I'm sitting in a project where I will move from TFS to VSTS so we do have a working release definition.
But when I try deploying a service fabric cluster i get the following error:
2018-08-28T09:02:59.8922249Z ##[error]An error occurred attempting to acquire an Azure Active Directory token. Ensure that your service endpoint is configured properly with valid credentials. Error message: Exception calling "AcquireToken" with "3" argument(s): "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '< service principle Id >'.
Trace ID: < guid1 is here >
Correlation ID: < guid2 is here >
Then I go to the azure portal -> AAD -> Sign In -> look up my specific sign in (based on correlation Id) and there it state that Sign-in status is Success
Considering this works for our TFS instance i assume the service principle is correctly set up. But since the build/deploy agents is now on a VM in azure instead of on prem for TFS, is there anything i need to change?
Traffic should be OK, i can navigate to the https-adress to the cluster from the VM with agents.
I've tried google it, but to no success so hopefully someone can point me to the right direction where to look.
And in portal, 'MFA is required' is no, so multi factor should not be neccesary.
Just try using certificate based authentication instead of using AAD Authentication in the service endpoint configuration.
Reference the same issue here: https://github.com/Microsoft/vsts-tasks/issues/7714
If that still not work, just try to create a new endpoint, then try it again.
Related
I have an Azure Windows 10 VM (Standard D2as v4 (2 vcpus, 8 GiB memory)). I have tried using the automated tasks section to start this VM up and shut it down automatically. However, the auto start task repeatedly fails. I do not understand why. Here is the error that I have found:
Unauthorized!
{
"error": {
"code": "InvalidAuthenticationTokenTenant",
"message": "The access token is from the wrong issuer 'https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxx/'. It must match the tenant 'https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxx/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
}
I do not understand what is going on at all am afraid. If someone could please explain and help resolve!
Thanks!
I have tried in my environment and got below results:
Initially I have created Virtual machine in my environment and added two tasks like Azure start VM and Azure stop VM
Task1 - start VM
Home -> Virtual machine -> Automation -> task
I have Authenticated connection both Azure VM (azurevm) and Office 365 Outlook (office365)
Configuration:
After created task1 it will appears on the Tasks list.
After the selected task runs, you get an email that looks like this example:
In the tasks list-> task1->In that task's Runs column, select View.
Task2 - Stop VM
Similar process which I took to reproduce:
Mail:
View:
{ "error": { "code": "InvalidAuthenticationTokenTenant", "message": "The access token is from the wrong issuer
'https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxx/'. It must match the tenant 'https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxx/' associated with this subscription. Please use the authority (URL)'https://login.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."} }
The above error occurs due to not have enough permission.
You must have certain permissions to enable VMs for the Start&Stop VMs.
Kindly check and make sure you have role of Contributor to your logic app.
In permission they has some of the pre-existing Automation account and new Automation account for log analytics workspace kindly check the below reference link.
Logic app:
logic app -> task1->Run history
Reference:
https://learn.microsoft.com/en-us/azure/automation/automation-solution-vm-management
Azure Logic App: Azure VM Connector - InvalidAuthenticationTokenTenant - Microsoft Q&A
I'm deploying an ARM template within an Azure Devops release pipeline. Amongst others, the ARM template looks up the connection string of an existing AppConfiguration instance and outputs it for use in a next step where I set the configuration of a resource.
This has worked fine for the first couple of releases. Since this week however I'm getting the following error:
AuthorizationFailed: The client 'adb4-etc' with object id 'adb4-etc' does not have authorization to perform action 'Microsoft.AppConfiguration/configurationStores/listKeys/action' over scope '/subscriptions/{guid}/resourcegroups/{rgname}/providers/Microsoft.AppConfiguration/configurationStores/{appConfigname}' or the scope is invalid. If access was recently granted, please refresh your credentials.
Just to be sure the problem isn't with the ARM template, I deployed it in the Azure portal using 'Deploy a custom template' and it worked fine, outputting the connection string to the AppConfiguration. However there it used my personal user account for authentication, of course.
The pipeline uses a service connection that is connected to a principal that does not have the client ID starting with adb4, and there is no principal (user, app registration, enterprise application) in our Azure AD that even starts with adb4. So in that sense the error is correct, but why is Azure Devops authenticating with this unknown principal?
The service connection principal has the Contributor role on the applicable AppConfiguration instance. This access was granted weeks ago.
I can't seem to authorize access to my Azure subscription in Azure DevOps to run a build whenever a commit is pushed to master. I keep getting the below error:
Also, when I click Authorize resources, it says the authorization was successful, but the next time I run the pipeline, I get the same exact error. I verified in Project settings -> Service connections that I have an active connection to the subscription.
How can I get around this issue? When I go to Deployment Center in Azure Functions and wire up the connection there, it creates a task-based pipeline, but I want to use yaml.
The above indicates the azureSubscription you specified in your azure function deployment task doesnot exist, or you didnot have the permission.
If the service connection is already correctly setup, but you still encounter above error. You can follow below to troubleshoot the issue.
1, Check your yaml pipeline.
The azure subscription is validated at compile time. If you use variables to reference the azure subscription yaml pipeline. You need to make sure the variable can be retrieved at compile time.
You can check out this thread.
2, Check the service connection security setting.
Go to project settings-->Service Connections under Pipelines--> Select your azure service connection --> More settings(3 dots)-->Security-->Try adding your pipeline to the Pipeline permissions list.
If the azure subscription service connection is not set up. You need to create an service connection of azure Resource Manager type to connect to your azure subscription. See below steps:
1, Go to project settings-->Service Connections under Pipelines--> New Service connection-->Select Azure Resource Manager--> Next
2, Then select the Authentication method. If your azure devops is connected to AAD. You can select Service principal (automatic) as Authentication method. This will automatically create a service principal in your Azure AD.
3, If you want to create new service principal. You can select Service principal (manual). See below document to create service principal in Azure
Use the portal to create an Azure Active Directory application and a service principal that can access resources
Use Azure PowerShell to create an Azure service principal with a certificate
Then enter the related information in the service connection configuration page.
After the your azure subscription service connection is created. You can use it in your yaml pipeline task by specify the service connection name. See below example:
- task: AzureFunctionApp#1
displayName: Azure Function App Deploy
inputs:
azureSubscription: myAzureSubscription
Note: You need to add the correct role assignment for above service principal to enable the service principal to deploy to your azure resources.
You must create a new connection from the task itself (you may need to use the advanced options to add an existing service principal).
under "Azure subscription" click the name of the subscription you wish to use
Click the drop down next to "Authorize" and open advanced options
Click " use the full version of the service connection dialog."
Enter all your credentials and hit save
I spent a while trying to figure out why I got the same problem. Compared my yaml to another yaml I had worked on previously and couldn't spot any problems, also verified the service connections.
But as #Levi Lu-MSFT mentions, verifying the yaml lead me to finding what caused my issue so I thought I'd share it here even though it's not 100% related:
My variables weren't indented correctly. I was a bit tired and thought DevOps was just goofing with me. So verify that your yaml is properly setup. Sometimes it can be really small things that causes these issues.
I am trying to deploy an Azure Web App through a Jenkins scripted pipeline using the Azure App Service Plugin. This is my deploy-command (GUIDs have been changed):
azureWebAppPublish azureCredentialsId: 'a0774bb6-e471-47s9-92dc-5aa7b4t683e8', resourceGroup: 'my-demo-app', appName: 'MY-DEMO-APP', filePath: 'public/*, package.json'
When running the script I get the following error:
The client '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' with object id '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/81fd39sw-3d28-454c-bc78-abag45r5d4d4/resourceGroups/my-demo-app/providers/Microsoft.Web/sites/MY-DEMO-APP' or the scope is invalid. If access was recently granted, please refresh your credentials.
The strange thing is, the ID of this "client" that's missing authorization does not appear anywhere in the build plan. It's neither the ID or a part of the service principal nor the ID of the Container Registry credentials. It also doesn't appear on the machine that executes the build (I checked both the GUID of the mother board and the windows installation). Also the term client is not used for any part of the build plan, so I don't really know what's the actual issue in this case.
Please check out this tutorial that explains how to Set up continuous integration and deployment to Azure App Service with Jenkins and One of the best method to deploy to Azure Web App (Windows) from Jenkins : https://learn.microsoft.com/en-us/azure/jenkins/java-deploy-webapp-tutorial
To find the Azure AD user with the object id '03a1b3f9-a6fb-48bd-b016-4e37ec712f14', go to Azure portal, open Cloud Shell and run
Get-AzureADUser -ObjectId '03a1b3f9-a6fb-48bd-b016-4e37ec712f14'
To diagnose or troubleshoot the issue, go to Azure Portal -> Resource Groups -> my-demo-app -> MY-DEMO-APP -> Access control (IAM) -> Role assignments -> and then search for above found AD User and check if that user has atleast read permission.
Hope this helps!
Currently, trying to configure a release pipeline in Azure Devops. I've successfully created a CI pipeline that is working and running tests successfully. My release pipeline uses the artifacts from latest the CI build and should be deploying to azure. When I look at the logs I can see the the following were completed successfully:
Initialize Agent
Initialize job
Download arifact
and then the "Deploy to Azure App Service" fails with the logs showing the following details:
2019-02-07T19:06:57.5433805Z Got service connection details for Azure App Service:'MyApp'
2019-02-07T19:06:57.5487495Z ##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'MyAPP'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
2019-02-07T19:06:57.5496340Z Failed to add release annotation. TypeError: Cannot read property 'getApplicationSettings' of undefined
I haven't been able to find much to help with this so far. I created the release pipeline by selecting Azure App Service deployment from the templates for stage 1 of the pipline (I only have one stage) and I added an artifact who's source is from my build pipeline. I then selected the Tasks tab and selected my Pay-as-you-go subscription under "Available Azure Service Connections". After selecting my subscription, my app service name became available in the "App service name" dropdown and I selected it. I then hit save and tried to create a release but every release fails with the above error message.
What can I do to overcome this?
Finally found a solution to my issue. The problem was in the way I set up my service connection. I went to:
project settings -> service connections -> new service connection -> selected azure resource manager -> selected service principal authentication INSTEAD OF managed identity authentication -> a popup came up that allowed me to log in and authorize.
Then I used that service connection when creating the release pipeline instead of the pre-existing Pay-As-You-Go subscription that I used last time.
Previously when I tried this, I had an adblocker running and it blocked the popup which allowed me to authorize when I selected service principal authentication. That resulted in an "Unable to authorize account" error message which is why I went with managed identity authentication in the first place.
In my case, it was related to a chrome extension I have added 'enable CORS' plugin. After disabling, release pipeline worked nicely