I want to use Azure DevOps to deploy to my client's on-prem computer.
I have been looking at docs on build and release agents At first I thought that maybe it was a "self-hosted agent" but after reading further I thought it might be deployment groups. that I need. However deployment groups seem to be about VMs
in Azure DevOps portal ( dev.azure.com)
Organization Settings > Agent pools > Default
download the agent
make sure to use powershell not powershell ise
Related
we have azure devops pipelines to build and deploy various projects.
Rccently, we wanted to use the "azureblog file copy" pipeline to copy some files to a blob storage.
This needs write access to the storage account over in azure.
Our administrator says that the pipeline runs as whoever manually runs the pipeline. If this is true, we would have to give all devs and users read/write access to the blog storage, which would be crazy.
I assume he is wrong, and that pipelines run as a specific designated user no matter how they were kicked off. The question is, how to find out what this user is for a given pipeine?
The "edit pipeline" has a security tab near the top, adn this lists a but of "Azure Devops groups", which are presumably groups who have the ability to run the pipelines.
But where is the pipeline user defined?
which user do Azure devops pipelines run as?
It depends on the context in which you are discussing the question.
If you mean inside a pure DevOps service, then I can tell you that the user that the pipeline runs on is not the one who triggers the pipeline (which is the case with native DevOps services by default, unless you install some weird extension or have a problem with the pipeline special design), but this identity:
<Project Name> Build Service Account
'run as someone' is just a property of pipeline run. Pipeline run as 'Build Service Account'(On the DevOps side), If you need a pipeline to download or upload an artifact, you can clearly feel this. If the account mentioned above has no permission, you can't do anything.
If you mean the user's operations based on the Azure side, then I can tell you that for native DevOps service, the 'user' that the pipeline performs operations on the Azure side is not the person who triggers the pipeline. The pipeline of DevOps service consists of multiple tasks, and tasks generally interact with other services through service connection (you can find this in Project settings).
There are many types of service connections. When interacting with services in Azure, this type is generally used:
Azure Resource Manager -> Service principal
When you create a service connection of this type on the DevOps side, Azure will also create an AAD app related to this service connection, and this ADD app corresponds to a service principal in Azure. In Azure, permissions are assigned based on service principals or users, and your DevOps pipeline's operations to Azure are based on this service principal and have nothing to do with anything else in DevOps. On the Azure side, this service principal can be considered as an Azure-side 'avatar' of the tasks of the DevOps pipeline.
If you are interacting with Azure through pure code/pure script, then please follow the logic of the script/code.
Our administrator says that the pipeline runs as whoever manually runs
the pipeline. If this is true, we would have to give all devs and
users read/write access to the blog storage, which would be crazy.
For native DevOps service, of course not. Unless this pipeline has a special design.
I believe the pipeline runs as the "agent". Who the "agent user" is will depend on, first, whether you've chosen a "Microsoft-hosted" or "self-hosted" agent to run your pipeline.
When running pipelines in Azure DevOps that are directly working with Azure Resources you need an Azure Resource Manager service connection. The credentials used to make the service connection are the credentials the pipeline will use when it runs.
You can have your administrator provide you with an Azure AD account that has the permissions you need and then use that Azure AD account to create the service connection for the pipeline. Once you have created the service connection you can use the ResourceID of that connection in place of you azureSubscription.
Here is the link to the Microsoft documentation on creating a service connection.
Here is the link to the Microsoft documentation on the Azure file copy task. To verify you can use the service connection in place of the azureSubscription.
Sorry for the noob question - I'm a developer and don't know much about Windows administration. I'm upgrading from TFS 2017 to Azure Devops Server (onPrem). This will be on a new set of boxes though so it's not an in-plaee upgrade. Right now I'm doing proof-of-concept testing on a machine not on our domain so obviously I can't add users from the domain. My question is once I install Azure Devops Server on a machine on the domain will it automatically sync with the corporate domain? I've read that that happens once an hour - I'm just wondering if there's anything I need to install/setup to make that happen.
What you need is to join the Windows server which installs Azure DevOps Server to Active Directory.
After that it will automatically sync with the corporate domain.
However, Azure DevOps use a background synchronization job, scheduled every hour, to look for changes in Active Directory (or the local machine workgroup if the server is not domain joined). So changes you make to local or Active Directory groups do not get reflected in Azure DevOps immediately. Instead, Azure DevOps will synchronize those groups regularly (by default every hour).
That's all required. After this, you could directly add domain users or groups to groups in Azure DevOps server.
You can also try to force Azure DevOps Server to sync with Active Directory by following instructions mentioned in this article: How to synchronize TFS users with AD (Active Directory)?, it's still available for current Azure DevOps Server versions.
Is there a way to require that Azure Functions be updated through an Azure pipeline, and not someone using the VSCode integration or azure functions core tools CLI?
I don't believe that there is a direct way to restrict deployment by method (AZ CLI, Az Powershell, Azure DevOps, Azure Portal, etc.), as ultimately most everything in Azure goes through REST APIs, ARM templates, etc.
What you can do is to organize your functions into a resource group or groups, to which you limit Contributor/Administrator/Owner access to the service principal associated with your Azure DevOps service connections. Allow other users the ability to read/inspect resources in that group, but only allow the service principal the right to create objects there. You may also need to allow the managed identities greater privileges to operate within that space, but the concept remains the same - limit the autonomy of interactive users in the space where your Azure Functions live.
I'm currently working on a pipeline job that requires kubernetes access through powershell.
The only issue is that I need to sign in for Az cli. For testing I'm using my personal credentials, clearly not a good definitive option. Are there any other options for Azure cli login that could be used instead?
I'm guessing you are working with hosted agents, therefore, you need to configure kube.config on the hosted agent.
in order to do that, run az aks get-credentials --name $(CLUSTER_NAME) --resource-group $(RESOURCE_GROUP_NAME). The easiest way is to use Azure CLI task. Be aware that this task required authorization from Azure DevOps to Azure.
More info can be found here.
In case you are the subscription owner- select your subscription and click on Authorize.
When the kube.config configured on the hosted agent, you can run any kubectl command you wish (Using Powershell\Bash\CMD).
Is there a way to deploy SQL Database project to Azure SQL Managed Database from Azure DevOps ? Are there ports to open on Azure Network Security Group ?
Thank you
Bertrand
No, not using Azure DevOps hosted agent. That is because a managed instance does not have a public ip address an DevOps can not find your server. If you want to use DevOps you must host your own agent on a separate VM and open up all the internal/external routing you need.
the 'Azure SQL Database Deployment' task in the release pipeline should work for you. With a service connection (Service Principal in Azure) with the correct permissions on the subscription or resource group you can write to the resources, no need to open specific ports in NSGs
This is now possible on MI and Azure DevOps.
Not sure what the NSG settings are if you have restricted access via a NSG.