I'm using Azure DevOps services to create service connection but getting errors.
I am trying to follow the steps outlined here
These are the steps I followed:
Add a new AAD app registration with secret.
In DevOps, from project settings create a new service connection.
Connection type: ARM
Authentication method: Serviceprincipal (manual)
Env: Azure Cloud
Scope: Subscription
Subscription Id: xxx
Subscription name: xxx
service principal id: xxx
service principal key: xxx
Tenant Id: xxx
When I click Verify, I get this error:
Failed to query service connection API:
'https://management.azure.com/subscriptions/xxx?api-version=2016-06-01'.
Status Code: 'Forbidden', Response from server:
'{"error":{"code":"AuthorizationFailed","message":"The client 'abc'
with object id 'abc' does not have authorization to perform action
'Microsoft.Resources/subscriptions/read' over scope
'/subscriptions/xxx' or the scope is invalid. If access was recently
granted, please refresh your credentials."}}'
So,
Does this mean, my app registration need to have read permission on this xxx subscription?
Can't I scope it to resource group level? If yes, how can I do that as I don't see that option in portal?
Thanks!
I tried to reproduce the same in my environment and got the same error as below:
Does this mean, my app registration needs to have read permission on this xxx subscription? Can't I scope it to resource group level?
Yes, your app registration needs to have read permission on that subscription level. You cannot scope it to resource group level as the query https://management.azure.com/subscriptions/xxx?api-version=2016-06-01 is related to subscriptions.
Read permission will be included in roles like reader, contributor and owner. For least privilege, I assigned reader role to the app like below:
Go to Azure Portal -> Subscriptions -> Your Subscription -> Access Control(IAM) -> Add role assignment -> Select Role
After assigning that role, verification is successful like below:
When you create ARM service principle (Manual) type Service Connection, you need to manually add role assignment for this service principle inside your Azure Subscription in Azure Portal.
In common, you will need to give this service principle “Contribute” role to perform the action.
Find the Overview Page of this app registration in AAD.
In your Azure Subscription page, click IAM -> Add -> Add role assignment
Select the name of this app and assign it a "Contribute" role of this Azure Subscription.
Related
My requirement is to use Azure Devops services to create services connection, so I created an azure AD application in azure portal
In azure Devops project setting I created a new service connection but when I click on verify it throws me the error:
Failed to query service connection API "https://managemant.azure.com/sub/xxx?api-version=2016-06-01.status code:'status code:{"error",:{code""Authorization failed message" 'the client" with object id "does not have authorization to perform action 'microsoft.resource/sub/read,over scope'/sub/*** or scope is invalid.if access was recently granted.please refresh your credentials}}
The document I am referring to is https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#use-spn
Would appreciate any assistance on this
TIA
I tried to reproduce the same in my environment and got the same error as below:
To resolve the error, assign reader role/permission to the Azure AD Application on the subscription level like below:
Go to Azure Portal -> Subscriptions -> Select your Subscription -> Access control (IAM) -> Add role assignment
Verification is successful after assigning the role like below:
You can also assign contributor role based on your requirement.
According to the error message, you can try go to portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment use the object id. And then try to create a new service connection to check if it works.
The Service Principal or Managed Identity currently you are using from Azure Devops does not have permission to create another service principal. You have to assign specific permissions for create a service principal on your Azure AD tenant. You may try providing "Application Developer" role to the ID which you are using to authenticate from Az Devops.
Please refer this MS link for reference:
Permsissions
When I try to deploy my Bicep template through a DevOps release pipeline I get the following error:
Deployment failed with multiple errors: 'Authorization failed for
template resource '1525ed81-ad25-486e-99a3-124abd455499' of type
'Microsoft.Authorization/roleDefinitions'. The client
'378da07a-d663-4d11-93d0-9c383eadcf45' with object id
'378da07a-d663-4d11-93d0-9c383eadcf45' does not have permission to
perform action 'Microsoft.Authorization/roleDefinitions/write' at
scope
'/subscriptions/8449f684-37c6-482b-8b1a-576b999c77ef/resourceGroups/rgabpddt/providers/Microsoft.Authorization/roleDefinitions/1525ed81-ad25-486e-99a3-124abd455499'.:Authorization
failed for template resource '31c1daec-7d4a-4255-8528-169fc45fc14d' of
type 'Microsoft.Authorization/roleAssignments'.
I understand through this post that I have to grant "something" the Owner or User Access Administrator role.
But I don't understand what user has the ObjectId 378da07a-d663-4d11-93d0-9c383eadcf45.
I tried to look it up with the following az CLI command, but it says that it cannot find a resource with that Id:
az ad user show --id 378da07a-d663-4d11-93d0-9c383eadcf45
The response it returns:
Resource '378da07a-d663-4d11-93d0-9c383eadcf45' does not exist or one of its queried reference-property objects are not present.
I'm a but clueless here. What do I exactly have to grant permission?
When you use service connection in DevOps pipeline, for example Azure Resource Manager service connection, it will create a service principal(app registry) on Azure portal-> Active Directory. You can find the service principal by clicking the link on service connection:
When you deploy with service connection, please make sure you have give correct permission for this service principal on target resource, like mentioned Microsoft.Authorization/roleDefinitions/write. Suggest to give contributor role on the resource. Otherwise it will reports the error in your pipeline log.
