I am planning to migrate my work to Azure Stack Hub. Can someone please let me know whether I can use Azure DevOps Services in Azure Stack Hub. If so please advise me on how to.
Thanks
If your Azure Stack Management URLs are not public, you'll need a Self-hosted Agent on-prem or somewhere that it can see the Azure Stack Management URLs.
The Self-Host agent will need the Azure Stack Environments created for your Azure Stack Hub e.g. AzureStackUser and/or AzureStackAdmin using the appropriate Management URL.
In Azure DevOps, create a New Service Connection for Azure Resource Manager, but make sure the Environment is set to Azure Stack.
The Server Url must be to one of the Management URLs of your Azure Stack that match the Environment you configure. This depends on what you're doing.
For Admin related configuration:
Use the Admin Management URL e.g. https:///adminmanagement.local.azurestack.external
Set the Subscription ID and Subscription Name to the Default Subscription on the Azure Stack Hub
Enter the Service Principal and Connection Details
For User related configuration:
Use the Management URL e.g. https:///management.local.azurestack.external
Set the Subscription ID and Subscription Name to the User Subscription defined on the Azure Stack Hub
Enter the Service Principal and Connection Details
NOTE: The Service Principal must have the appropriate Role on either the Default Subscription or the User Subscriptions.
Don't verify the Connection, unless the Management URLs are accessible publically
Hope this helps.
Related
i am implementing CI/CD pipeline that needs to register an AAD Application with permissions to read/write into Site collections, this would mean that the pipeline itself need to have permission to 'Sites.FullControl.All'. I want to understand from the security perspective, if this is desirable, i.e., a pipeline having FullControl access to a SharePoint tenant. What are the recommended practices w.r.t. this, will the application registration in such scenarios be manually done by Ops team?
According to your description, it seems that you want to use the service connection in the Azure CI/CD pipeline.
We can create a service connection with Service principal (automatic) or Service principal (manual).
Use the following parameters to define and secure a connection to a Microsoft Azure subscription using Service Principal Authentication (SPA) or an Azure managed Service Identity.
Automated subscription detection. In this mode, Azure Pipelines
queries Azure for all of the subscriptions and instances to which you
have access. They use the credentials you're currently signed in with
in Azure Pipelines (including Microsoft accounts and School or Work
accounts).
If you don't see the subscription you want to use, sign out of Azure Pipelines and sign in again using the appropriate account credentials.
Manual subscription pipeline. In this mode, you must specify the
service principal you want to use to connect to Azure. The service
principal specifies the resources and the access levels that are
available over the connection.
For more information, you could refer to Azure Resource Manager service connection.
we use a devops artifact feed to store our packed/shaded java binaries inside a private project. Now we would like to allow access to certain artifacts for externals.
We will promote these artifacts to a custom view (#public-releases) and want to allow access to this view for certain customers only (s.t. they can use it in their automation).
Is it possible to have some kind of service-account/service-principal to assign read-permissions in devops?
I know it the other way round (give devops access to azure ressources via service connections), but now I want to permit access to Devops Feeds.
How would I create such a User? We have azure AD connected, so maybe that is an option?
Is it possible to have some kind of service-account/service-principal
to assign read-permissions in devops?
No, no such design.
Service principal of Azure Active Directory concept can not be managed as an account in DevOps side(DevOps doesn't have such account type, only internal service principal, no AAD service principal).
As you know, service principal of AAD can manage access to services in azure portal. This is the usual usage. Another usage is Authenticate with Azure Active Directory (Azure AD) tokens, this approach can be used to manage PAT of DevOps, but anyway you end up needing to access the feed based on a legitimate account under the DevOps concept.
I am looking for a way to create a service account to access the Azure Devops REST API.
The goal would be that this service account would be able to list all the projects.
For now the only solution I found was to create a new user, add it to an overall admin group and create a PAT for it.
Does anyone found another way of doing so ?
Thanks in advance
PS: we have a Azure Devops Service solution
Based on your description and concern, please note that the service account in Azure DevOps Service is automatically created for you when you create an organization in Azure DevOps Services. It is used when clients communicate with the hosted service and can be viewed through the web portal administration page.
And it is not supported to manually create service Account in Azure DevOps Service.
For more information, you could refer to the doc: Service account requirements - Azure DevOps | Microsoft Docs & Service accounts and dependencies - Azure DevOps Server | Microsoft Docs .
we have azure devops pipelines to build and deploy various projects.
Rccently, we wanted to use the "azureblog file copy" pipeline to copy some files to a blob storage.
This needs write access to the storage account over in azure.
Our administrator says that the pipeline runs as whoever manually runs the pipeline. If this is true, we would have to give all devs and users read/write access to the blog storage, which would be crazy.
I assume he is wrong, and that pipelines run as a specific designated user no matter how they were kicked off. The question is, how to find out what this user is for a given pipeine?
The "edit pipeline" has a security tab near the top, adn this lists a but of "Azure Devops groups", which are presumably groups who have the ability to run the pipelines.
But where is the pipeline user defined?
which user do Azure devops pipelines run as?
It depends on the context in which you are discussing the question.
If you mean inside a pure DevOps service, then I can tell you that the user that the pipeline runs on is not the one who triggers the pipeline (which is the case with native DevOps services by default, unless you install some weird extension or have a problem with the pipeline special design), but this identity:
<Project Name> Build Service Account
'run as someone' is just a property of pipeline run. Pipeline run as 'Build Service Account'(On the DevOps side), If you need a pipeline to download or upload an artifact, you can clearly feel this. If the account mentioned above has no permission, you can't do anything.
If you mean the user's operations based on the Azure side, then I can tell you that for native DevOps service, the 'user' that the pipeline performs operations on the Azure side is not the person who triggers the pipeline. The pipeline of DevOps service consists of multiple tasks, and tasks generally interact with other services through service connection (you can find this in Project settings).
There are many types of service connections. When interacting with services in Azure, this type is generally used:
Azure Resource Manager -> Service principal
When you create a service connection of this type on the DevOps side, Azure will also create an AAD app related to this service connection, and this ADD app corresponds to a service principal in Azure. In Azure, permissions are assigned based on service principals or users, and your DevOps pipeline's operations to Azure are based on this service principal and have nothing to do with anything else in DevOps. On the Azure side, this service principal can be considered as an Azure-side 'avatar' of the tasks of the DevOps pipeline.
If you are interacting with Azure through pure code/pure script, then please follow the logic of the script/code.
Our administrator says that the pipeline runs as whoever manually runs
the pipeline. If this is true, we would have to give all devs and
users read/write access to the blog storage, which would be crazy.
For native DevOps service, of course not. Unless this pipeline has a special design.
I believe the pipeline runs as the "agent". Who the "agent user" is will depend on, first, whether you've chosen a "Microsoft-hosted" or "self-hosted" agent to run your pipeline.
When running pipelines in Azure DevOps that are directly working with Azure Resources you need an Azure Resource Manager service connection. The credentials used to make the service connection are the credentials the pipeline will use when it runs.
You can have your administrator provide you with an Azure AD account that has the permissions you need and then use that Azure AD account to create the service connection for the pipeline. Once you have created the service connection you can use the ResourceID of that connection in place of you azureSubscription.
Here is the link to the Microsoft documentation on creating a service connection.
Here is the link to the Microsoft documentation on the Azure file copy task. To verify you can use the service connection in place of the azureSubscription.
We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving is the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended trouble-shooting, making sure that the user is in a Global Administrator role and what-not, but still not luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principle will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings: