I'm creating new azure devops web extension, I've created new service connection of generic type (provided username and password).
Need to access username and password and make rest api call inside java script file of azure devops web extension. How to form authorization header without user interaction?
This is not available for any customized extension so far. Same as a customized task or script.
Because a Service Connection involves data shaped specifically to the
connected service (the Generic Service Connection being the exception
that proves the rule...), you won't be able to make use of strongly
typed properties in your Bash task. Instead, you may want to examine
environment variables and process the service connection data
manually.
More detail info you could kindly take a look at Josh E's reply in this question: How can a script access Service Connections? (Azure Devops Pipelines)
Related
Overview: I try to trigger an Azure DevOps 2020 Pipeline (YAML) in the event that a WorkItem of a specific type is created. So my idea I had was to create a connection between "WorkItem" -> Service Hook of Type "Web Hook" -> Service Connection of Type "Incoming Webhook" -> resource:webhook triggers the Pipeline in YAML.
My problem now is, that I could create the serviceendpoint by GUI or by API, but the documentation and the created endpoint does not make sense for me. I am running my server on-premise and the endpoint I got looks like this:
{"count":1,"value":[{"data":{},"id":"1babbef7-1edb-4b01-bf18-b6e3c309caae","name":"TestIncomingWebhook","type":"incomingwebhook","url":"https://dev.azure.com", ...
The url does not make sense to me.
I can alter the url if I use the REST API to create the endpoint by using this format
POST https://{instance}/{collection}/{project}/_apis/serviceendpoint/endpoints
as described in Microsoft Azure API Documentation.
Questions:
Why is the url that the service connection gets pointed to https://dev.azure.com while I am running on-premise from a server on a totally different url? Would that be the url I have to POST to trigger the ServiceConnection?
What must be the correct URL-Format for my local Server? Where should I point that URL to?
How can I trigger the Service Connection from curl? Do I have to use GET with a lot of parameters or POST with a JSON payload?
I would appreciate if someone could help me out on this. Perhaps someone even got a full solution on how to trigger pipelines on workitem events. I searched a lot but could not find a solution, yet.
Thanks, Peter.
I created the WebHook and ServiceConnection from the GUI like this:
WebHook Configuration Screenshot
ServiceHook Configuration Screenshot
My real problem is, that I got no feedback what the correct ServiceHook URL is. I have no idea where to point my WebHook.
Addition:
The correct URL for accessing the Incoming Webhook Service Endpoint in Azure DevOps is https://{instance}/{Collection name}/_apis/public/distributedtask/webhooks/{Service Connection name}?api-version=6.0-preview
This should be related to your machine settings, you could share the detail steps here
Since you are using Azure DevOps Server 2020, the url format for your local Server should be https://{instance}. You could open Azure DevOps Server Administration Console to check it.
It will trigger the webhook via the event you selected.
You could refer to this ticket for more details.
In addition, you could try this Logic Apps then create flow to trigger build when specific type is created
Update1
Create Service connection Incoming WebHook, eg. Web Hooks name is HookTests and Service connection name is TestHook
Create Web Hooks and enter the URL https://{instance}/{Collection name}/_apis/public/distributedtask/webhooks/{Web Hook name eg. HookTests}?api-version=6.0-preview
Create YAML build and add service connection resources in the yaml pipeline see below:
resources:
webhooks:
- webhook: MyWebhookTrigger
connection: {Service connection name, eg.TestHook}
Above steps actually do below things:
New workitem is created-->automatically Trigger Azure pipeline.
In addition, we could also add task power shell and call REST API to trigger another pipeline.
We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving is the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended trouble-shooting, making sure that the user is in a Global Administrator role and what-not, but still not luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principle will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings:
My requirement is, need to launch an AWS EC2 Instance through REST API while TFS running.
For that I need to register the API in TFS as Generic Service Endpoint.
I am not aware how to add the API endpoint because the endpoint contains many header values and signatures.
I hope we can pass the Signature in token.
But what need to pass for UserName?
Could anyone know how to register the AWS REST API in TFS service Endpoint.?
You should do this task via powershell script and just add a powershell step in the TFS build/release workflow. You have flexibility to run it via powershell command line without the TFS web UI. Also the script is portable. It can be invoked in TFS,Jenkins, etc.
It's not able to register aws ec2 instance API in TFS Generic Service Endpoint.
You could use a powershell script to authenticate with AWS API to launch a EC2 instance and invoke the REST API from your Build Pipeline.
Besides, you could use AWS Tools for Microsoft Visual Studio Team Services.
This tool include a new service endpoint type, AWS, to supply AWS credentials to the tasks at runtime.
It will create an AWS Credentials Connection. Select the AWS endpoint type and provide the following parameters:
A name used to refer to the credentials when configuring tasks that
require AWS credentials
AWS Access Key ID
AWS Secret Access Key
After an AWS subscription has be linked to Team Foundation Server, you could use the task deploy to Amazon EC2 with AWS CodeDeploy.
Note: Minimum supported environments
Visual Studio Team Services
Team Foundation Server 2015 Update 3 (or higher)
I have some powershell scripts in my CI server to check the state of some WebJobs.
But I have few problems.
I'm using publish settings file, but it expires and my build starts to fail.
I don't want to use a Management Certificate that will expose all management features.
And I don't want to put my user credentials on the CI server that will also expose all management features.
There is any way to create a CI user or credential with restricted permissions?
Thanks!
Azure Functions provides a good solution to this problem. You can create a Service Principle account, with certificate login and then restrict that account to whatever actions you need it to allow (via RBAC)
You can then have an Azure PowerShell script running in Functions, that is called from a webhook from your CI engine. That way the only credentials that are stored on your CI are the webhook secret, and if your CI engine has a static IP you can verify that commands only come from that address, and drop anything else.
I know how to add a co-administrator via the portal, but need a way to add it via PowerShell.
I need this method as I have lost access to the login id, but have the publish setting file so can administrator my virtual machines.
Unfortunately you can't. Azure PowerShell Cmdlets are essentially wrapper over Azure Service Management API and currently the API does not expose any method to add co-admins programmatically.
Azure have rolled out Roll Based Access Control which will allow you to automate the adding of new admins to your Azure Subscription. Intro here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
You would add a new user as an Owner at the Subscription scope. These operations are available using both PowerShell and REST