I am trying to create a Release Definition from my VSTS instance in west Europe to deploy an App in the Azure German Cloud. I tried creating an ARM Service Endpoint but it seems it tried to use by default the service management management.core.windows.net and the endpoint in Germany.
I've also tried using an Azure classic but I keep getting an authentication error: There was an error with the Azure credentials used for the deployment....the user I am using for that has owner role in my subscription. Besides Azure Classic Service Endpoint are deprecated.
Is there any way to change the environment endpoints for the Service Endpoint.
Any restrictions trying to deploy to the German cloud from a VSTS instance in west Europe?
Related
I am trying to upload build apk file in DigitalOcean by using Azure DevOps.
In AzureDevops,we have task called DigitalOcean Tools by using this we can upload the files in DigitalOcean.Below is the link for your reference.
https://marketplace.visualstudio.com/items?itemName=marcelo-formentao.digitalocean-tools&ssr=false#overview
I installed that task in my organization.
First it will ask for to create DigitalOcean Connection by using service endpoint in azure devops.
I Search in Service endpoint in Azure DevOps i didn't find Service connection for Digital Ocean(apart that I found gitlab,ssh,azure..eg i found for all these Service Connection).
My Question is which service connector i need to used for Digital Ocean?
Please help me on this
DigitalOcean Connection: It's based on AWS configuration (only Access Key ID and Secret Key ID is required).
You can choose AWS connection type to create DigitalOcean service endpoint connection in Azure DevOps. And fill the Access Key ID and Secret Key ID that you can get from your DigitalOcean.
Result
UPDATE
If you didn't find AWS end point connection, you should install AWS Toolkit for Azure DevOps extension in marketplace.Url:AWS Toolkit for Azure DevOps
After installing the extension, you would see AWS connection type in your service connection.I test in my devops and it works.
I am looking for a way to create a service account to access the Azure Devops REST API.
The goal would be that this service account would be able to list all the projects.
For now the only solution I found was to create a new user, add it to an overall admin group and create a PAT for it.
Does anyone found another way of doing so ?
Thanks in advance
PS: we have a Azure Devops Service solution
Based on your description and concern, please note that the service account in Azure DevOps Service is automatically created for you when you create an organization in Azure DevOps Services. It is used when clients communicate with the hosted service and can be viewed through the web portal administration page.
And it is not supported to manually create service Account in Azure DevOps Service.
For more information, you could refer to the doc: Service account requirements - Azure DevOps | Microsoft Docs & Service accounts and dependencies - Azure DevOps Server | Microsoft Docs .
I see that Service Connection is a link between Azure Pipelines and Azure Subscription to trigger Pipelines.
But can I create a Service Connection and get client id and secret and use that to obtain access token. And with that access token I can run the Azure Pipeline via c# code with REST APIs?
Is this what a service connection used for ?
But can I create a Service Connection and get client id and secret and
use that to obtain access token.
You can generate token via this, but you can't use it in C# code to run the pipeline.
Service connection between 'Azure Pipelines and Azure Subscription' just for you to create an app in AAD, this will also create related Enterprise App(service principal) in Azure portal side.
The service principal can be assigned permissions in the Azure portal to access resources. Once the service principal has access to a resource at the Azure Portal, the devops pipeline using the service connection associated with the service principal will also have the same access.
The original purpose of the above is service connection design is to allow the pipeline to have access to the resources at the portal.
Why we can't use the app's clientid and secret to get an access token to run the pipeline?
It is clearly in this official document:
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
The Azure DevOps API doesn't support non-interactive service access
via service principals.
Will kubernetes service connections in azure devops work with an AKS cluster that is bound to AAD via openidconnect? Logging into such clusters goes through an openidconnect flow that involves a device login + browser. How is this possible w/ azure devops k8s service connections?
Will kubernetes service connections in azure devops work with an AKS
cluster that is bound to AAD via openidconnect?
Unfortunately to say, no, this does not support until now.
According to your description, what you want to connect with in Azure Devops Kubernetes service connection is Azure Kubernetes service. This means you would select Azure Subscription in Choose authentication. BUT, this connection method is using Service Principal Authentication (SPA) to authenticate, which does not yet supported for the AKS that is bound with AAD auth.
If you connect your AKS cluster as part of your CI/CD deployment in Azure Devops, and attempt to get the cluster credentials. You would get a warning response which inform you to log in since the service principal cannot handle it:
WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code *** to authenticate.
You should familiar with this message, it needs you open a browser to login in to complete the device code authentication manually. But this could not be achieve in Azure Devops.
There has a such feature request raised on our forum which request us expand this feature to Support non-interactive login for AAD-integrated clusters. You can vote and comment there to advance the priority of this suggestion ticket. Then it could be considered into the develop plan by our Product Manager as soon as possible.
Though it could not be achieved directly. But there has 2 work around can for you refer now.
The first work around is change the Azure DevOps authenticate itself from AAD client to the server client.
Use az aks get-credentials command and specify the parameter --admin with it. This can help with bypassing the Azure AD auth since it can let you connect and retrieve the admin credentials which can work without Azure AD.
But, I do not recommend this method because subjectively, this method is ignoring the authentication rules set in AAD for security. If you want a quick method to achieve what you want and not too worry about the security, you can try with this.
The second one is using Kubernetes service accounts
You can follow this doc to create a service account. Then in Azure Devops, we could use this service account to communicate with AKS API. Here you also need to consider about the authorized IP address ranges in AKS.
After the service account created successfully, choose Service account in the service connection of Azure Devops:
Server URL: Get it from the AKS instance(API server address) in Azure portal, then do not forget append the https:// before it while you input it into this service connection.
Secret: Generate it by using command:
kubectl get secret -n <name of secret> -o yaml -n service-accounts
See this doc: Deploy Vault on Azure Kubernetes Service (AKS).
Then you can use this service connection in Azure Devops tasks.
My requirement is, need to launch an AWS EC2 Instance through REST API while TFS running.
For that I need to register the API in TFS as Generic Service Endpoint.
I am not aware how to add the API endpoint because the endpoint contains many header values and signatures.
I hope we can pass the Signature in token.
But what need to pass for UserName?
Could anyone know how to register the AWS REST API in TFS service Endpoint.?
You should do this task via powershell script and just add a powershell step in the TFS build/release workflow. You have flexibility to run it via powershell command line without the TFS web UI. Also the script is portable. It can be invoked in TFS,Jenkins, etc.
It's not able to register aws ec2 instance API in TFS Generic Service Endpoint.
You could use a powershell script to authenticate with AWS API to launch a EC2 instance and invoke the REST API from your Build Pipeline.
Besides, you could use AWS Tools for Microsoft Visual Studio Team Services.
This tool include a new service endpoint type, AWS, to supply AWS credentials to the tasks at runtime.
It will create an AWS Credentials Connection. Select the AWS endpoint type and provide the following parameters:
A name used to refer to the credentials when configuring tasks that
require AWS credentials
AWS Access Key ID
AWS Secret Access Key
After an AWS subscription has be linked to Team Foundation Server, you could use the task deploy to Amazon EC2 with AWS CodeDeploy.
Note: Minimum supported environments
Visual Studio Team Services
Team Foundation Server 2015 Update 3 (or higher)