62

In the last 6 months I have been releasing with a pipeline in Azure DevOps, but today I receive the following error:

```
2019-09-25T14:24:38.4296875Z ##[section]Starting: Azure App Service Deploy: AS-ServiciosNegocio-API-UAT
2019-09-25T14:24:38.4419797Z ==============================================================================
2019-09-25T14:24:38.4419900Z Task         : Azure App Service deploy
2019-09-25T14:24:38.4419986Z Description  : Deploy to Azure App Service a web, mobile, or API app using Docker, Java, .NET, .NET Core, Node.js, PHP, Python, or Ruby
2019-09-25T14:24:38.4420053Z Version      : 3.4.31
2019-09-25T14:24:38.4420117Z Author       : Microsoft Corporation
2019-09-25T14:24:38.4420182Z Help         : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment
2019-09-25T14:24:38.4420291Z ==============================================================================
2019-09-25T14:24:39.1630446Z Got connection details for Azure App Service:'AS-ServiciosNegocio-API-UAT'
2019-09-25T14:24:39.3091141Z ##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'AS-ServiciosNegocio-API-UAT'. Error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.
2019-09-25T14:24:39.3140156Z ##[section]Finishing: Azure App Service Deploy: AS-ServiciosNegocio-API-UAT
```

Mengdi Liang
Ruy Ruiz
  • Welcome to stackoverflow. Please show [minimum reproducible example](https://stackoverflow.com/help/minimal-reproducible-example) to help others helping you. – Nabil Farhan Sep 26 '19 at 00:29

5 Answers

99

If your existing service connection is the "Azure Resource Manager using service principal (automatic)" type (not manual), there's a simple but non-obvious way to renew the token.

Go to the service connection's settings page in Azure DevOps as described in the other answers. (<YourDevAzureProject> Bottom Left → ⚙️ Project Settings → Pipelines subhead → Service Connections)

Click Edit and then Save without making any other changes. Assuming you have the right permissions, it will automatically get a new token.

NB: for some browsers you must enable pop-ups on dev.azure.com as it attempts to log in to your Azure account to get a list of resource groups.

(Figured this out from this forum comment.)

Chris F Carroll
ecraig12345
  • 20
    To all other readers of this thread, please read ecraig12345's answer to save yourself an awful lot of hassle. – Christopher Thomas Jul 28 '20 at 05:44
  • 3
    This solved the error for me and regenerated the token! Easy... – Dmitri M Aug 31 '20 at 22:44
  • Perfect answer, thank you sooooooo much! Post Xmas/New Year disaster with expired tokens and this fixed it in minutes. Thank you! – Cydaps Jan 04 '22 at 11:18
  • 1
    It's crazy that this isn't officially documented anywhere. I spent hours trying to find issues with my app service and service principal, and, ultimately, all that was needed was a few clicks in Azure DevOps. – Thomas Higginbotham Mar 30 '22 at 18:25
  • It seems like [it is documented here](https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#autoCreatedSecretExpiration) - although this suggests you may also need to click the Verify button. – Craig Brown Apr 01 '22 at 16:31
  • Thank you, saved a lot of time! – Sergey Anisimov Jul 14 '22 at 22:48
  • I had to edit the description and then save for this to work, found the solution here. https://developercommunity.visualstudio.com/t/service-connection-refresh-breaking-ci-pipeline/1177519 – WooHoo Sep 22 '22 at 14:28
27

From reading others' comments/posts on this thread, the Azure UI might have changed so I'm posting the steps here for the later comers. I did what ecraig12345 suggested and it worked great!

  1. Go to the deployment pipeline where the error occurs and click on Edit
  2. Go to "Run on agent" task > Deploy Azure App Service
  3. Click on the Manage hyperlink next to Azure Subscription label (see screenshot below)
  4. Click on Edit
  5. Click Save

[Screenshots: steps 1 - 3, step 4, step 5]

NKD
16

If you look at the error message: "Verify if the Service Principal used is valid and not expired"

While I would have preferred more information, purely based on the above the likely scenario is the Key Used for the Service Connection has expired.

  • Visit your Azure DevOps org. and open the related Project and click on "Project Settings" at the bottom left of the screen.

  • Click edit on the service connection in Azure DevOps and Click on the link >> "To update using an existing service principal, use the full version of the service connection dialog."

  • Copy the "Service principal client ID"

  • Now in the Azure Portal, click on Azure Active Directory and then click on "App Registrations" to search for your application with the "client ID"

  • Go to "Certificate and Secrets" and check if your client certificate has expired.

  • If the cert is expired generate a new one and copy the key.

  • Go back to Azure DevOps "Service Connections", Click edit on the service connection in Azure DevOps and Click on the link >> "To update using an existing service principal, use the full version of the service connection dialog."

  • Update Service Principal Key with the copied value, Verify connection and click ok.

  • This should solve your issue


  • Thanks, the key was "expired", I updated the "Service Principal Key" and got the green "Verified" message, but still get the same error message when I deploy, and then when I get back to the Azure DevOps "Service connection" I get the failed message again.. – Ruy Ruiz Oct 01 '19 at 19:25
  • I just realized that the "ok" button when I "Update Service Principal Key with the copied value" is gray... I am an OWNER of the service.. do I need another role? – Ruy Ruiz Oct 01 '19 at 20:05
  • @RuyRuiz you will probably need the application developer role in your Azure Active Directory. (sorry I missed this question as I was not tagged) – Venura Athukorala Mar 03 '20 at 05:13
  • 4
    This does not work, there is no option to 'Update Service Principal Key with the copied value' – johnstaveley Nov 02 '20 at 10:47
  • The UI of Azure DevOps may have changed. But the steps are the same. https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml – Venura Athukorala Nov 04 '20 at 01:59
  • for me, I'm getting error when I try to save it. I just tried to replace it with new one and same subscription used. I renamed it to the same name after I delete the existing one – aj go Jul 23 '21 at 13:13
10

Although the route to the problem wasn't exactly the same (because devops changed so much again, probably), the answer from Venura was the root cause of my issue, and I was able to solve it thanks to this info.

steps I had to take:

  1. In devops: go to releases
  2. click correct project
  3. edit
  4. click on the stage that was failing
  5. open the run agent task to deploy (should be an azure app service deploy)
  6. click manage azure subscription
  7. click manage service principal
  8. in azure portal click on the expired registration
  9. click on the red error that it has expired
  10. click + new client secret
  11. copy that new key
  12. go back to devops
  13. click edit on the screen of service connections (where we left at step 7) - (the subscript of the title here is Azure Resource Manager using service principal (manual))
  14. paste that copied key in the field 'Service principal key'
  15. click 'Verify and save'

That solved the issue, to confirm it was solved I just triggered a new release, which finally got through.

James D
  • 5
    When I am on the screen of the service connections and I click Edit, I don't see a field called Service Principal Key anywhere. I see: Subscription, Resource Group and a button to verify. Below that is the service connection name and an optional description. – Greg Veres May 28 '20 at 16:25
  • You shouldn't click edit on that step. In that screen of the service connections you should click 'Manage service principal' under details of the azure resource manager – James D May 28 '20 at 16:49
  • 1
    Yea on my "Edit service connection" screen (step 13/14) I do not have a "Service principal key" field. Your directions were great up to that step. My service connection must be a different type than yours. – Greg Veres May 29 '20 at 21:54
  • Must be, because on my service connection, under the tab *Authentication*, third input field is *Service principal key*. Note that the title subscript of **Edit service connection** is *Azure Resource Manager using service principal (manual)*, perhaps that's different – James D May 30 '20 at 08:57
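
The two answers above find the expired client secret by clicking through the portal. As an added example (not from any of the posts), the Python below runs the same expiry check over JSON shaped like the output of `az ad app credential list --id <client-id>`, so it can run on a schedule before a release fails. The sample data, the field names `keyId`, `displayName` and `endDateTime`, the UTC assumption and the 30-day warning window are all assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the JSON that `az ad app credential list --id <client-id>`
# prints. The field names (keyId, displayName, endDateTime) are assumed from that output.
SAMPLE = """[
 {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "devops-old", "endDateTime": "2019-09-24T00:00:00Z"},
 {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "devops-new", "endDateTime": "2019-10-10T12:30:00.1234567Z"},
 {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": "long-lived", "endDateTime": "2021-09-24T00:00:00Z"},
 {"keyId": "00000000-0000-0000-0000-000000000004", "displayName": null, "endDateTime": null}
]"""

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z?$")

def parse_ts(text):
    """Parse a UTC timestamp; fractional seconds are ignored (irrelevant for expiry)."""
    m = _TS.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return dt.replace(tzinfo=timezone.utc)  # assumption: values are UTC

def classify(credentials, now, warn_days=30):
    """Return (label, status) per secret: expired, expiring, ok or unknown."""
    report = []
    for cred in credentials:
        label = cred.get("displayName") or cred.get("keyId") or "<unnamed>"
        end = cred.get("endDateTime")
        if not end:
            status = "unknown"  # no expiry recorded: surface it, do not assume ok
        else:
            left = parse_ts(end) - now
            status = ("expired" if left <= timedelta(0)
                      else "expiring" if left <= timedelta(days=warn_days) else "ok")
        report.append((label, status))
    return report

def exit_code(report):
    """2 if any secret is expired, 1 if any needs attention, else 0."""
    statuses = {status for _, status in report}
    return 2 if "expired" in statuses else 1 if statuses & {"expiring", "unknown"} else 0

if __name__ == "__main__":
    now = datetime(2019, 9, 25, 14, 24, 39, tzinfo=timezone.utc)  # time of the failed run
    result = classify(json.loads(SAMPLE), now)
    print(*(f"{status:9} {label}" for label, status in result), sep="\n")
    raise SystemExit(exit_code(result))
```

The list does not say which secret a given service connection holds, so an expired entry is a prompt to check the connection, not proof that it is the one in use.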
7

I followed JamesD's answer but when I got to step 13, there was nowhere for me to put the Service Principal Key that was generated. So I went back to square one and approached it a different way. Instead of trying to reuse the existing service connection that had expired, I created a new service connection and then changed my release pipelines to use that new service connection and things worked fine.

Here were my steps:

  1. click on Project Settings in the lower left corner
  2. On the left nav under the "Pipelines" section, click on "Service connections"
  3. in the upper right corner, click on the button "New service connection"
  4. select "Azure Resource Manager" and then "Next"
  5. select "Service principal (automatic)" (this is the recommended option)
  6. select the subscription from the drop down.
  7. select the resource group from the drop down
  8. give it a good name and hit save
  9. then authenticate with your azure portal creds
  10. Now you have a service connection created, let's go change the pipeline to use it
  11. Go to your pipeline for the release and edit it
  12. click on the Stage you want to edit (aim for the # tasks link)
  13. click on Deploy Azure App Service
  14. under the azure subscription drop down, select your new subscription entry you created above
  15. then you will select the App Service name in that drop down
  16. hit save and you are good to go

Now repeat for any other stages of the pipeline or any other failing release pipelines

Greg Veres
  • This worked for me with one exception: Your service connection has to be in the same resource group as your target application, otherwise the app won't appear in the "App name" dropdown for the deployment task. – John Aug 08 '21 at 21:21