azure devops work item condition based workflow movement - azure-devops

Can we create a condition where, if a bug is accepted, it moves to the next stage, and if rejected, it moves to the previous stage or another state, in the Azure DevOps process settings?
Not working in Azure DevOps.

Related

which user do Azure devops pipelines run as?

We have Azure DevOps pipelines to build and deploy various projects.
Recently, we wanted to use the "Azure blob file copy" pipeline to copy some files to a blob storage.
This needs write access to the storage account over in Azure.
Our administrator says that the pipeline runs as whoever manually runs the pipeline. If this is true, we would have to give all devs and users read/write access to the blob storage, which would be crazy.
I assume he is wrong, and that pipelines run as a specific designated user no matter how they were kicked off. The question is, how to find out what this user is for a given pipeline?
The "edit pipeline" page has a security tab near the top, and this lists a bunch of "Azure DevOps groups", which are presumably groups who have the ability to run the pipelines.
But where is the pipeline user defined?
It depends on the context in which you are discussing the question.
If you mean inside a pure DevOps service, then I can tell you that the user that the pipeline runs as is not the one who triggers the pipeline (which is the case with native DevOps services by default, unless you install some weird extension or the pipeline has a special design), but this identity:
<Project Name> Build Service Account
'Run as someone' is just a property of the pipeline run. The pipeline runs as the 'Build Service Account' (on the DevOps side). If you need a pipeline to download or upload an artifact, you can clearly feel this: if the account mentioned above has no permission, you can't do anything.
If you mean the user's operations on the Azure side, then I can tell you that for the native DevOps service, the 'user' that the pipeline performs operations as on the Azure side is not the person who triggers the pipeline. A DevOps pipeline consists of multiple tasks, and tasks generally interact with other services through a service connection (you can find this in Project settings).
There are many types of service connections. When interacting with services in Azure, this type is generally used:
Azure Resource Manager -> Service principal
When you create a service connection of this type on the DevOps side, Azure will also create an AAD app related to this service connection, and this AAD app corresponds to a service principal in Azure. In Azure, permissions are assigned based on service principals or users, and your DevOps pipeline's operations on Azure are based on this service principal and have nothing to do with anything else in DevOps. On the Azure side, this service principal can be considered as an Azure-side 'avatar' of the tasks of the DevOps pipeline.
If you are interacting with Azure through pure code/pure script, then please follow the logic of the script/code.
Our administrator says that the pipeline runs as whoever manually runs
the pipeline. If this is true, we would have to give all devs and
users read/write access to the blog storage, which would be crazy.
For native DevOps service, of course not. Unless this pipeline has a special design.
I believe the pipeline runs as the "agent". Who the "agent user" is will depend on, first, whether you've chosen a "Microsoft-hosted" or "self-hosted" agent to run your pipeline.
When running pipelines in Azure DevOps that are directly working with Azure Resources you need an Azure Resource Manager service connection. The credentials used to make the service connection are the credentials the pipeline will use when it runs.
You can have your administrator provide you with an Azure AD account that has the permissions you need and then use that Azure AD account to create the service connection for the pipeline. Once you have created the service connection you can use the ResourceID of that connection in place of your azureSubscription.
Here is the link to the Microsoft documentation on creating a service connection.
Here is the link to the Microsoft documentation on the Azure file copy task. To verify you can use the service connection in place of the azureSubscription.

How can I securely deploy forks to PR authors own Azure Subscription?

I want to perform deployments of PRs originating from a GitHub.com fork to the fork/PR author's own Azure subscription.
I could do this by making the azureSubscription input on a deploy task dynamic in the pipeline, using the author's name from System.PullRequest.SourceBranch and configuring a Service Connection with the same name for their subscription.
However, a nefarious PR author could simply change the pipeline code in the PR to target whatever azureSubscription they choose, allowing them to deploy arbitrary/unreviewed code to whatever Azure subscription I have configured in my Azure DevOps account, using resources where they shouldn't.
How can I dynamically target fork PR deployments to the author's Azure subscription I have configured, without allowing them to target a different subscription as part of the PR by changing the pipeline code?

Audit logs if someone execute/ rerun failed job in Azure DevOps Pipeline

How do I know who executed or re-ran the failed jobs in an Azure DevOps pipeline that was initially triggered by user x?
If you want to get Azure Pipeline build results, you can use the following REST API:
GET https://dev.azure.com/{organization}/{project}/_apis/build/builds?definitions={definitions}&queues={queues}&buildNumber={buildNumber}&minTime={minTime}&maxTime={maxTime}&requestedFor={requestedFor}&reasonFilter={reasonFilter}&statusFilter={statusFilter}&resultFilter={resultFilter}&tagFilters={tagFilters}&properties={properties}&$top={$top}&continuationToken={continuationToken}&maxBuildsPerDefinition={maxBuildsPerDefinition}&deletedFilter={deletedFilter}&queryOrder={queryOrder}&branchName={branchName}&buildIds={buildIds}&repositoryId={repositoryId}&repositoryType={repositoryType}&api-version=6.0
For more details, please refer to https://learn.microsoft.com/en-us/rest/api/azure/devops/build/builds/list?view=azure-devops-rest-6.0
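Added example (not part of the answer above): a Python helper that assembles the Builds - List URL from the answer with only the filters you need (e.g. requestedFor, resultFilter) and parses the response to report who queued each run. The PAT, organization and project are placeholders you supply; the sample JSON below is constructed here, shaped like the API's Build objects, so the parsing runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

API_VERSION = "6.0"  # matches the api-version in the answer's URL

def builds_list_url(organization, project, **filters):
    """Builds - List URL with only the filters you pass (requestedFor,
    resultFilter, minTime, definitions, ...); None values are dropped."""
    base = f"https://dev.azure.com/{organization}/{project}/_apis/build/builds"
    params = {k: v for k, v in filters.items() if v is not None}
    params["api-version"] = API_VERSION
    return base + "?" + urllib.parse.urlencode(params)

def fetch_builds(url, pat):
    """GET the URL with PAT basic auth (the PAT is a placeholder you
    supply) and return the 'value' list of Build objects."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def who_queued(builds):
    """One row per build: requestedBy is the identity that queued the run,
    requestedFor is the identity the run is attributed to (e.g. the pusher
    for a CI-triggered run); reason says how it was started."""
    return [{
        "buildNumber": b.get("buildNumber"),
        "reason": b.get("reason"),
        "requestedBy": b.get("requestedBy", {}).get("uniqueName"),
        "requestedFor": b.get("requestedFor", {}).get("uniqueName"),
        "result": b.get("result"),
    } for b in builds]

def queued_by_other(rows):
    """Runs queued manually by someone other than the person they are
    attributed to: the case in the question (x triggered it, y re-ran it)."""
    return [r for r in rows
            if r["reason"] == "manual" and r["requestedBy"] != r["requestedFor"]]

# Constructed sample response (not real data), shaped like the API's output.
SAMPLE = json.loads("""{"count": 2, "value": [
 {"id": 101, "buildNumber": "20240101.1", "reason": "individualCI", "result": "failed",
  "requestedBy": {"uniqueName": "x@example.com"}, "requestedFor": {"uniqueName": "x@example.com"}},
 {"id": 102, "buildNumber": "20240101.2", "reason": "manual", "result": "succeeded",
  "requestedBy": {"uniqueName": "y@example.com"}, "requestedFor": {"uniqueName": "x@example.com"}}]}""")
```

Run `queued_by_other(who_queued(SAMPLE["value"]))` offline, or swap in `fetch_builds(builds_list_url("org", "proj", requestedFor="x@example.com"), pat)` against a real organization.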

Sonarcloud gate in Azure Devops pull request stuck in waiting status

We have a Sonarcloud quality gate in the pull request policy in Azure DevOps. Mostly it works, but sometimes it gets stuck. We added an update to the PR, but it is still at status Waiting in Azure DevOps. When I check Sonarcloud for this branch it says Passed.
How can I restart the gate, or can I debug Sonarcloud if it has, for example, taken longer than what Azure DevOps is waiting for?
The reason for this was that the Personal Access Token used had expired, or at least creating a new one fixed this.
So go to https://sonarcloud.io/project/settings?category=pull_request&id=*projectkey* and change the Personal access token and queue the build.

Include pipeline variables in release notifications

I am using Azure DevOps (formerly VSTS) releases to deploy a project.
In my release pipeline I have a PowerShell task that may not succeed in ways that do not indicate a deployment failure. I would like to alert users when these conditions arise.
I have suppressed the errors in the PowerShell script and am using them to control flow to subsequent pipeline tasks.
Is there a way to include pipeline variables in the notifications Azure DevOps sends when a deployment is complete?
No, the notification template is not customizable; this feature was requested: Customise VSTS email templates
But you may log your pipeline variables with a PowerShell script: Write-Host "My var: $(my_variable)"
User-defined variables