my Azure subscription in Azure DevOps to run a build whenever a commit is pushed to master. I keep getting the below error:
Also, when I click Authorize resources, it says the authorization was successful, but the next time I run the pipeline, I get the same exact error. I verified in Project settings -> Service connections that I have an active connection to the subscription.
How can I get around this issue? When I go to Deployment Center in Azure Functions and wire up the connection there, it creates a task-based pipeline, but I want to use yaml.
The above indicates the azureSubscription you specified in your azure function deployment task doesnot exist, or you didnot have the permission.
If the service connection is already correctly setup, but you still encounter above error. You can follow below to troubleshoot the issue.
1, Check your yaml pipeline.
The azure subscription is validated at compile time. If you use variables to reference the azure subscription yaml pipeline. You need to make sure the variable can be retrieved at compile time.
You can check out this thread.
2, Check the service connection security setting.
Go to project settings-->Service Connections under Pipelines--> Select your azure service connection --> More settings(3 dots)-->Security-->Try adding your pipeline to the Pipeline permissions list.
If the azure subscription service connection is not set up. You need to create an service connection of azure Resource Manager type to connect to your azure subscription. See below steps:
1, Go to project settings-->Service Connections under Pipelines--> New Service connection-->Select Azure Resource Manager--> Next
2, Then select the Authentication method. If your azure devops is connected to AAD. You can select Service principal (automatic) as Authentication method. This will automatically create a service principal in your Azure AD.
3, If you want to create new service principal. You can select Service principal (manual). See below document to create service principal in Azure
Use the portal to create an Azure Active Directory application and a service principal that can access resources
Use Azure PowerShell to create an Azure service principal with a certificate
Then enter the related information in the service connection configuration page.
After the your azure subscription service connection is created. You can use it in your yaml pipeline task by specify the service connection name. See below example:
- task: AzureFunctionApp#1
displayName: Azure Function App Deploy
inputs:
azureSubscription: myAzureSubscription
Note: You need to add the correct role assignment for above service principal to enable the service principal to deploy to your azure resources.
You must create a new connection from the task itself (you may need to use the advanced options to add an existing service principal).
under "Azure subscription" click the name of the subscription you wish to use
Click the drop down next to "Authorize" and open advanced options
Click " use the full version of the service connection dialog."
Enter all your credentials and hit save
I spent a while trying to figure out why I got the same problem. Compared my yaml to another yaml I had worked on previously and couldn't spot any problems, also verified the service connections.
But as #Levi Lu-MSFT mentions, verifying the yaml lead me to finding what caused my issue so I thought I'd share it here even though it's not 100% related:
My variables weren't indented correctly. I was a bit tired and thought DevOps was just goofing with me. So verify that your yaml is properly setup. Sometimes it can be really small things that causes these issues.
Related
I selected the Azure Subscription that matches the Subscription ID from my app service in Azure Portal, but I keep getting this message No Results Found when I try to select an App Service Name.
Please check if you Service connection is not limited to resource group. For instace this one is:
To check this please go to: Project Settings -> Service Connections -> end edit connection to see details.
Resource group should be empty if your choice is to do not limit connection to particular resource group.
So my guess is that your connection is limited to resource group which doesnt have app service.
I would suggest you to please check the App type i.e., webapp you created on window, or some other OS based on select the App type. I created my web app on Windows OS and can be able to see the app service name populating over here.
Search for the Task : AZURE APP SERVICE DEPLOY
I'm deploying an ARM template within an Azure Devops release pipeline. Amongst others, the ARM template looks up the connection string of an existing AppConfiguration instance and outputs it for use in a next step where I set the configuration of a resource.
This has worked fine for the first couple of releases. Since this week however I'm getting the following error:
AuthorizationFailed: The client 'adb4-etc' with object id 'adb4-etc' does not have authorization to perform action 'Microsoft.AppConfiguration/configurationStores/listKeys/action' over scope '/subscriptions/{guid}/resourcegroups/{rgname}/providers/Microsoft.AppConfiguration/configurationStores/{appConfigname}' or the scope is invalid. If access was recently granted, please refresh your credentials.
Just to be sure the problem isn't with the ARM template, I deployed it in the Azure portal using 'Deploy a custom template' and it worked fine, outputting the connection string to the AppConfiguration. However there it used my personal user account for authentication, of course.
The pipeline uses a service connection that is connected to a principal that does not have the client ID starting with adb4, and there is no principal (user, app registration, enterprise application) in our Azure AD that even starts with adb4. So in that sense the error is correct, but why is Azure Devops authenticating with this unknown principal?
The service connection principal has the Contributor role on the applicable AppConfiguration instance. This access was granted weeks ago.
I am trying to deploy an Azure Web App through a Jenkins scripted pipeline using the Azure App Service Plugin. This is my deploy-command (GUIDs have been changed):
azureWebAppPublish azureCredentialsId: 'a0774bb6-e471-47s9-92dc-5aa7b4t683e8', resourceGroup: 'my-demo-app', appName: 'MY-DEMO-APP', filePath: 'public/*, package.json'
When running the script I get the following error:
The client '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' with object id '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/81fd39sw-3d28-454c-bc78-abag45r5d4d4/resourceGroups/my-demo-app/providers/Microsoft.Web/sites/MY-DEMO-APP' or the scope is invalid. If access was recently granted, please refresh your credentials.
The strange thing is, the ID of this "client" that's missing authorization does not appear anywhere in the build plan. It's neither the ID or a part of the service principal nor the ID of the Container Registry credentials. It also doesn't appear on the machine that executes the build (I checked both the GUID of the mother board and the windows installation). Also the term client is not used for any part of the build plan, so I don't really know what's the actual issue in this case.
Please check out this tutorial that explains how to Set up continuous integration and deployment to Azure App Service with Jenkins and One of the best method to deploy to Azure Web App (Windows) from Jenkins : https://learn.microsoft.com/en-us/azure/jenkins/java-deploy-webapp-tutorial
To find the Azure AD user with the object id '03a1b3f9-a6fb-48bd-b016-4e37ec712f14', go to Azure portal, open Cloud Shell and run
Get-AzureADUser -ObjectId '03a1b3f9-a6fb-48bd-b016-4e37ec712f14'
To diagnose or troubleshoot the issue, go to Azure Portal -> Resource Groups -> my-demo-app -> MY-DEMO-APP -> Access control (IAM) -> Role assignments -> and then search for above found AD User and check if that user has atleast read permission.
Hope this helps!
Currently, trying to configure a release pipeline in Azure Devops. I've successfully created a CI pipeline that is working and running tests successfully. My release pipeline uses the artifacts from latest the CI build and should be deploying to azure. When I look at the logs I can see the the following were completed successfully:
Initialize Agent
Initialize job
Download arifact
and then the "Deploy to Azure App Service" fails with the logs showing the following details:
2019-02-07T19:06:57.5433805Z Got service connection details for Azure App Service:'MyApp'
2019-02-07T19:06:57.5487495Z ##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'MyAPP'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
2019-02-07T19:06:57.5496340Z Failed to add release annotation. TypeError: Cannot read property 'getApplicationSettings' of undefined
I haven't been able to find much to help with this so far. I created the release pipeline by selecting Azure App Service deployment from the templates for stage 1 of the pipline (I only have one stage) and I added an artifact who's source is from my build pipeline. I then selected the Tasks tab and selected my Pay-as-you-go subscription under "Available Azure Service Connections". After selecting my subscription, my app service name became available in the "App service name" dropdown and I selected it. I then hit save and tried to create a release but every release fails with the above error message.
What can I do to overcome this?
Finally found a solution to my issue. The problem was in the way I set up my service connection. I went to:
project settings -> service connections -> new service connection -> selected azure resource manager -> selected service principal authentication INSTEAD OF managed identity authentication -> a popup came up that allowed me to log in and authorize.
Then I used that service connection when creating the release pipeline instead of the pre-existing Pay-As-You-Go subscription that I used last time.
Previously when I tried this, I had an adblocker running and it blocked the popup which allowed me to authorize when I selected service principal authentication. That resulted in an "Unable to authorize account" error message which is why I went with managed identity authentication in the first place.
In my case, it was related to a chrome extension I have added 'enable CORS' plugin. After disabling, release pipeline worked nicely
I'm sitting in a project where I will move from TFS to VSTS so we do have a working release definition.
But when I try deploying a service fabric cluster i get the following error:
2018-08-28T09:02:59.8922249Z ##[error]An error occurred attempting to acquire an Azure Active Directory token. Ensure that your service endpoint is configured properly with valid credentials. Error message: Exception calling "AcquireToken" with "3" argument(s): "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '< service principle Id >'.
Trace ID: < guid1 is here >
Correlation ID: < guid2 is here >
Then I go to the azure portal -> AAD -> Sign In -> look up my specific sign in (based on correlation Id) and there it state that Sign-in status is Success
Considering this works for our TFS instance i assume the service principle is correctly set up. But since the build/deploy agents is now on a VM in azure instead of on prem for TFS, is there anything i need to change?
Traffic should be OK, i can navigate to the https-adress to the cluster from the VM with agents.
I've tried google it, but to no success so hopefully someone can point me to the right direction where to look.
And in portal, 'MFA is required' is no, so multi factor should not be neccesary.
Just try using certificate based authentication instead of using AAD Authentication in the service endpoint configuration.
Reference the same issue here: https://github.com/Microsoft/vsts-tasks/issues/7714
If that still not work, just try to create a new endpoint, then try it again.