I am trying to add the Azure credentials (Microsoft Azure Service Principal) on the Jenkins server under
Manage Jenkins -> Configure System -> Add cloud -> Microsoft Azure VM Agent -> Add Azure Credentials
I have created an SPN, provided Contributor access at the subscription level, and copied the subscription ID, application ID and application secret to create the credential, but when I click Verify Service Principal I get the error "invalid credentials".
I have an SSL cert in my Azure Key Vault that I am trying to import into the correct App Service.
I am the owner of the Azure subscription and I have given the App Service GET and LIST permissions for certificates on the vault.
On my App Service I click TLS/SSL settings > Private Key Certificates (.pfx) > Import Key Vault Certificate
This is the message I receive
Another owner on the subscription is able to complete this process successfully, so I am not sure why I am not able to when we both have the Owner role on the subscription.
Is anyone able to offer any suggestions please?
When you try the operation from the Azure Portal and you are an Owner of the subscription, Azure by default adds an access policy for the Azure App Service resource provider, and you do not need to add any further access policies for the Web App.
Example:
I created a Web App with a system-assigned managed identity and a Key Vault with the access policies shown below. I am an Owner of the subscription and a user in the Azure Active Directory.
When I perform the import certificate operation in the TLS/SSL settings, the access policy gets updated automatically with the Azure App Service service principal credential.
In your case it's not able to find the details of the resource provider service principal. As a solution you can try adding Microsoft.Azure.CertificateRegistration (i.e. ObjectId: ed47c2a1-bd23-4341-b39c-f4fd69138dd3), Microsoft Azure App Service (Internal) (i.e. ObjectId: 505e3754-d8a9-4f8b-97b6-c3e48ac7a543) and Microsoft Azure App Service (i.e. ObjectId: f8daea97-62e7-4026-becf-13c2ea98e8b4) to the access policy for the key vault.
Note: If the issue is still not resolved, please reach out to Azure Support for better assistance.
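As an added example that is not part of the answer above: a small Python check that reads the vault description and reports which of the three App Service principals named in the answer still lack the get/list certificate permissions on the vault. The vault JSON below is constructed, and its layout (properties.accessPolicies entries with objectId and permissions.certificates) is assumed to match what az keyvault show prints; the object IDs of the three principals are the ones quoted in the answer.

```python
"""Report which App Service resource-provider principals still lack certificate
get/list access on a Key Vault. Added example; not the answer author's code."""
import json

# Object IDs of the App Service resource-provider principals named in the answer
REQUIRED_PRINCIPALS = {
    "ed47c2a1-bd23-4341-b39c-f4fd69138dd3": "Microsoft.Azure.CertificateRegistration",
    "505e3754-d8a9-4f8b-97b6-c3e48ac7a543": "Microsoft Azure App Service (Internal)",
    "f8daea97-62e7-4026-becf-13c2ea98e8b4": "Microsoft Azure App Service",
}
# Certificate permissions the Import Key Vault Certificate flow needs
REQUIRED_CERT_PERMISSIONS = {"get", "list"}

# Constructed sample vault. The layout (properties.accessPolicies[] entries with
# objectId and permissions.certificates) is assumed to match `az keyvault show`.
SAMPLE_VAULT = json.dumps({
    "name": "kv-example",
    "properties": {
        "accessPolicies": [
            # CertificateRegistration already has what it needs
            {"objectId": "ed47c2a1-bd23-4341-b39c-f4fd69138dd3",
             "permissions": {"certificates": ["Get", "List"], "secrets": []}},
            # App Service can get but not list certificates
            {"objectId": "f8daea97-62e7-4026-becf-13c2ea98e8b4",
             "permissions": {"certificates": ["Get"], "secrets": ["get"]}},
            # the web app's own managed identity (made-up object id), not part of the check
            {"objectId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"certificates": ["all"], "secrets": ["get", "list"]}},
        ]
    },
})


def certificate_permissions(vault_json):
    """Map each policy's objectId to the set of certificate permissions it grants (lowercased)."""
    vault = json.loads(vault_json)
    granted = {}
    for policy in vault["properties"]["accessPolicies"]:
        perms = policy.get("permissions", {}).get("certificates") or []
        object_id = policy["objectId"].lower()
        granted[object_id] = granted.get(object_id, set()) | {p.lower() for p in perms}
    return granted


def missing_app_service_access(vault_json):
    """Return {principal display name: [missing certificate permissions]} for the
    required App Service principals; an empty dict means the vault is ready."""
    granted = certificate_permissions(vault_json)
    missing = {}
    for object_id, name in REQUIRED_PRINCIPALS.items():
        have = granted.get(object_id, set())
        if "all" in have:  # Key Vault's "all" permission already covers get and list
            continue
        lacking = sorted(REQUIRED_CERT_PERMISSIONS - have)
        if lacking:
            missing[name] = lacking
    return missing


if __name__ == "__main__":
    for name, perms in missing_app_service_access(SAMPLE_VAULT).items():
        print(f"{name}: add certificate permissions {', '.join(perms)}")
```

Run it against the real vault by replacing SAMPLE_VAULT with the output of az keyvault show; an empty result means the three resource-provider principals can read and list certificates, so the import should no longer fail on vault permissions.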
When I run the below on my local PC via PowerShell it completes successfully.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroupName -ServerName $serverName -DisplayName 'AAD_GAOUAT_SQLADMIN' -ObjectId 'd9c6b5a7-079e-44b4-8911-bd0451bfb59a'
Now when I run the same command (via Azure PowerShell) in DevOps, I get the below error
Any ideas why this fails from Azure DevOps?
When you run the command in the DevOps Azure PowerShell task, it lets you use a service connection to authenticate; I suppose you didn't use a correct service principal located in the correct tenant (i.e. the one of the subscription where the SQL server is located).
Please follow the steps below to fix the issue.
1. In DevOps, navigate to Project Settings -> Service connections -> New service connection -> Azure Resource Manager -> Service principal (manual).
If you don't have an AD App, you can also select Service principal (automatic) above, then fix the values with the correct information, e.g. subscription. If you select Service principal (manual), please make sure the service principal has an RBAC role in the subscription that allows setting the SQL server AAD admin, e.g. Owner or Contributor.
2. After creating the service connection, click it and select Manage Service Principal.
It will open a page for the related AD App -> API permissions -> Add a permission -> add the Directory.Read.All application permission of Azure Active Directory Graph as below (not Microsoft Graph). Finally, don't forget to click the Grant admin consent for xxx button.
This step is needed because Set-AzSqlServerActiveDirectoryAdministrator calls the AAD Graph to check the object you input, so you need to grant the permission.
3. Then in the Azure PowerShell task, select the service connection we created.
Run it, and it works fine.
I have an Azure CLI script which runs perfectly well in the Cloud Shell, but I run into trouble when I try to include it in a DevOps release pipeline. For debugging purposes I've reduced the script to simply signing in as a Service Principal and then retrieving the version...
az login --service-principal -u http://[Service Principal name] -p [Service Principal password] --tenant [Service Principal tenant GUID]
az --version
...but it still incurs the same error.
Here are the properties of my Azure CLI task:
Script Type: Shell
Script Location: Inline script
Inline Script: [as above]
Script Arguments:
Access service principal details in script: false
Use global Azure CLI configuration: false
Working Directory:
Fail on Standard Error: false
Enabled: true
Continue on error: false*
Environment Variables:
And the error is:
2020-06-15T12:46:39.8710944Z ##[error]Error Code: [1]
2020-06-15T12:46:39.8724737Z ##[error]Error: Azure login failed
2020-06-15T12:46:39.8728448Z ##[error]Script failed with error: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials
Trace ID: d0f42793-739e-4ce9-9118-5049086aa800
Correlation ID: 2ad50471-9c2a-4c02-a4d0-189efad2f0c8
Timestamp: 2020-06-15 12:46:39Z","error_codes":[7000222],"timestamp":"2020-06-15 12:46:39Z","trace_id":"d0f42793-739e-4ce9-9118-5049086aa800","correlation_id":"2ad50471-9c2a-4c02-a4d0-189efad2f0c8","error_uri":"https://login.microsoftonline.com/error?code=7000222"}
I was able to authenticate as this Service Principal using the Azure Cloud Shell so I'm puzzled as to why I apparently can't do the same from within the release pipeline.
* I have tried with Continue on error: true and although the task completes the same error appears in the output.
To use the service principal in Azure CLI, there is no need to log in manually.
For the correct way, please follow the steps below.
1. From the error message, the client secret (i.e. client key) of your service principal has expired. So you need to check it first: navigate to the Azure portal -> Azure Active Directory -> App registrations -> All applications -> find the AD App related to your service principal -> Certificates & secrets -> check if the secret is expired. If it is expired, just click New client secret to create a new one and save the value.
2. In DevOps, navigate to Project Settings -> Service connections -> New service connection -> Azure Resource Manager -> Service principal (manual).
Then fill in the options with your service principal; you can get the values from your AD App in the App registrations page. The Service Principal Id is the Application (client) ID, and the Service principal key is the client secret.
The Subscription Id and Subscription Name are those of the subscription you want Azure CLI to access; you can find them in the Azure portal.
After entering the values -> Verify -> Verify and save.
3. In your Azure CLI task -> Azure Resource Manager connection -> select the service connection from step 2. In my sample, I test getting a web app in my subscription with az webapp show --name xxxx --resource-group xxxx (Note: there is no need to use az login manually; it will log in with the service principal configured in the service connection automatically).
Then run it and check the result; it works fine.
I think this is very similar to the problem I faced earlier; it happens when there is a special character in the client secret.
One workaround is to go to the Azure portal and keep generating new secrets until you get one that does not have special characters in it.
https://github.com/ansible/ansible/issues/54914
When the release is triggered on Azure DevOps, it fails on the 'App Service Deployment' stage with this error: ExpiredServicePrincipal
The error may be caused by the secret of your service principal having expired; the service principal is the one used in your service connection in the DevOps org.
Navigate to Azure Active Directory in the Azure portal and make sure you select the correct AAD tenant the service principal belongs to. In App registrations -> search for the client id of the service principal (you can find it in the service connection) -> find the AD App related to the service principal -> Certificates & secrets -> New client secret, then copy it and update the Service Principal Key in your service connection -> verify connection.
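The two answers above (the AADSTS7000222 token failure and the ExpiredServicePrincipal deployment failure) both come down to a client secret that has passed its end date. As an added example, not code from either answer's author, the Python below does the two checks a practitioner would script: recognise the expired-secret error body in task output, and list which of a registration's secrets are expired or about to expire. The task output and the credential list are constructed samples; the credential fields (keyId, displayName, endDateTime) are assumed to follow the Microsoft Graph passwordCredential shape that az ad app credential list prints.

```python
"""Spot an expired-secret token failure in pipeline output and flag expired or
expiring service principal secrets. Added example; not code from the answers."""
import json
from datetime import datetime, timedelta, timezone

EXPIRED_SECRET_CODE = 7000222  # AADSTS7000222: the client secret keys are expired

# Constructed sample of the failing Azure CLI task output. As in the real log, the
# JSON body contains raw newlines inside error_description.
SAMPLE_TASK_OUTPUT = (
    "##[error]Script failed with error: Get Token request returned http error: 401 "
    'and server response: {"error":"invalid_client","error_description":'
    '"AADSTS7000222: The provided client secret keys are expired.\n'
    "Trace ID: 00000000-0000-0000-0000-000000000000\n"
    'Timestamp: 2020-06-15 12:46:39Z","error_codes":[7000222],'
    '"timestamp":"2020-06-15 12:46:39Z"}'
)

# Constructed credential list shaped like Microsoft Graph passwordCredential objects
# (assumed to be what `az ad app credential list` prints); ids and dates are made up.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "devops-service-connection",
     "keyId": "aaaaaaaa-0000-0000-0000-000000000001", "endDateTime": "2020-06-01T00:00:00Z"},
    {"displayName": "rotated-2020-06",
     "keyId": "aaaaaaaa-0000-0000-0000-000000000002", "endDateTime": "2020-07-01T00:00:00Z"},
    {"displayName": "long-lived",
     "keyId": "aaaaaaaa-0000-0000-0000-000000000003", "endDateTime": "2021-06-01T00:00:00Z"},
])

# Fixed "now" matching the timestamp in the sample log, so the results are reproducible
SAMPLE_NOW = datetime(2020, 6, 15, 12, 46, 39, tzinfo=timezone.utc)


def token_error_codes(task_output):
    """Return the error_codes list from the AAD token error embedded in task output, or []."""
    start = task_output.find("{")
    if start < 0:
        return []
    try:
        # strict=False accepts the raw control characters inside the JSON strings;
        # raw_decode ignores any trailing log text after the closing brace
        body, _ = json.JSONDecoder(strict=False).raw_decode(task_output[start:])
    except ValueError:
        return []
    if not isinstance(body, dict):
        return []
    return list(body.get("error_codes", []))


def is_expired_secret_error(task_output):
    """True when the failure is specifically an expired client secret."""
    return EXPIRED_SECRET_CODE in token_error_codes(task_output)


def _parse_graph_time(value):
    # Graph emits RFC 3339 with a trailing Z, which fromisoformat accepts only on 3.11+
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_credentials(credentials_json, now=None, warn_days=30):
    """Map keyId -> 'expired' | 'expiring' | 'ok', judged against `now` (tz-aware UTC)."""
    now = now or datetime.now(timezone.utc)
    states = {}
    for cred in json.loads(credentials_json):
        end = _parse_graph_time(cred["endDateTime"])
        if end <= now:
            states[cred["keyId"]] = "expired"
        elif end - now <= timedelta(days=warn_days):
            states[cred["keyId"]] = "expiring"
        else:
            states[cred["keyId"]] = "ok"
    return states


if __name__ == "__main__":
    print("expired-secret failure in task output:", is_expired_secret_error(SAMPLE_TASK_OUTPUT))
    for key_id, state in classify_credentials(SAMPLE_CREDENTIALS, SAMPLE_NOW).items():
        print(key_id, state)
```

Feeding classify_credentials the real az ad app credential list output from a scheduled job turns the pipeline failure described in these answers into an "expiring" warning raised before the secret stops working, which is when the rotation in the service connection should happen.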
I am trying to set up an Azure Service Manager connection from VSTS for a CI/CD pipeline but it is failing. I have already made the below changes in Azure.
Created Application through Azure Active Directory
Created Secret Key (for Azure service principal key)
Provided full access to user (Azure account) for the created application
Collected all details - client id, tenant id and subscription id
Provided all these details in VSTS to set up the connection
When I click verify connection, it gives the below error -
Failed to query service endpoint api:
https://management.azure.com//subscriptions/?api-version=2016-06-01.
Error Message: The remote server returned an error: (403) Forbidden..
Below is a screenshot of VSTS -
Please let me know if I missed anything or guide me through all the required steps to complete this VSTS to Azure connection.
You need to grant the service principal Azure subscription access permission.
Log in to the Azure portal -> All services -> Subscriptions -> click your subscription -> Access control (IAM) -> Add role assignment -> assign a role to your service principal
Reference:
Manage access to Azure resources using RBAC and the Azure portal