We have created a package in our company's Azure DevOps organization; it is uploaded as an artifact and can be used in pipelines in the same organization. This all works perfectly.
We now want to use the same package in a narrow, clearly defined set of other organizations. But when we try to access the package from within a pipeline of another organization, we receive an error message: The package is not found.
How can we give other "organizations" in Azure DevOps access to the package?
How can we give other "organizations" in Azure DevOps access to the package?
You can use service connections to do that. The service connection type you need to choose depends on the type of your package.
Here is an example of getting access to a universal package from another organization.
Step1:
Go to Project Settings -> Pipelines/Service connections -> New service connection -> Azure Repos/Team Foundation Server -> Next.
Connect this project to the organization of the package.
Step2:
If you are using Classic UI pipeline, add a built-in task 'Universal packages'. Choose 'Another organization/collection' in 'Feed location'. Choose the connection you created in step1 and fill in information of the feed.
If you are using YAML, add the following task:
- task: UniversalPackages#0
displayName: 'Universal download'
inputs:
feedsToUse: external
externalFeedCredentials: {service connection}
# if you are using project-scoped feed, replace {feed} with {project/feed}
feedDownloadExternal: {feed}
packageDownloadExternal: {package}
versionDownloadExternal: {version number}
If you want to connect to a Npm/Nuget/Maven/... package, you need to create a correspondant service connection and use Feed URL instead of organization URL. Then in pipeline, you need to run an authenticate task (you can find it in built-in task list) before using the package. Click this document for detailed information.
Related
I am creating a new Azure Pipeline to deploy .NET Core API app to an App Service in Azure. I am using connection type=publish profile in the pipeline, which is asking for a .pubxml file.
I have already committed the .pubxml file in my Azure repository.
But while giving the path for getting this .pubxml file, I am suspecting that I can't get .pubxml file through build artifacts. Is there any way to get the .pubxml file from azure repos to release pipeline?
I tried with $(Build.SourcesDirectory)\${{ parameters.Location }}\Properties\PublishProfiles\fcmapapi_Dev%20-%20Web%20Deploy.pubxml but no luck.
Any suggestions?
Step 1: Add Azure Repos / Build artifact with an alias to your release pipeline.
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/artifacts?view=azure-devops#artifact-sources
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/artifacts?view=azure-devops#artifact-sources---tfvc-git-and-github
Add "Build" resources as an artifact:
Add "Azure Repository" as an artifact:
Once, you have added both, the classic release pipeline will look like this:
Step 2: Use the three dots to browse the files / packages.
I can't seem to authorize access to my Azure subscription in Azure DevOps to run a build whenever a commit is pushed to master. I keep getting the below error:
Also, when I click Authorize resources, it says the authorization was successful, but the next time I run the pipeline, I get the same exact error. I verified in Project settings -> Service connections that I have an active connection to the subscription.
How can I get around this issue? When I go to Deployment Center in Azure Functions and wire up the connection there, it creates a task-based pipeline, but I want to use yaml.
The above indicates the azureSubscription you specified in your azure function deployment task doesnot exist, or you didnot have the permission.
If the service connection is already correctly setup, but you still encounter above error. You can follow below to troubleshoot the issue.
1, Check your yaml pipeline.
The azure subscription is validated at compile time. If you use variables to reference the azure subscription yaml pipeline. You need to make sure the variable can be retrieved at compile time.
You can check out this thread.
2, Check the service connection security setting.
Go to project settings-->Service Connections under Pipelines--> Select your azure service connection --> More settings(3 dots)-->Security-->Try adding your pipeline to the Pipeline permissions list.
If the azure subscription service connection is not set up. You need to create an service connection of azure Resource Manager type to connect to your azure subscription. See below steps:
1, Go to project settings-->Service Connections under Pipelines--> New Service connection-->Select Azure Resource Manager--> Next
2, Then select the Authentication method. If your azure devops is connected to AAD. You can select Service principal (automatic) as Authentication method. This will automatically create a service principal in your Azure AD.
3, If you want to create new service principal. You can select Service principal (manual). See below document to create service principal in Azure
Use the portal to create an Azure Active Directory application and a service principal that can access resources
Use Azure PowerShell to create an Azure service principal with a certificate
Then enter the related information in the service connection configuration page.
After the your azure subscription service connection is created. You can use it in your yaml pipeline task by specify the service connection name. See below example:
- task: AzureFunctionApp#1
displayName: Azure Function App Deploy
inputs:
azureSubscription: myAzureSubscription
Note: You need to add the correct role assignment for above service principal to enable the service principal to deploy to your azure resources.
You must create a new connection from the task itself (you may need to use the advanced options to add an existing service principal).
under "Azure subscription" click the name of the subscription you wish to use
Click the drop down next to "Authorize" and open advanced options
Click " use the full version of the service connection dialog."
Enter all your credentials and hit save
I spent a while trying to figure out why I got the same problem. Compared my yaml to another yaml I had worked on previously and couldn't spot any problems, also verified the service connections.
But as #Levi Lu-MSFT mentions, verifying the yaml lead me to finding what caused my issue so I thought I'd share it here even though it's not 100% related:
My variables weren't indented correctly. I was a bit tired and thought DevOps was just goofing with me. So verify that your yaml is properly setup. Sometimes it can be really small things that causes these issues.
I have followed these steps:
I installed `Google Cloud Build app on Github, linked it to Cloud Build and configured it to use a certain repository (a private one)
I set up a trigger at Cloud Build: Push to any branch
the project has no app instances after deploying (App Engine -> Dashboard)
My cloudbuild.yarml looks like this:
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['app', 'deploy', '--project=project-name', '--version=$SHORT_SHA']
If I try to run the trigger manually: I get this error in Google Cloud:
unable to get credentials for cloud build robot
I have also tried to set IAM roles based on this article but using #cloudbuild.gserviceaccount.com doesn't seem to be a valid "member" (perhaps I need two projects, one for running and one for building the app?)
How do I fill the gaps / fixes the errors mentioned?
It seems the error message looking for credential that has the required permission. From the article that you are following, in the step #4, don't add manually the Service Account for Cloud Build. Check if you enable the Cloud Build API in your project, if the API is disabled try to enable. It will automatically create the Service Account for Cloud Build and look likes this:
[PROJECT_NUMBER]#cloudbuild.gserviceaccount.com
Once the service account is created, go to Cloud Build > Setting page and enable the required roles for you application.
I am building a report to summarize release definitions in Azure DevOps. This report will perform various checks to determine the health of the release definition. One of the checks I would like to implement is to determine if the Azure Service Connection the deployment phase is set to is still valid.
Currently I'm able to retrieve the YAML for the release definition, and the release instances however neither seem to indicate the specific service connection that's being used. The PowerShell commands I'm using are:
az pipelines release definition show
az pipelines release show
The YAML returned has several nodes such as deployPhases, deploySteps, releaseDeployPhases, deploymentJobs however for a release definition configured for a service connection I don't see any information in the release definition or the instance that indicates which service connection is being used.
The closest the YAML has to information about a service connection are references to variable such as $(ConnectedServiceName) and $(Parameters.ConnectedServiceName).
I'm also unable to find any information in either the Azure CLI or Rest API documentation on how to find the service connection for a release definition. The documentation I have checked is:
YAML Schema: https://learn.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=schema
Azure-DevOps (Azure CLI): https://learn.microsoft.com/en-us/cli/azure/ext/azure-devops/?view=azure-cli-latest
Is it possible to query the CLI and retrieve Service Connection information based on the YAML returned for a release definition, or a release instance?
Service Connections are stored at Azure DevOps project level, so you can retrieve them from DevOps Rest API:
GET https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/endpoints?api-version=5.1-preview.2
More information at https://learn.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints/get%20service%20endpoints?view=azure-devops-rest-5.1
I am currently creating a CI for the FrontEnd of one of our client.
We need to copy the file coming from our repo the container account of the compagny that manage the operational part (we are only providing the code).
So , the company that will manage the infrastructure has Given us the storage account name (testdeploy) , the container name (artifact-deply) and the key (securekey).
I have managed to connect to the storage via Azure Storage Explorer , but now I need to deploy the artifact on this container via the CI.
The problem is , I don't know how , and I can't find documentation on how to proceed , every doc talk about deploying to a container in the same subscription.
But I do not have acces to this container , I only have it's name and key.
Here is the Yaml to what I have already setup , I do not know if i can help:
steps:
- task: AzureFileCopy#2
displayName: 'AzureBlob File Copy'
inputs:
SourcePath: '$(System.DefaultWorkingDirectory)/_listes-Azure/buildtest'
azureSubscription: 'Paiement à l''utilisation(my_subscription)'
Destination: AzureBlob
storage: testdeploy
ContainerName: 'artifact-deploy/front'
AdditionalArgumentsForBlobCopy: 'securekey'
outputStorageUri: 'https://testdeply.blob.core.windows.net/'
outputStorageContainerSasToken: 'securekey'
Of course when i do this I have this error message :
2019-10-25T10:45:51.1809999Z ##[error]Storage account: fprplistesdeploy not found. The selected service connection 'Service Principal' supports storage accounts of Azure Resource Manager type only.
Since It's not in my subscription scope , it can't acces it.
What I am doing wrong ?
I am using the AzurFileCopy task , is it good?
How can I setup the AzurFileCopy task to a container account that is not on my subscription scope , knowing that the only thing i have is a account name , and a key?
Thanks in advance !
What you basically have to do is to create and use a Shared Access Signature (SAS) to deploy resources into this blob container. Since you have the storage account key you can create a SAS token with Azure Storage Explorer.
Then use Azure Cloud Shell or Azure CLI on local machine for testing purposes. Try to copy a file into the blob container using a SAS token for authorization. If you have problems with authorization using a SAS token you can also test access using Azure Storage Explorer. Such basic tasks are widely known and well documented.
Finally find a way to run the file copy command used while testing in an Azure Pipeline Task. If Azure File Copy task does not fit to your use case, use a more generic task like an Azure CLI task. From reading over the docs it might be that it does not support your use case although the task name indicates that. I see your point. Find out how to access the artifact provided by the build pipeline and copy the file resources into the storage account. If that basically works find out how to improve it. Voila.
So I managed to do it.
Turns out , you can't do it via the AzureFile Copy , this task can't upload to as Container outside your subscription.
You must use an Azur CLI task , here is the script I used:
#!/bin/bash
az storage blob upload --container-name artifact --file $(System.DefaultWorkingDirectory)/artifact_deply/buildtest/front.zip --name front --account-key securekey
I changed all the variable but the idea is here ( I declared the account name in the variable panel of azur devops).
I used the account key , because I had error with the SAS URL , but I think you can easily use the Azur devops variable to pass the SAS Token URL.
And I created a task before this one to zip all the folder , so it's easier to manage.