So I'm trying to add a new task, Azure File Copy, to my release pipeline. The file copy is pulling a single file from a new Azure Repository I created in Azure DevOps recently and putting it into a specific blob container. However, I seem to be running into an error
[error]AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
I tried looking for possible solutions for this, but considering this is a new repository, I'm not sure what I need to do. With my current existing app, I do have access to Microsoft Azure portal. With the link that's given in the error, it talks about updating the certificate, but it never had one to begin with.
Failing Azure File Copy when deploying a release to test environment with Azure DevOps
You could try to check if the service connection fails in Azure DevOps if you are using the Service Principal account to create the connection.
The service principal credential lifetime defaults to one year.
If yes, please create new credentials, and then update the Service Connection in Azure DevOps.
You could check this blog and this document for some more details.
It may be that the AZCOPY_SPA_CLIENT_SECRET environment variable on the machine running the task, is set to a key that has expired.
See: https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
Related
I need to create Azure DevOps agent pool using Terraform.
In Terraform I'm using microsoft/azuredevops provider. And resource azuredevops_agent_pool
In conclusion, I have an error Error creating agent pool in Azure DevOps: Access denied. user needs Manage permissions to perform the action. For more information, contact the Azure DevOps Server administrator.
I have Administrator permissions in Azure Devops.
What can I try with this error?
UPD. I can create agent pool from Web UI azuredevops.
I am using authentication with PAT. PAT configured for FULL access.
UPD2. I understood that access on Project Level is other than access on Organization Level. So I have full access on Project Level but terraform is trying to create agent pull on Organization Level.
It's not possible at the moment. I face the same issue.
The issue is still opened since 2020.
https://github.com/Azure/terraform-azurerm-aci-devops-agent/issues/4
As mentioned on the README.md
Before running this module, you need to create an agent pool in your
Azure DevOps organization and a personal access token that it
authorized to manage this agent pool.
So it's not possible to automatically create an agent pool from the official Terraform azure DevOps provider
You might try to find a way through Azure DevOPS REST API:
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/elasticpools/create?view=azure-devops-rest-7.1
You might also find this GitHub issue comment useful:
https://github.com/microsoft/terraform-provider-azuredevops/issues/204#issuecomment-962504540
Someone has already developed a way to do with Terraform using local-exec combined with azure cli/PowerShell/rest api
I am able to create a new Azure App Service on my Azure subscription from VS code. If I then try to deploy my python web application to the App Service that I just created I get a "401 - Unauthorized: Access" error. If I logon to the Azure portal I can view my newly created App Service. I can see on the Access Control page that I am listed as a contributor. I am not sure why I can not deploy my code or view files. Does anyone have suggestions as to security settings to check? I need to be able to deploy my code. Thank you.
#Kachopsticks, Apologies! If my response is to too late. To benefit the community, sharing the steps that could help isolate such issues:
There is a way to disable basic auth access to the WebDeploy port and SCM site with basicPublishingCredentialsPolicies, see if this is the case.
basicPublishingCredentialsPolicies --parent sites/ --set properties.allow=false
https://learn.microsoft.com/azure/app-service/deploy-configure-credentials?tabs=cli#webdeploy-and-scm
You could re-download the publish profile from Azure portal, and import publish settings in Visual Studio for deployment.
In the Azure portal, open the Azure App Service.
Go to Get publish profile and save the profile locally.
A file with a .publishsettings file extension has been generated in the location where you saved it and you may import that in VS and then attempt to re-deploy.
Additionally, Azure App Service supports two types of credentials for local-Git and FTP/S deployment:
User-level credentials one set of credentials for the entire Azure account.
App-level credentials (one set of credentials for each app. It can be used to deploy to that app only) -. They can't be configured manually, but can be reset anytime. For a user to be granted access to app-level credentials via (RBAC), that user must be contributor or higher on the app (including Website Contributor built-in role). Readers are not allowed to publish, and can't access those credentials.
We have some unit tests/integration tests running on Azure build/release pipelines. There are few tests that retrieve secrets from key vault and these are failing because the code is written for fetching secrets from keyvault using MSI and Azure app authentication features. Since pipelines are not enabled for MSI, the keyvault calls are failing and hence the tests are also failing. What is the alternative that exists for this scenario where pipelines can access keyvault successfuly?
Note: I have already gone through articles suggesting to use variable groups and azure keyvault tasks but not helpful in my scenario .Looking for alternatives.
Note: I have already gone through articles suggesting to use variable
groups and azure keyvault tasks but not helpful in my scenario.Looking
for alternatives.
You can try two directions:
Configure a self-hosted agent to run your pipeline in local environment. Of course the agent should be configured with your managed identity.
According to step5 from this blog:
AzureServiceTokenProvider will use the developer's security context to get a token to authenticate to Key Vault. This removes the need to create a service principal, and share it with the development team. It also prevents credentials from being checked in to source code. AzureServiceTokenProvider will use Azure CLI or Active Directory Integrated Authentication to authenticate to Azure AD to get a token. That token will be used to fetch the secret from Azure Key Vault.
You can use Azure Cli task to run your tests in command-line. Check this similar issue.
I am facing an issue on Azure Data Factory when I try to access the Azure DevOps Git Repository that I configured. The error message is: "Invalid GIT configuration. You need to gain access to the repository before you can publish any changes. Details: Authentication error - you do not have access to the provided Azure DevOps account."
I am using the same account on both DevOps and Data Factory. My Azure portal access is "Contributor" at the subscription level and my DevOps role is Project Administrator on the project.
Regards,
Tania
I've tried various combinations of creating the repository as new from Data Factory as well as using an existing one created (by myself) in Azure DevOps.
From https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles in the Open Feedback items a user mentions that "the Build-in role Data Factory Contributor this is not in Allow part:
Action:Microsoft.DataFactory/locations/configureFactoryRepo/action"
I investigated the the contributor role and it appears to have the Action allowed as "Read" ?
ADF Repo Settings
ADF Repo Error
After the detailed message shared from #taniaw, this issue caused by the account confused.
Here has 2 accounts, A#abc.com, and A#efg.com.
When login to azure portal with A#abc.com, and configure the Azure Devops Git. It's all correct. Now, the issue is when go Azure Devops Git tab after the repos configured successfully, its access account used in the backend changed into A#efg.com. But this account does not has permission to access the organization and repos. That's why when click the Azure Devops Git tab, it is grey and receiving the error message "You do not access to the repository".
These detailed message can all be viewed by Fiddler. Everyone can use fiddler trace to know the exactly error caused then analyze it.
At last, the solution is this is the account mapping confused issue which need Azure Account Team support.
Verify the User configuration at Organization level:
The default is "Stakeholder" - it should be "Basic" actually.
Hope it is useful.
This issue was resolved today. The cause was a different Azure DevOps tenant where my account had been added as a guest had used an email account instead of my Azure AD account and this caused the confusion when passing credentials from Azure Data Factory to Azure DevOps. The issue was resolved by leaving the organization that had my user mis-configured as I'm no longer actively working on that project. A better solution may have been to have their Azure AD administrator update my guest account to the correct details.
I am trying to follow https://blogs.msdn.microsoft.com/tfssetup/2016/04/01/build-and-deploy-azure-web-apps-using-team-foundation-serverservices-vnext-builds/.
I have no issues deploying the web app manually from Visual Studio using PublishingSettings and Publish option. I just want to automate the process and I am stuck at this step:
The article clearly advises
Select the Certificate Based connection. This is very important when
you are trying to deploy. Credential based Microsoft Account
(#outlook, #hotmail) are no longer supported and only Organizational
accounts are. Even then, if they use Two-Factor Authentication(2FA),
the build will fail trying to connect to Azure.
This is correct and if I try to use Credentials, my deployment fails with unknown_user_type: Unknown User Type
There was an error with the Azure credentials used for deployment. message.
So >> Certificate. But in my PublishSettings file there is no Management Certificate and as per this article
Azure Management Certificates and Publishing Setting files (...) are
only intended and limited to manage Azure Service Management (ASM)
resources
I tried this option:
But VSTS is not connected to the Azure environment (considering that Azure belongs to one Customer and VSTS to another, is it even possible?).
My questions:
* Is it the deployment somehow possible with PublishSettings file?
* Should the "Credentials" option work if I am using an organizational account Me#Company.com?
* How else can I try?
EDIT
Your solution could be creating a service principal in Azure and connect it to VSTS. The automatic Build from VSTS should then be published to Azure automatically. Here you find how to setup the service principal and connect it to VSTS: https://www.petri.com/connect-visual-studio-team-services-azure-using-service-principal-name
I am not sure right now, whether you are using TFS or VSTS?! When I publish a Web App in VSTS, the ARM Service Endpoints works well: