In Azure DevOps, I have created a service connection (type: Azure Resource Manager) to be able to upload files to Azure Blob Storage.
Then I have added the Storage Blob Data Contributor role for this service principal under Access Control (IAM) in my Azure Storage account by searching for the service principal's name under Select.
I have noticed that each time I create a new DevOps pipeline that uses the (same) service connection, I need to add the Storage Blob Data Contributor role again because under Select, there are then multiple items with the same (service principal's) name. It's not clear why there are multiple items and it's also unclear which one is the newest, such that I am just adding all items as a workaround.
Is there anything that I am missing to avoid ending up with dozens of items to select when assigning roles for a new pipeline that uses the same service connection?
By design, one service connection maps to one single service principal.
Your issue is most likely that you never assigned the actual service principal ID to that service connection while configuring it. When the system finds there is no principal there, it will automatically create one for it in Azure.
Please give the full parameter values there, including the service principal ID and secret, when you create the service connection.
Then you can just grant the permission to the currently used service principal.
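The answer above says to grant the role to the principal the connection actually uses. As an added example (not part of the original answer), the following Az PowerShell script resolves that principal by its application (client) ID rather than by display name, since the display name is what makes the duplicates in the portal ambiguous, assigns Storage Blob Data Contributor at storage-account scope by object ID, and then lists any other principals with the same display name that still hold that role there, which are the stale ones left over from the "add all items" workaround. The application ID, resource group and storage account names are placeholders; the application ID is the "Service Principal Id" shown on the service connection under Project settings.

```powershell
# Added example (not from the original post). Requires the Az module and Connect-AzAccount.
# Placeholders: replace with the Service Principal Id shown on the service connection,
# and the resource group / storage account you are granting access to.
$appId              = '00000000-0000-0000-0000-000000000000'
$resourceGroupName  = 'rg-example'
$storageAccountName = 'stexample'
$roleName           = 'Storage Blob Data Contributor'

# Resolve the principal by application ID: unlike the display name, this is unique,
# so it picks exactly the principal the service connection authenticates as.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal found for application ID $appId" }

$scope = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).Id

# Assign by object ID instead of searching a name in the portal; skip if already present.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Granted '$roleName' on $storageAccountName to $($sp.DisplayName) ($($sp.Id))"
} else {
    Write-Host "$($sp.DisplayName) ($($sp.Id)) already holds '$roleName' on $storageAccountName"
}

# Least-privilege check: other principals with the same display name (the duplicates that
# appeared under Select) still holding this role here are stale and should be reviewed.
$stale = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleName |
    Where-Object { $_.ObjectType -eq 'ServicePrincipal' -and
                   $_.DisplayName -eq $sp.DisplayName -and
                   $_.ObjectId -ne $sp.Id }
foreach ($a in $stale) {
    Write-Warning "Stale assignment: $($a.DisplayName) (object ID $($a.ObjectId)) still has '$roleName' on $storageAccountName"
    # Uncomment only after confirming no pipeline still authenticates as that principal:
    # Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $roleName -Scope $scope
}
```

The removal is left commented out on purpose: a stale-looking principal may still be referenced by an older service connection, so confirm that before revoking.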
I have an app service that needs to connect to Azure Key Vault to obtain Storage and Cosmos DB connection strings. The same application also needs to use service principal name (with client id and secret) to connect directly to a SQL PaaS instance (not via Azure Key Vault). Can I use one single service principal for both?
Can I use one single service principal for both?
Sure you can. As long as the Service Principal has appropriate permissions to access both Azure Key Vault and SQL Database, it should be able to access these resources.
The key thing here is that your Service Principal must be assigned appropriate RBAC roles. For example, if you assign your Service Principal a Contributor role in an Azure Subscription, then you can manage all resources of your Azure Subscription (except role assignment) using that Service Principal.
According to this, when you create an Azure Resource Manager service connection to a certain Resource Group, Azure DevOps connects with Azure Active Directory (Azure AD) and creates an app registration with a secret that's valid for two years.
Well, what exactly are the permissions given to this app registration over the Resource Group? The same as the account which is creating the service connection?
When you create an automated Azure Resource Manager service connection in Azure DevOps, it will automatically create a service principal in Azure Active Directory (named: Orgname-projectname-SubscriptionID).
You could navigate to Azure Portal -> Azure Active Directory -> App registrations.
When using this automatic service connection in Azure DevOps, Azure resources are operated through this service principal instead of the account which is creating the service connection.
This service principal has the Contributor role in Azure Resource Group.
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
You can search for the service principal name in Resource Group -> Access control to check its permissions.
what exactly are the permissions given to this app registration over the Resource Group?
It is a Contributor role, also did a quick test for you.
The same as the account which is creating the service connection?
No, the account needs to be the Owner of the subscription, otherwise it will not have the permission to assign the role to the AD app, i.e. the service principal.
I have created a release pipeline for an Azure function that I developed. But to publish the artifact to the Azure resource, is there a way I can deploy it through a PAT (like how we publish VSS extensions to the marketplace)? Because the subscription belongs to another person but I want to be able to deploy. If not a PAT, is there an alternate way to deploy when I don't have the subscription? Thanks
Don't know if it makes sense because I am new to this :)
You can use Service Connection to Azure Resource Manager with Service Principal in "Manual mode".
Manual subscription pipeline. In this mode, you must specify the service principal you want to use to connect to Azure. The service principal specifies the resources and the access levels that will be available over the connection. Use this approach when you need to connect to an Azure account using different credentials from those you are currently logged on with in Azure Pipelines or TFS. This is also a useful way to maximize security and limit access.
First ask an owner of the subscription to create a Service Principal (app registration) with access to subscription, then it will be just a matter of creating service connection in DevOps (project settings -> pipelines -> service connections) with proper service principal id, key, subscription id, name etc.
You can find really good tutorial for that here
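The two threads above describe the same trade-off from both sides: the automatic service connection creates a principal with Contributor on the resource group and a two-year secret, while manual mode lets the subscription owner decide what the principal can reach. As an added example (not code from the original answers or from Microsoft), the following Az PowerShell does the owner's part of the manual-mode setup: it creates the principal, grants Contributor scoped to one resource group rather than the subscription, adds a credential that expires in six months instead of two years, and prints the fields the manual Azure Resource Manager service connection asks for. Subscription ID, resource group and display name are placeholders; it assumes a current Az module in which New-AzADServicePrincipal does not assign a role on its own, and that the account running it can assign roles on the resource group (Owner or User Access Administrator).

```powershell
# Added example (not from the original answers). Requires the Az module and Connect-AzAccount
# as an account that can create app registrations and assign roles on the resource group.
# Placeholders: subscription ID, resource group and display name.
$subscriptionId    = '00000000-0000-0000-0000-000000000000'
$resourceGroupName = 'rg-example'
$displayName       = 'sp-devops-rg-example'

# Scope the role to the resource group the pipeline deploys to, not the whole subscription.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"

# Create the service principal, then grant the role explicitly (assumption: this Az version
# does not assign a role by default). Retry briefly, since a freshly created principal can
# take a few seconds to become visible to the role-assignment API.
$sp = New-AzADServicePrincipal -DisplayName $displayName
$assigned = $false
for ($attempt = 1; $attempt -le 6 -and -not $assigned; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Could not assign Contributor on $scope to $($sp.Id)" }

# Add a credential with a six-month lifetime so a leaked secret has a bounded life.
# Assumption: you rotate it before EndDateTime; the expiry is printed so it can be tracked.
$cred = New-AzADSpCredential -ObjectId $sp.Id -EndDate (Get-Date).AddMonths(6)

# These are the values the "Manual" Azure Resource Manager service connection asks for.
# SecretText is shown only once: paste it into the service connection and do not store it elsewhere.
[pscustomobject]@{
    SubscriptionId      = $subscriptionId
    TenantId            = (Get-AzContext).Tenant.Id
    ServicePrincipalId  = $sp.AppId        # "Service Principal Id" field (application/client ID)
    ServicePrincipalKey = $cred.SecretText # "Service Principal key" field
    SecretExpires       = $cred.EndDateTime
}
```

Handing the developer only these four values, rather than Owner or even Reader on the subscription, is what the quoted documentation means by limiting access: the pipeline can deploy into that one resource group and nothing else.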
I'm looking for my VSTS deployment agent service principal to get the Object ID of a managed service principal (created by Data Factory V2).
It needs this for assigning ACLs in Data Lake Store.
However as far as I can tell, it requires Read Permission on Azure AD.
I wish to avoid granting it read permission if possible, to follow the 'least privilege' mantra.
For non-managed service principals, I allow the deployment agent to manage service principals it has created (thus not needing full read access). However I suspect the fact that the service principals are managed by Azure it is unlikely I'll be able to give the deployment agent any ownership over the managed service principal (however I'm working with AD admins to see if there is a way).
I've tried everything I can think of mixing and matching Azure RM data factory v2 powershell modules and Azure AD modules.
Is it possible to get the id without Azure AD read access? Or a novel workaround (I'm considering a constrained Web API wrapper)?
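One route worth checking against the question above, as an added example rather than the asker's own approach: for a system-assigned managed identity, Azure Resource Manager exposes the identity's object ID on the Data Factory resource itself (identity.principalId), so the deployment principal needs only Reader on the factory, an ARM permission, and no directory read permission in Azure AD. The Az PowerShell below reads the ID that way and uses it for a Data Lake Storage Gen1 ACL entry. Resource names are placeholders; it assumes the factory was created with a system-assigned identity and that the deploying principal already has the right to set ACLs on the store.

```powershell
# Added example (not from the original post). Requires Az.DataFactory and Az.DataLakeStore.
# Placeholders: resource group, factory name, Data Lake Storage Gen1 account and folder.
$resourceGroupName = 'rg-example'
$factoryName       = 'adf-example'
$dataLakeAccount   = 'adlsexample'
$folderPath        = '/data/ingest'

# The managed identity's object ID is part of the ARM resource, so reading it needs only
# Reader on the factory, not directory read permission in Azure AD.
$factory     = Get-AzDataFactoryV2 -ResourceGroupName $resourceGroupName -Name $factoryName
$principalId = $factory.Identity.PrincipalId
if (-not $principalId) {
    throw "Factory $factoryName has no system-assigned identity; enable it first."
}
Write-Host "Data Factory managed identity object ID: $principalId"

# Gen1 ACLs are POSIX-style: the identity needs Execute on every parent folder to traverse,
# and the access permission on the target folder itself.
foreach ($parent in @('/', '/data')) {
    Set-AzDataLakeStoreItemAclEntry -Account $dataLakeAccount -Path $parent `
        -AceType User -Id $principalId -Permissions Execute
}

# Access ACL on the target folder, plus a default ACL so newly created children inherit it.
Set-AzDataLakeStoreItemAclEntry -Account $dataLakeAccount -Path $folderPath `
    -AceType User -Id $principalId -Permissions All
Set-AzDataLakeStoreItemAclEntry -Account $dataLakeAccount -Path $folderPath `
    -AceType User -Id $principalId -Permissions All -Default
```

Execute-only on the parents and full rights only on the target folder keeps the factory's identity, and the deployment principal that configures it, to the least privilege the question is after.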
I can't create an Azure Batch service. I keep getting error: "Please assign Contributor role to "MicrosoftAzureBatch" service principal through your Subscription's Access control (IAM) blade." even after adding it to my subscription Access control (IAM):
We could get the detailed steps about how to create a Batch account with the Azure portal from the official Azure document. It is odd that you cannot create the service if you have assigned the Contributor role.
If it is still not working for you, please try to create a Batch account in the default mode. As the document mentions, user subscription mode is no longer recommended for most scenarios.
When creating a Batch account, you should generally choose the default Batch service mode, in which pools are allocated behind the scenes in Azure-managed subscriptions. In the alternative user subscription mode, which is no longer recommended for most scenarios, Batch VMs and other resources are created directly in your subscription when a pool is created. To create a Batch account in user subscription mode, you must also register your subscription with Azure Batch, and associate the account with an Azure Key Vault.
I've already fixed the problem. It seems there was a permissions issue, and the error message was not clarifying at all, though. I've been able to create the Azure Batch service by logging into the Azure portal with the subscription owner account, instead of mine.