When you add the role, you will find the object id, it's different with service principal application ID or object id.
It's azure role not Azure AD role. You can find the difference in the doc.
Active Directory Graph API is now fully deprecated, in favor of MS Graph API.
My company has given me my own Visual Studio Professional subscription. I also have a DevOps organization. I am the Owner role in both.
with AADG API, I could use Terraform, for example, to create Service Principals and manage roles. Service Connections in DevOps were scoped to my subscription.
Example:
## These are in my resource group
...
resource "azuread_service_principal" "example" {
application_id = azuread_application.example.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
...
resource "azurerm_role_assignment" "kubweb_to_acr" {
scope = azurerm_container_registry.acr.id
role_definition_name = "AcrPull"
principal_id = azurerm_kubernetes_cluster.kubweb.kubelet_identity[0].object_id
}
This used to work great. Now it does not. Now I get errors like:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '3520c717-e1cc-4d0b-b021-2f93a1b05d80' with object id '3520c717-e1cc-4d0b-b021-2f93a1b05d80' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write
and
ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
Even though I own my subscription, there is a parent organization above me. My SPs get scoped to their AD where I can't manage them. I can't use "Grant Admin Consent" through MS Graph API. Also, in DevOps, when I create an ARM Service Connection, for example, I scope it to my Subscription. It never scopes to my subscription, but the parent's, and I can't change its permissions.
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
What role do they need to give me so I don't have to involve them?
I'm already the owner of my subscription. How do I create these types of resources in a way that I have full control over managing them again?
Side-note, it's interesting. I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources. The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
Both errors you show are due to the service principal that Terraform is running as has not been authorized to perform the action in question. (From the Azure role assignment error, we can know this is the service principal with object ID "3520c717-e1cc-4d0b-b021-2f93a1b05d80".)
To assign an Azure role to a user, group, or service principal (your first error), the service principal used by Terraform needs to be have been granted a role that includes the "Microsoft.Authorization/roleAssignments/write" operation, scoped to (at least) scope you're trying to grant the role at (e.g. the specific Azure resource, the resource group it's in, or the subscription it's in). Typically, if you need to create Azure role assignments, this is the "Owner" role. More details from Terraform in Allowing the Service Principal to manage the Subscription. If you're "Owner" of the Azure subscription, then you will be able to do this yourself.
To create Azure AD application and service principals (your second error): The service principal used by Terraform needs to be granted permission to do this in the Azure AD tenant in question. For example, the app roles (application permissions) Application.Read.All and Application.ReadWrite.OwnedBy would suffice in many cases. These are actions that take place in the Azure AD tenant, so an Azure AD administrator will need to grant this access—you cannot do this on your own if you're not an admin of the Azure AD tenant. More details from Terraform in Configuring a User or Service Principal for managing Azure Active Directory.
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
You could have an entirely separate Azure AD tenant (where you'd be administrator), and point the Azure subscription to trust that tenant. This may or may not be compatible with your organization's policies and practices.
I'm already the owner of my subscription. How do I create these types of resources in a way that I have full control over managing them again?
Azure AD applications and service principals are not a part of your Azure subscription, they're in the "parent" Azure AD tenant. You (the user) probably do have permission over these objects (e.g. you're owner of them in Azure AD), but Terraform isn't running as you—it's running as a separate service principal.
Side-note, it's interesting. I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources. The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
You're probably connecting to Azure CLI as yourself (i.e. your user account), instead of the service principal Terraform is using. If you connect to Azure CLI using the same service principal (e.g. az login --service-principal ...), you'd likely experience the same errors, because that service principal hasn't been granted privileges over the Azure AD tenant and the Azure subscription yet.
I hope someone can help me.
I am creating a pipeline in Azure Devops taking an existing reference yaml where I basically have a step where I need to deploy to an Azure resource function, within an Azure subscription, from which I have permissions to read, create and delete resources.
The deploy step is:
Settings
- task: AzureFunctionApp#1
inputs:
azureSubscription: 'private-suscription-dont-show-name'
appType: 'functionApp'
appName: 'chatbot-service-functions2'
package: '$(System.DefaultWorkingDirectory)/**/*.zip'
deploymentMethod: 'auto'
Basically I click on the setting option and it opens a menu for me.
I choose in the option "Azure subscription" the subscription where I have the resource that I want to deploy, the name of the subscription appears and I choose it without any problem.
At the same time that I choose the name of the subscription I get an option "Authorize" in which I click, and immediately I get an error:
Service connection with name 'private-suscription-dont-show-name' already exists. Only a user having Administrator/User role permissions on service connection 'private-suscription-dont-show-name' can see it.
My question is why can't I deploy, using autocomplete, to a resource within a subscription in which I have permission to read, create and delete resources? Do I have any other option to deploy without autocomplete?
This is related to the Security for service connections on DevOps.
The users who have Administrator or User role on a service connection can use this service connection. The Reader role can see the service connection but not use it.
If you (or the group/team you are in) are not added as a member on the User permissions of a service connection, generally you have no access to see and use this service connection in the project.
To gain the permissions on a service connection, you need to contact the Project Administrators or the Administrators on this service connection to grant you the Administrator or User role on this service connection.
We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving is the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended trouble-shooting, making sure that the user is in a Global Administrator role and what-not, but still not luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principle will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings: