
I'm building CI/CD for ADLA (U-SQL) and have Azure PowerShell scripts for deploying this release using VSTS, and I'm facing the error below during deployment:

The user is not authorised to perform this operation on storage.

I assume that since I'm deploying using VSTS, the release will be deployed through a build user. How do I give access to this user, and where can I get the user details? Is this my VSTS login ID? I use the same ID for VSTS and Visual Studio Code. Any help or suggestions will be appreciated.

  • How do you create the Azure service endpoint in VSTS? Do you use your account? – starian chen-MSFT Apr 06 '18 at 05:40
  • Yes, I use my own account in VSTS and have created a service endpoint. – Arunachalam Apr 06 '18 at 09:02
  • What's the result if you deploy it through PowerShell manually on your local machine? – starian chen-MSFT Apr 06 '18 at 09:28
  • I'm able to deploy the U-SQL code into ADLA using the same PowerShell script running locally. – Arunachalam Apr 06 '18 at 09:43
  • What's the detailed code? Can you share the detailed log on OneDrive? (Add the system.debug variable with the value true, then start the release and share the log.) – starian chen-MSFT Apr 09 '18 at 01:29
  • Thanks. This is my OneDrive link: https://1drv.ms/f/s!AgPtC7C6BcwTa2kU5N4lBiFjpHE – Arunachalam Apr 09 '18 at 05:55
  • Try referring to this article to grant the permission to the related AD application: https://learn.microsoft.com/en-us/azure/data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory. (Azure Active Directory > App registrations > (name like {vsts account}-{team project name}-{guid id})) – starian chen-MSFT Apr 09 '18 at 06:36
  • I have created a service principal endpoint and gave Delegate permissions to my Azure Data Lake Store. But I'm still facing the same issue. – Arunachalam Apr 09 '18 at 07:23
  • How did you give delegate permissions? Provide the detailed steps here. – starian chen-MSFT Apr 09 '18 at 07:25
  • I followed this link learn.microsoft.com/en-us/azure/data-lake-store/… and did the steps mentioned, but I'm still facing the same error. – Arunachalam Apr 09 '18 at 09:36
  • I created a service endpoint and Manage Service principal. In Settings --> Required permissions I added a permission for Azure Data Lake (Delegate permissions). – Arunachalam Apr 09 '18 at 09:39
  • Which user/group did you specify? – starian chen-MSFT Apr 09 '18 at 09:41
  • I'm using the same user for both VSTS and the Azure portal account. While creating the service endpoint I didn't give any specific user. – Arunachalam Apr 09 '18 at 13:34
  • I mean Step 3: Assign the Azure AD application to the Azure Data Lake Store account file or folder – starian chen-MSFT Apr 10 '18 at 01:25
  • In step 3 I gave the Azure Active Directory application I created in this link - https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal – Arunachalam Apr 10 '18 at 10:12
  • No luck still. I added the user as Co-admin as well. Still facing the same issue; not sure about the reason. – Arunachalam Apr 10 '18 at 11:01
  • I can share the screenshots of the steps I'm following. – Arunachalam Apr 10 '18 at 11:02
  • I have added screenshots of adding the AAD app in the link below - https://1drv.ms/w/s!AgPtC7C6BcwTbWt4xw7zSInGGu4 Can you please check and let me know if I'm going wrong somewhere? – Arunachalam Apr 10 '18 at 11:37
  • How did you create Azure RM endpoint in VSTS? Did you use this AAD? – starian chen-MSFT Apr 11 '18 at 01:41
  • In VSTS --> Services --> New Service Endpoint --> Azure Resource Manager. But I'm not sure how the AAD which I created can be used in service endpoint creation. Please let me know. – Arunachalam Apr 11 '18 at 06:01
  • Three ways to create an Azure RM endpoint (https://blogs.msdn.microsoft.com/devops/2015/10/04/automating-azure-resource-group-deployment-using-a-service-principal-in-visual-studio-online-buildrelease-management/): with the automated way (first way), the AAD name will be {vsts account}-{team project}-{guid id}; with the second way, the name will be VSTS.{user name}.{guid}. You need to grant the permission for the related AAD application. – starian chen-MSFT Apr 11 '18 at 07:16
  • I'm following the steps in the link - https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal. Still not sure where I'm going wrong. While creating the Azure Active Directory application I gave the sign-on URL as https://arunmyhost1.visualstudio.com/ADLAUSQL5. Hope this is fine. Can you go through the document which I shared in the previous link and suggest what I need to do? And I gave reader access similar to the steps shown in the link. – Arunachalam Apr 11 '18 at 11:57
  • According to the section "Assign application to role", I gave the Reader role to the app created. – Arunachalam Apr 11 '18 at 12:30
  • The Azure PowerShell task uses the selected Azure endpoint for authorization. Regarding the AAD application, you can get the Client ID, key etc. that are used to create the Azure endpoint in VSTS. So did you grant permission for that AAD application? – starian chen-MSFT Apr 12 '18 at 01:23
  • Thanks. I created a new service endpoint by using the Client ID, Key and Tenant ID, and in Azure Active Directory --> App registration --> Settings --> Required Permissions --> Delegated permissions I gave permissions. I hope the steps I followed are correct. But since I'm co-administrator for this subscription, I'm getting errors while granting permissions. – Arunachalam Apr 12 '18 at 07:31
  • Are co-administrator privileges not sufficient for granting permissions? Do I need to have administrator privileges? – Arunachalam Apr 12 '18 at 07:33
  • What's the error? You may contact administrator to grant permission. – starian chen-MSFT Apr 12 '18 at 07:46
  • ##[errorr]Access from 'example-app1' is denied. Please grant the user with necessary roles on Azure portal. Trace: 03e7229d-e7ca-43d5-a7be-6e0a3a3b9317 Time: 2018-04-23T23:48:19.9683998-07:00. Getting this error while deploying the release using the Release task. I have given Read, Write permission for this example-app1 user from my Data Lake Analytics account. – Arunachalam Apr 24 '18 at 07:07
  • A similar thread: https://stackoverflow.com/questions/49995559/azure-u-sql-continous-deployment-using-vsts-powershell-task. Is it your thread? Did you solve this issue? – starian chen-MSFT Apr 26 '18 at 02:03
  • Yes starian, we can mark this thread as answered. – Arunachalam May 03 '18 at 11:14
  • Great! I've posted an answer that you can accept as the answer. – starian chen-MSFT May 04 '18 at 01:23

1 Answer

Create a new Azure endpoint with a new AAD application in VSTS, then grant the permission for this AAD application in Azure.

starian chen-MSFT
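
As an added example (not part of the original answer or thread), one way to check and grant the access the answer refers to, using the Az PowerShell module, is sketched below. Delegated permissions on an app registration apply when the app acts on behalf of a signed-in user; an endpoint that signs in as the application is authorized through role assignments and Data Lake Store ACLs, which is what this script inspects. Only the application name `example-app1` comes from the error quoted in the comments; the account names, resource group, store path, role and permission level are placeholders or assumptions.

```powershell
# Added example, not from the thread. Run after Connect-AzAccount as a user
# allowed to assign roles. Values in <...> are placeholders; defaults are assumptions.
param(
    [string]$AppDisplayName = 'example-app1',        # app named in the release error
    [string]$ResourceGroup  = '<resource-group>',
    [string]$AdlaAccount    = '<adla-account>',
    [string]$AdlsAccount    = '<adls-account>',
    [string]$StorePath      = '/',                   # assumed folder the scripts touch
    [string]$Role           = 'Data Lake Analytics Developer',  # assumed built-in role
    [string]$Permissions    = 'ReadExecute',         # assumed; widen only where writes are needed
    [switch]$Apply                                   # without it, the script only reports
)
$ErrorActionPreference = 'Stop'

# The endpoint authenticates as the application's service principal, not as
# the person who created the endpoint, so access is checked for that identity.
$sp = @(Get-AzADServicePrincipal -DisplayName $AppDisplayName)
if ($sp.Count -ne 1) {
    throw "Expected one service principal named '$AppDisplayName', found $($sp.Count)."
}
$spId = [string]$sp[0].Id

$adla = Get-AzDataLakeAnalyticsAccount -ResourceGroupName $ResourceGroup -Name $AdlaAccount

# Role assignment on the Data Lake Analytics account
$hasRole = [bool](Get-AzRoleAssignment -ObjectId $spId -Scope $adla.Id |
    Where-Object { $_.RoleDefinitionName -eq $Role })

# Access ACL entry for the service principal on the store path
$hasAcl = [bool](Get-AzDataLakeStoreItemAclEntry -Account $AdlsAccount -Path $StorePath |
    Where-Object { $_.Scope -eq 'Access' -and $_.Type -eq 'User' -and $_.Id -eq $spId })

if ($Apply -and -not $hasRole) {
    New-AzRoleAssignment -ObjectId $spId -RoleDefinitionName $Role -Scope $adla.Id | Out-Null
    $hasRole = $true
}
if ($Apply -and -not $hasAcl) {
    Set-AzDataLakeStoreItemAclEntry -Account $AdlsAccount -Path $StorePath `
        -AceType User -Id $spId -Permissions $Permissions | Out-Null
    $hasAcl = $true
}

[pscustomobject]@{
    ServicePrincipal = $AppDisplayName
    ObjectId         = $spId
    RoleOnAdla       = $hasRole
    AclOnStorePath   = $hasAcl
}
```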