Was working on az ml cli v2 to deploy real-time endpoint with command az ml online-deployment through Azure pipeline. had double confirmed that the service connection used in this pipeline task had added the permissions below in Azure Portal but still showing the same error.
ERROR: Error with code: You don't have permission to alter this storage account. Ensure that you have been assigned both Storage Blob Data Reader and Storage Blob Data Contributor roles.
Using the same service connection, we are able to perform the creation of online endpoint with az ml online-endpoint create in the same and other workspaces.
Issue was resolved. I did not change anything in the service principal and running it on second day using same yml got through the issue. I guess there might be some propagation issue, but longer than usual.
Related
I'm trying to deploy an Azure Function from an Azure DevOps repo via an DevOps pipeline and release.
When it gets to the deploy stage I get an error message stating that the credentials can not be null, but knowhere in the canned release components is there a place for any credentials and none of my other pipelines ever have this problem.
I see some old references here but no clear answers.
Anyone have suggestions or fixes?
Credentials cannot be null
I can reproduce this issue in my pipeline.
The cause of the issue is that you are using the Publish Profile type Azure Resource Manager Service Connection. And Azure Function App deploy task will not able to read the credentials of the Publish Profile type service connection.
Here are two methods to solve the issue:
1.You can change to use the Azure Web App task to deploy the Function APP.
For example:
Note: Azure Web APP task can be used to deploy to Web APP and Function App.
2.You can change the Service Connection type to Service Principal.
For example:
I would like to copy files with Azure File Copy with Azure Pipeline.
I'm following instruction of https://praveenkumarsreeram.com/2021/04/14/azure-devops-copy-files-from-git-repository-to-azure-storage-account/
I'm using automatically created Service Connection named "My Sandbox (a1111e1-d30e-4e02-b047-ef6a5e901111)"
I'm getting error with AzureBlob File Copy:
INFO: Authentication failed, it is either not correct, or
expired, or does not have the correct permission ->
github.com/Azure/azure-storage-blob-go/azblob.newStorageError,
/home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-
go#v0.10.1-0.20201022074806-
8d8fc11be726/azblob/zc_storage_error.go:42
RESPONSE Status: 403 This request is not authorized to perform
this operation using this permission.
I'm assuming that Azure Pipeline have no access to Azure Storage.
I wonder how do find service principal which should get access to Azure Storage.
I can also reproduce your issue on my side, as different Azure file copy task versions use different versions of AzCopy in behind, then they use different auth ways to call the API to do the operations.
There are two ways to fix the issue.
If you use the automatically created service connection, it should have Contributor role in your storage account, you could use Azure file copy task version 3.* instead of 4.*, then it will work.
If you want to use Azure file copy task version 4.*, navigate to your storage account -> Access Control (IAM) -> add your service principal used in the service connection as a Storage Blob Data Contributor role, see detailed steps here. It will also work.
I want to use the Azure DevOps Extension 'Power BI Actions' for uploading a report from my Azure Repo to a Power BI Workspace. I have installed the Power BI Actions extensions on my DevOps organization.
I have also created a Service Principal on my Azure Tenant and generated a client secret for the same. The Service Principal has the permissions Tenant.ReadAll and Tenant.ReadWriteAll added but they havent been given Admin grant yet.
The Service Principal has been added as an admin to the necessary Power BI Workspace as well.
I have then created a service connection using the above Service Principal for authentication purposes as username/password method on Power BI Actions Extension does not support MFA.
My end goal is to build a CI/CD Pipeline. Currently the build pipeline works as I am able to push a .pbix file to a drop container as an artifact.
The Release pipeline which only has this one task currently fails giving me an 'Unauthorized' error message and says that the workspace does not exist. I have checked multiple times. Workspace name is correct.
Could this issue be because of the API Permissions not granted? If so am I using the right permissions? Or are there any others that are required.
The link to the extension is attached here.
Thanks
I think it is not related to azure devops and only with azure, power BI.
Just my guess, please make sure that you have added the service principal to your workspace.
Also,
Service principal only supports some read-only admin APIs. To enable
service principal support for read-only admin APIs, you have to enable
the Power BI service admin settings in your tenant. For more
information, see Enable service principal authentication for read-only
admin APIs.
So you should enable the Power BI service admin settings.
Besides, you should note these tips and make sure that you did not break
So I am trying to build a Machine Learning pipeline on Azure DevOps. I followed this tutorial: https://www.azuredevopslabs.com/labs/vstsextend/aml/#author-praneet-singh-solanki
However, in Exercise 1- Step 3: Create or get workspace, I'm facing an error while authorising my Azure Subscription.
"Error: Insufficient privileges to complete the operation. Ensure that the user has permissions to create an Azure Active Directory Application."
Here is a snapshot of the problem. Also, my subscription is free tier as of now. Could that be a reason?
My subscription is free tier as of now. Could that be a reason?
No, you don't need worry about this. For free credit, we offered $200 free quota, and also the use will not be limited(just limit use depth only).
"Error: Insufficient privileges to complete the operation. Ensure that
the user has permissions to create an Azure Active Directory
Application."
This issue should caused by your incorrect role setting. Even you are owner of AAD or application, if you did not assign the role of Application administrator, you still will receive the error of permission not enough.
Please assign the role of your AD application to a Administrator permission. Go Azure Portal -> Azure Active directory-> Users, and then search your account which you will used in Azure Devops pipeline, and then follow the below setting to assign the role.
Then back to Azure Devops, refresh the Azure Subscription and Authorized again.
We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving is the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended trouble-shooting, making sure that the user is in a Global Administrator role and what-not, but still not luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principle will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings: