I have Azure DevOps pipeline where one of service principals got expired.
Now my colleague created new service connection (with service principal) with new name.
I went to edit yaml in new branch. I gave new name for azureSubscription.
Then "run"
Got error "The service connection does not exist or has not been authorized for use"
I press "Authorize resources" and getting successful message.
"Run new"
Getting back to 5.point and never get pipeline executed correctly.
Make sure you use the correct service connection name. You can also navigate and enable the box grant access to all pipelines on the service connection settings.
If the problem is not resolved, I would follow the below steps:
remove the service connection
Add it again
Logout
Login and run the pipeline
Related
I'm getting an error when I try to create a pipeline in our Azure DevOps. I've created a service connection for Azure US Gov to Azure Resource Manager that seems to have verified and saved successfully. Tried different browsers / incognito mode with no luck.
Error Message...
"You don’t appear to have an active Azure subscription."
Running version 18.181.31626.1 (Azure DevOps Server 2020 Update 1.1)
I've configured the service principal with contributor access. The connection appears to verify okay in DevOps when creating the service connection. In this example I'm selecting the option for Docker, though it appears to replicate against any of the options in the list. When selecting any of the options I see the pop out window on the side state "You don’t appear to have an active Azure subscription."
Please follow these steps to troubleshoot the error "You don’t appear to have an active Azure subscription".
1.Go to https://ms.portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade to check if your subscription status is active.
2.Go to https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/TenantPropertiesBlade to check whether the Security defaults is disabled.
Note
Remember to switch to your subscription aad in the steps above.
In addition, when the user is assigned the subscription (access level above contributor) for the first time, it needs time to sync the changes when logging in to Azure DevOps.
I hope someone can help me.
I am creating a pipeline in Azure Devops taking an existing reference yaml where I basically have a step where I need to deploy to an Azure resource function, within an Azure subscription, from which I have permissions to read, create and delete resources.
The deploy step is:
Settings
- task: AzureFunctionApp#1
inputs:
azureSubscription: 'private-suscription-dont-show-name'
appType: 'functionApp'
appName: 'chatbot-service-functions2'
package: '$(System.DefaultWorkingDirectory)/**/*.zip'
deploymentMethod: 'auto'
Basically I click on the setting option and it opens a menu for me.
I choose in the option "Azure subscription" the subscription where I have the resource that I want to deploy, the name of the subscription appears and I choose it without any problem.
At the same time that I choose the name of the subscription I get an option "Authorize" in which I click, and immediately I get an error:
Service connection with name 'private-suscription-dont-show-name' already exists. Only a user having Administrator/User role permissions on service connection 'private-suscription-dont-show-name' can see it.
My question is why can't I deploy, using autocomplete, to a resource within a subscription in which I have permission to read, create and delete resources? Do I have any other option to deploy without autocomplete?
This is related to the Security for service connections on DevOps.
The users who have Administrator or User role on a service connection can use this service connection. The Reader role can see the service connection but not use it.
If you (or the group/team you are in) are not added as a member on the User permissions of a service connection, generally you have no access to see and use this service connection in the project.
To gain the permissions on a service connection, you need to contact the Project Administrators or the Administrators on this service connection to grant you the Administrator or User role on this service connection.
I have a python script that execute an automation script on remote SUT. and given that the script is working when execute locally with user tester and password xxx.
when I build the DevOps Azure pipeline I have checkout from GIT the project into the agent and then try to execute the code from the command line .
cd .\MatrixPro\TestFramework
python .\main.py -t profaund_tests.matrix_pro_rf_energy_across_impedances
this code gave me an error
E PermissionError: [WinError 5] Access is denied:
'//192.168.1.100\c$\'
seems that this script try to create report file on the SUT and doesn't have permission.
more over that the azure user agent have admin permission but I suspect that I need to change into the local user before execute the command.
note: I'm working on windows 10 .
what is the right method to solve this issue ? how can I figure out way this error occur ?
is their a simple way to change the pipeline permmision to work on local agent with local user and password?
When you run the build pipeline on Azure DevOps.
It's actually the build service account which is running the script. You should make sure the build service account have sufficient permission to Access: '//192.168.1.100\c$\'
To change the identity of the build agent, just go into Windows Services and change the identity of related Build service (service name is " Azure Pipelines Agent").
In the Services pane, right-click Azure Pipelines Agent.
Under Service Status, click Stop.
Click the Log On tab.
Specify the account you want to use for the service in the This
account text box.
Type the new password in the Password text box, and then type the
new password again in the Confirm password text box.
Under Service Status, click Start.
You should use a user to remote to that the server hold build agent and manually run the script to perform the deploy process. If that user is able to deploy succeed without any permission issue. Simply use this user as your build service account of Azure DevOps agent.
Hope this helps.
In the last 6 months I have been releasing with a pipeline in Azure DevOps, but today I receive the following error:
2019-09-25T14:24:38.4296875Z ##[section]Starting: Azure App Service Deploy: AS-ServiciosNegocio-API-UAT
2019-09-25T14:24:38.4419797Z ==============================================================================
2019-09-25T14:24:38.4419900Z Task : Azure App Service deploy
2019-09-25T14:24:38.4419986Z Description : Deploy to Azure App Service a web, mobile, or API app using Docker, Java, .NET, .NET Core, Node.js, PHP, Python, or Ruby
2019-09-25T14:24:38.4420053Z Version : 3.4.31
2019-09-25T14:24:38.4420117Z Author : Microsoft Corporation
2019-09-25T14:24:38.4420182Z Help : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment
2019-09-25T14:24:38.4420291Z ==============================================================================
2019-09-25T14:24:39.1630446Z Got connection details for Azure App Service:'AS-ServiciosNegocio-API-UAT'
2019-09-25T14:24:39.3091141Z ##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'AS-ServiciosNegocio-API-UAT'. Error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.
2019-09-25T14:24:39.3140156Z ##[section]Finishing: Azure App Service Deploy: AS-ServiciosNegocio-API-UAT
If your existing service connection is the "Azure Resource Manager using service principal (automatic)" type (not manual), there's a simple but non-obvious way to renew the token.
Go to the service connection's settings page in Azure Devops as described in the other answers. (<YourDevAzureProject> Bottom Left → ⚙️ Project Settings → Pipelines subhead → Service Connections)
Click Edit and then Save without making any other changes. Assuming you have the right permissions, it will automatically get a new token.
NB: for some browsers you must enable pop-ups on dev.azure.com as it attempts to login to your azure account to get a list of resource groups.
(Figured this out from this forum comment.)
From reading others' comments/posts on this thread, the Azure UI might have changed so I'm posting the steps here for the later comers. I did what ecraig12345 suggested and it worked great!
Go to the deployment pipeline where the error occurs and click on Edit
Go to "Run on agent" task > Deploy Azure App Service
Click on the Manage hyperlink next to Azure Subscription label (see screenshot below)
Click on Edit
Click Save
Steps 1 - 3
Step 4
Step 5
If you look at the error message: "Verify if the Service Principal used is valid and not expired"
While I would have preferred more information, purely based on the above the likely scenario is the Key Used for the Service Connection has expired.
Visit you Azure DevOps org. and open the related Project and click on "Project
Settings" at the bottom left of the screen.
Click edit on the service connection in Azure DevOps and Click on the
link >> "To update using an existing service principal, use the full
version of the service connection dialog."
Copy the "Service principal client ID"
Now in the Azure Portal, Clic on Azure Active Directory and then Click on "App Registrations" to search for your application with the "client ID"
Go to "Certificate and Secrets" and check if your client certificate has expired.
If the cert is expired generate a new one and copy the key.
Go back to Azure DevOps "Service Connections", Click edit on the service connection in Azure DevOps and Click on the link >> "To update using an existing service principal, use the full version of the service connection dialog."
Update Service Principal Key with the copied value, Verify connection and click ok.
This should solve your issue
Although the route to the problem wasn't exactly the same (because devops changed so much again, probably), the answer from Venura was the root cause of my issue, and I was able to solve it thanks to this info.
steps I had to take:
In devops: go to releases
click correct project
edit
click on the stage that was failing
open the run agent task to deploy (should be an azure app service deploy)
click manage azure subscription
click manage service principal
in azure portal click on the expired registration
click on the red error that is has expired
click + new client secret
copy that new key
go back to devops
click edit on the screen of service connections (where we left at step 7) - (the subscript of the title here is Azure Resource Manager using service principal (manual))
paste that copied key in the field 'Service principal key'
click 'Verify and save'
That solved the issue, to confirm it was solved I just triggered a new release, which finally got through.
I followed JamesD's answer but when I got to step 13, there was nowhere for me to put the Service Principle Key that was generated. So I went back to square one and approached it a different way. Instead of trying to reuse the existing service connection that had exired, I created a new service connection and then changed my release pipelines to use that new service connection and things worked fine.
Here were my steps:
click on Project Settings in the lower left corner
On the left nav under the "Pipelines" section, click on "Service connections"
in the upper right corner, click on the button "New service connection"
select "Azure Resource Manager" and then "Next"
select "Service principle (automatic)" (this is the recommended option)
select the subscription from the drop down.
select the resource group from the drop down
give it a good name and hit save
then authenticate with your azure portal creds
Now you have a service connection created, lets go change the pipeline to use it
Go to your pipeline for the release and edit it
click on the Stage you want to edit (aim for the # tasks link)
click on Deploy Azure App Service
under the azure subscription drop down, select your new subscription entry you created above
then you will select the App Service name in that drop down
hit save and you are good to go
Now repeat for any other stages of the pipeline or any other failing release pipelines
We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving is the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended trouble-shooting, making sure that the user is in a Global Administrator role and what-not, but still not luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principle will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings: