I created a pipeline which works correct. Now I want to create a release, but when I add a task, dropdown list "App service name" is empty.
If I type "App service name" manually I get en error under releasing:
2020-04-27T14:51:14.0990839Z
##[error]Error: Resource 'Blin...' doesn't exist. Resource should exist before deployment.
Can anybody explain it? Thanks!
Your subscription do not have the permission to view that app service, refer to these steps below to check it:
Go to portal.azure.com
Switch to the tenant that your subscription linked to
Click Resource groups service
Check the Subscription value of the resource group that contains your app service
Related
My requirement is to use Azure Devops services to create services connection, so I created an azure AD application in azure portal
In azure Devops project setting I created a new service connection but when I click on verify it throws me the error:
Failed to query service connection API "https://managemant.azure.com/sub/xxx?api-version=2016-06-01.status code:'status code:{"error",:{code""Authorization failed message" 'the client" with object id "does not have authorization to perform action 'microsoft.resource/sub/read,over scope'/sub/*** or scope is invalid.if access was recently granted.please refresh your credentials}}
The document I am referring to is https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#use-spn
Would appreciate any assistance on this
TIA
I tried to reproduce the same in my environment and got the same error as below:
To resolve the error, assign reader role/permission to the Azure AD Application on the subscription level like below:
Go to Azure Portal -> Subscriptions -> Select your Subscription -> Access control (IAM) -> Add role assignment
Verification is successful after assigning the role like below:
You can also assign contributor role based on your requirement.
According to the error message, you can try go to portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment use the object id. And then try to create a new service connection to check if it works.
The Service Principal or Managed Identity currently you are using from Azure Devops does not have permission to create another service principal. You have to assign specific permissions for create a service principal on your Azure AD tenant. You may try providing "Application Developer" role to the ID which you are using to authenticate from Az Devops.
Please refer this MS link for reference:
Permsissions
When I try to deploy my Bicep template through a DevOps release pipeline I get the following error:
Deployment failed with multiple errors: 'Authorization failed for
template resource '1525ed81-ad25-486e-99a3-124abd455499' of type
'Microsoft.Authorization/roleDefinitions'. The client
'378da07a-d663-4d11-93d0-9c383eadcf45' with object id
'378da07a-d663-4d11-93d0-9c383eadcf45' does not have permission to
perform action 'Microsoft.Authorization/roleDefinitions/write' at
scope
'/subscriptions/8449f684-37c6-482b-8b1a-576b999c77ef/resourceGroups/rgabpddt/providers/Microsoft.Authorization/roleDefinitions/1525ed81-ad25-486e-99a3-124abd455499'.:Authorization
failed for template resource '31c1daec-7d4a-4255-8528-169fc45fc14d' of
type 'Microsoft.Authorization/roleAssignments'.
I understand through this post that I have to grant "something" the Owner or User Access Administrator role.
But I don't understand what user has the ObjectId 378da07a-d663-4d11-93d0-9c383eadcf45.
I tried to look it up with the following az CLI command, but it says that it cannot find a resource with that Id:
az ad user show --id 378da07a-d663-4d11-93d0-9c383eadcf45
The response it returns:
Resource '378da07a-d663-4d11-93d0-9c383eadcf45' does not exist or one of its queried reference-property objects are not present.
I'm a but clueless here. What do I exactly have to grant permission?
When you use service connection in DevOps pipeline, for example Azure Resource Manager service connection, it will create a service principal(app registry) on Azure portal-> Active Directory. You can find the service principal by clicking the link on service connection:
When you deploy with service connection, please make sure you have give correct permission for this service principal on target resource, like mentioned Microsoft.Authorization/roleDefinitions/write. Suggest to give contributor role on the resource. Otherwise it will reports the error in your pipeline log.
When you add the role, you will find the object id, it's different with service principal application ID or object id.
It's azure role not Azure AD role. You can find the difference in the doc.
I'm using Azure DevOps services to create service connection but getting errors.
I am trying to follow the steps outlined here
These are the steps I followed:
Add a new AAD app registration with secret.
In DevOps, from project settings create a new service connection.
Connection type: ARM
Authentication method: Serviceprincipal (manual)
Env: Azure Cloud
Scope: Subscription
Subscription Id: xxx
Subscription name: xxx
service principal id: xxx
service principal key: xxx
Tenant Id: xxx
When I click Verify, I get this error:
Failed to query service connection API:
'https://management.azure.com/subscriptions/xxx?api-version=2016-06-01'.
Status Code: 'Forbidden', Response from server:
'{"error":{"code":"AuthorizationFailed","message":"The client 'abc'
with object id 'abc' does not have authorization to perform action
'Microsoft.Resources/subscriptions/read' over scope
'/subscriptions/xxx' or the scope is invalid. If access was recently
granted, please refresh your credentials."}}'
So,
Does this mean, my app registration need to have read permission on this xxx subscription?
Can't I scope it to resource group level? If yes, how can I do that as I don't see that option in portal?
Thanks!
I tried to reproduce the same in my environment and got the same error as below:
Does this mean, my app registration needs to have read permission on this xxx subscription? Can't I scope it to resource group level?
Yes, your app registration needs to have read permission on that subscription level. You cannot scope it to resource group level as the query https://management.azure.com/subscriptions/xxx?api-version=2016-06-01 is related to subscriptions.
Read permission will be included in roles like reader, contributor and owner. For least privilege, I assigned reader role to the app like below:
Go to Azure Portal -> Subscriptions -> Your Subscription -> Access Control(IAM) -> Add role assignment -> Select Role
After assigning that role, verification is successful like below:
When you create ARM service principle (Manual) type Service Connection, you need to manually add role assignment for this service principle inside your Azure Subscription in Azure Portal.
In common, you will need to give this service principle “Contribute” role to perform the action.
Find the Overview Page of this app registration in AAD.
In your Azure Subscription page, click IAM -> Add -> Add role assignment
Select the name of this app and assign it a "Contribute" role of this Azure Subscription.
In the last 6 months I have been releasing with a pipeline in Azure DevOps, but today I receive the following error:
2019-09-25T14:24:38.4296875Z ##[section]Starting: Azure App Service Deploy: AS-ServiciosNegocio-API-UAT
2019-09-25T14:24:38.4419797Z ==============================================================================
2019-09-25T14:24:38.4419900Z Task : Azure App Service deploy
2019-09-25T14:24:38.4419986Z Description : Deploy to Azure App Service a web, mobile, or API app using Docker, Java, .NET, .NET Core, Node.js, PHP, Python, or Ruby
2019-09-25T14:24:38.4420053Z Version : 3.4.31
2019-09-25T14:24:38.4420117Z Author : Microsoft Corporation
2019-09-25T14:24:38.4420182Z Help : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment
2019-09-25T14:24:38.4420291Z ==============================================================================
2019-09-25T14:24:39.1630446Z Got connection details for Azure App Service:'AS-ServiciosNegocio-API-UAT'
2019-09-25T14:24:39.3091141Z ##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'AS-ServiciosNegocio-API-UAT'. Error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.
2019-09-25T14:24:39.3140156Z ##[section]Finishing: Azure App Service Deploy: AS-ServiciosNegocio-API-UAT
If your existing service connection is the "Azure Resource Manager using service principal (automatic)" type (not manual), there's a simple but non-obvious way to renew the token.
Go to the service connection's settings page in Azure Devops as described in the other answers. (<YourDevAzureProject> Bottom Left → ⚙️ Project Settings → Pipelines subhead → Service Connections)
Click Edit and then Save without making any other changes. Assuming you have the right permissions, it will automatically get a new token.
NB: for some browsers you must enable pop-ups on dev.azure.com as it attempts to login to your azure account to get a list of resource groups.
(Figured this out from this forum comment.)
From reading others' comments/posts on this thread, the Azure UI might have changed so I'm posting the steps here for the later comers. I did what ecraig12345 suggested and it worked great!
Go to the deployment pipeline where the error occurs and click on Edit
Go to "Run on agent" task > Deploy Azure App Service
Click on the Manage hyperlink next to Azure Subscription label (see screenshot below)
Click on Edit
Click Save
Steps 1 - 3
Step 4
Step 5
If you look at the error message: "Verify if the Service Principal used is valid and not expired"
While I would have preferred more information, purely based on the above the likely scenario is the Key Used for the Service Connection has expired.
Visit you Azure DevOps org. and open the related Project and click on "Project
Settings" at the bottom left of the screen.
Click edit on the service connection in Azure DevOps and Click on the
link >> "To update using an existing service principal, use the full
version of the service connection dialog."
Copy the "Service principal client ID"
Now in the Azure Portal, Clic on Azure Active Directory and then Click on "App Registrations" to search for your application with the "client ID"
Go to "Certificate and Secrets" and check if your client certificate has expired.
If the cert is expired generate a new one and copy the key.
Go back to Azure DevOps "Service Connections", Click edit on the service connection in Azure DevOps and Click on the link >> "To update using an existing service principal, use the full version of the service connection dialog."
Update Service Principal Key with the copied value, Verify connection and click ok.
This should solve your issue
Although the route to the problem wasn't exactly the same (because devops changed so much again, probably), the answer from Venura was the root cause of my issue, and I was able to solve it thanks to this info.
steps I had to take:
In devops: go to releases
click correct project
edit
click on the stage that was failing
open the run agent task to deploy (should be an azure app service deploy)
click manage azure subscription
click manage service principal
in azure portal click on the expired registration
click on the red error that is has expired
click + new client secret
copy that new key
go back to devops
click edit on the screen of service connections (where we left at step 7) - (the subscript of the title here is Azure Resource Manager using service principal (manual))
paste that copied key in the field 'Service principal key'
click 'Verify and save'
That solved the issue, to confirm it was solved I just triggered a new release, which finally got through.
I followed JamesD's answer but when I got to step 13, there was nowhere for me to put the Service Principle Key that was generated. So I went back to square one and approached it a different way. Instead of trying to reuse the existing service connection that had exired, I created a new service connection and then changed my release pipelines to use that new service connection and things worked fine.
Here were my steps:
click on Project Settings in the lower left corner
On the left nav under the "Pipelines" section, click on "Service connections"
in the upper right corner, click on the button "New service connection"
select "Azure Resource Manager" and then "Next"
select "Service principle (automatic)" (this is the recommended option)
select the subscription from the drop down.
select the resource group from the drop down
give it a good name and hit save
then authenticate with your azure portal creds
Now you have a service connection created, lets go change the pipeline to use it
Go to your pipeline for the release and edit it
click on the Stage you want to edit (aim for the # tasks link)
click on Deploy Azure App Service
under the azure subscription drop down, select your new subscription entry you created above
then you will select the App Service name in that drop down
hit save and you are good to go
Now repeat for any other stages of the pipeline or any other failing release pipelines
For some reason I cannot create a resource group for IBM cloud. The error says I can only create one resource group in a lite account. But unfortunately I do not have any group in there
Could someone give some advice how I should deal with that challenge?
When you open and activate your account, a resource group named "default" is created automatically. You cannot create another one while on lite/free plan. You would need to upgrade.
You can verify the default resource group under : Manage -> Account -> Resource groups