Currently, trying to configure a release pipeline in Azure Devops. I've successfully created a CI pipeline that is working and running tests successfully. My release pipeline uses the artifacts from latest the CI build and should be deploying to azure. When I look at the logs I can see the the following were completed successfully:
Initialize Agent
Initialize job
Download arifact
and then the "Deploy to Azure App Service" fails with the logs showing the following details:
2019-02-07T19:06:57.5433805Z Got service connection details for Azure App Service:'MyApp'
2019-02-07T19:06:57.5487495Z ##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'MyAPP'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
2019-02-07T19:06:57.5496340Z Failed to add release annotation. TypeError: Cannot read property 'getApplicationSettings' of undefined
I haven't been able to find much to help with this so far. I created the release pipeline by selecting Azure App Service deployment from the templates for stage 1 of the pipline (I only have one stage) and I added an artifact who's source is from my build pipeline. I then selected the Tasks tab and selected my Pay-as-you-go subscription under "Available Azure Service Connections". After selecting my subscription, my app service name became available in the "App service name" dropdown and I selected it. I then hit save and tried to create a release but every release fails with the above error message.
What can I do to overcome this?
Finally found a solution to my issue. The problem was in the way I set up my service connection. I went to:
project settings -> service connections -> new service connection -> selected azure resource manager -> selected service principal authentication INSTEAD OF managed identity authentication -> a popup came up that allowed me to log in and authorize.
Then I used that service connection when creating the release pipeline instead of the pre-existing Pay-As-You-Go subscription that I used last time.
Previously when I tried this, I had an adblocker running and it blocked the popup which allowed me to authorize when I selected service principal authentication. That resulted in an "Unable to authorize account" error message which is why I went with managed identity authentication in the first place.
In my case, it was related to a chrome extension I have added 'enable CORS' plugin. After disabling, release pipeline worked nicely
Related
I’m trying to queue Azure DevOps pipeline from Azure Logic App. When I create workflow, the connection is configured correctly without any issue. However, the project dropdown list is unable to populate team project and same as build definition id dropdown list. The organization dropdown list is populated correctly. I do have team project administrator to the team project, and do have logic app contributor. I'm also able to get list of team project from this organization using REST-API. Here is an error I got:
Could not retrieve values. Error code: ‘Unauthorized’, Message: ‘TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource.
Azure DevOps ActivityId: 0ba5ef8c-4ac4-4810-bf92-7835ca5bf444
Details: TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource.
clientRequestId: eae306a3-f638-424b-96e5-579a70c9dcf7’. More diagnostic information: x-ms-client-request-id is ‘F6A975D5-74AA-41E3-9DCA-70A508139387’.
Error code: ‘Unauthorized’, Message: ‘TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource. Azure DevOps ActivityId: 0ba5ef8c-4ac4-4810-bf92-7835ca5bf444
According to the error message, it may be that the account you logged in in the Queue a build action selected the wrong domain (AAD directory).
You can try the following steps to sign in the account again in the queue a build action.
Here are the steps:
Step1: Navigate to this user Profile URL: https://aex.dev.azure.com/me?mkt=zh-CN&campaign=o~msft~old~vsts~profile
Then you could select the correct AAD directory.
Step2: Sign in your account to Azure DevOps in Azure Logic App again.
You need to check if the domain is correct.
I can't seem to authorize access to my Azure subscription in Azure DevOps to run a build whenever a commit is pushed to master. I keep getting the below error:
Also, when I click Authorize resources, it says the authorization was successful, but the next time I run the pipeline, I get the same exact error. I verified in Project settings -> Service connections that I have an active connection to the subscription.
How can I get around this issue? When I go to Deployment Center in Azure Functions and wire up the connection there, it creates a task-based pipeline, but I want to use yaml.
The above indicates the azureSubscription you specified in your azure function deployment task doesnot exist, or you didnot have the permission.
If the service connection is already correctly setup, but you still encounter above error. You can follow below to troubleshoot the issue.
1, Check your yaml pipeline.
The azure subscription is validated at compile time. If you use variables to reference the azure subscription yaml pipeline. You need to make sure the variable can be retrieved at compile time.
You can check out this thread.
2, Check the service connection security setting.
Go to project settings-->Service Connections under Pipelines--> Select your azure service connection --> More settings(3 dots)-->Security-->Try adding your pipeline to the Pipeline permissions list.
If the azure subscription service connection is not set up. You need to create an service connection of azure Resource Manager type to connect to your azure subscription. See below steps:
1, Go to project settings-->Service Connections under Pipelines--> New Service connection-->Select Azure Resource Manager--> Next
2, Then select the Authentication method. If your azure devops is connected to AAD. You can select Service principal (automatic) as Authentication method. This will automatically create a service principal in your Azure AD.
3, If you want to create new service principal. You can select Service principal (manual). See below document to create service principal in Azure
Use the portal to create an Azure Active Directory application and a service principal that can access resources
Use Azure PowerShell to create an Azure service principal with a certificate
Then enter the related information in the service connection configuration page.
After the your azure subscription service connection is created. You can use it in your yaml pipeline task by specify the service connection name. See below example:
- task: AzureFunctionApp#1
displayName: Azure Function App Deploy
inputs:
azureSubscription: myAzureSubscription
Note: You need to add the correct role assignment for above service principal to enable the service principal to deploy to your azure resources.
You must create a new connection from the task itself (you may need to use the advanced options to add an existing service principal).
under "Azure subscription" click the name of the subscription you wish to use
Click the drop down next to "Authorize" and open advanced options
Click " use the full version of the service connection dialog."
Enter all your credentials and hit save
I spent a while trying to figure out why I got the same problem. Compared my yaml to another yaml I had worked on previously and couldn't spot any problems, also verified the service connections.
But as #Levi Lu-MSFT mentions, verifying the yaml lead me to finding what caused my issue so I thought I'd share it here even though it's not 100% related:
My variables weren't indented correctly. I was a bit tired and thought DevOps was just goofing with me. So verify that your yaml is properly setup. Sometimes it can be really small things that causes these issues.
I have a release setup that I'm trying get out through Azure Devops release pipelines. This is based on another release that I've cloned and works fine.
The issue is that the template is failing a validation check and not going any further. Strange thing is i'm able to check the syntax successfully with new-AzResourceGroupDeployment and test-AzResourceGroupDeployment. It reports no errors and has been deploying fine.
Using Azure Devops release the error coming back is:
2020-02-26T12:26:16.2632844Z ==============================================================================
2020-02-26T12:26:16.2633634Z Task : ARM template deployment
2020-02-26T12:26:16.2634204Z Description : Deploy an Azure Resource Manager (ARM) template to all the deployment scopes
2020-02-26T12:26:16.2634534Z Version : 3.1.19
2020-02-26T12:26:16.2634945Z Author : Microsoft Corporation
2020-02-26T12:26:16.2635504Z Help : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment
2020-02-26T12:26:16.2635948Z ==============================================================================
2020-02-26T12:26:16.8677026Z ARM Service Conection deployment scope - Subscription
2020-02-26T12:26:16.8760315Z Checking if the following resource group exists: myResourceGroup.
2020-02-26T12:26:17.2234188Z Resource group exists: true.
2020-02-26T12:26:17.2259290Z Creating deployment parameters.
2020-02-26T12:26:17.2558066Z The detected encoding for file 'd:\a\r1\a\_Azure-Infrastructure\myResourceGroup\deployment\azuredeploy.json' is 'utf-8'
2020-02-26T12:26:17.2561303Z The detected encoding for file 'd:\a\r1\a\_Azure-Infrastructure\myResourceGroup\deployment\param.dev.json' is 'utf-8'
2020-02-26T12:26:17.5304032Z Starting template validation.
2020-02-26T12:26:17.5304834Z Deployment name is Release-vstfs:///ReleaseManagement/Release/95
2020-02-26T12:26:17.5877973Z ##[warning]Validation errors were found in the Azure Resource Manager template. This can potentially cause template deployment to fail. Template validation failed. Error: {"message":"No HTTP resource was found that matches the request URI 'https://management.azure.com/subscriptions/mySubscription/resourcegroups/myResourceGroup/providers/Microsoft.Resources/deployments/Release-vstfs:/ReleaseManagement/Release/95/validate?api-version=2017-05-10'."}.. Please follow https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax
2020-02-26T12:26:17.5890527Z Starting Deployment.
2020-02-26T12:26:17.5891348Z Deployment name is Release-vstfs:///ReleaseManagement/Release/95
2020-02-26T12:26:17.6289831Z There were errors in your deployment. Error code: undefined.
2020-02-26T12:26:17.6291819Z ##[error][object Object]
2020-02-26T12:26:17.6295387Z ##[error]Task failed while creating or updating the template deployment.
2020-02-26T12:26:17.6399260Z ##[section]Finishing: ARM Template deployment: Resource Group scope
Looking the log above, I'm not sure if it's failing on the validation errors or on the error near the end with a undefined error code.
The task is from another subscription and it's listed in the Azure Resource Manager connection on the task and also lists the subscription and the resource groups in the subscription.
Anyone any ideas on how I can get this working or where to start troubleshooting?
your deployment name is:
Release-vstfs:/ReleaseManagement/Release/95
fairly certain that's not allowed (/). so you need to set your deployment name to something reasonable.
ps. : might not be allowed as well
Did you look at the Activity Log in Azure portal?
All deployment attempts are logged here. Look in particular at the JSON pane, often the real issue is only displayed here.
Otherwise, if it doesn't reach Azure, can you double check the service connection in Azure DevOps? (in particular the related user permission in Azure)
I'm sitting in a project where I will move from TFS to VSTS so we do have a working release definition.
But when I try deploying a service fabric cluster i get the following error:
2018-08-28T09:02:59.8922249Z ##[error]An error occurred attempting to acquire an Azure Active Directory token. Ensure that your service endpoint is configured properly with valid credentials. Error message: Exception calling "AcquireToken" with "3" argument(s): "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '< service principle Id >'.
Trace ID: < guid1 is here >
Correlation ID: < guid2 is here >
Then I go to the azure portal -> AAD -> Sign In -> look up my specific sign in (based on correlation Id) and there it state that Sign-in status is Success
Considering this works for our TFS instance i assume the service principle is correctly set up. But since the build/deploy agents is now on a VM in azure instead of on prem for TFS, is there anything i need to change?
Traffic should be OK, i can navigate to the https-adress to the cluster from the VM with agents.
I've tried google it, but to no success so hopefully someone can point me to the right direction where to look.
And in portal, 'MFA is required' is no, so multi factor should not be neccesary.
Just try using certificate based authentication instead of using AAD Authentication in the service endpoint configuration.
Reference the same issue here: https://github.com/Microsoft/vsts-tasks/issues/7714
If that still not work, just try to create a new endpoint, then try it again.
In Release Management on Visual Studio Team Services I receive the following error:
"Code": "Conflict",
"Message": "The slot cannot be changed because its configuration settings have been prepared for swap.",
"ExtendedCode": "04081",
"MessageTemplate": "The slot cannot be changed because its configuration settings have been prepared for swap.",
From my Release management template in the "Azure Deployment" step, I have the following configuration:
Azure connection type: Azure Resource Manager
Action: Create or update Resourcegroup
Deployment mode: incremental
We have an ARM template with only appsettings we want to have applied to the production slot. the previous step in this release is a "Swap"
More info: we first release to some test slots, then a QA slot, which swaps with PROD.
This first occurred with a scheduled release (at midnight)
The slots are like this:
QA:
some steps (like blob copy),
final step: deploy a complete ARM template which creates the resources
PROD:
step 1: SWAP, with Azure App Service Manager (Preview)
step 2: ARM template with only AppSettings
Even a new build (which triggers a new release) still causes this error, any hints/clues?
I was able to figure out the root cause of this issue. If the Azure App Service Manager (Swap step) fails for some reason, in that case, Swap action does not get completed and leaves the App Service in inconsistent state.
If you go to the Azure portal and see the Overview of your App Service, 'Complete Swap' option is enabled instead of 'Swap'. Hence we should first Cancel or Complete the incomplete Swap. After doing that the deployment just works fine without this error.
We seemed to have this resolved
with only running step 2 in PROD (not perform a swap)
using another admins credentials
after trying several days
Not sure yet which one was the culprit.
The Azure App Service Manager (Preview) was used as a swap step