Azure Build Pipeline - How to Grant Access to Storage Accounts?

Question

Goal:

Securely get Azure resources by tag from Azure pipeline.

Details:

I have an azure-pipelines.yaml that builds a static website and saves it to a hard-coded storage account. This is a security vulnerability.

I now need to update the file to handle blue-green deployments, azure-pipelines.yaml will need to get the storage account that's tagged as the current production storage account, i.e. something like (just a bash script)

prod_storage_acct_name=$(az resource list --is_prod=true --query [0].name)

This works, BUT, it requires a prior az login -u $un -p $pwd, which I test with my user. Obviously I am not going to put my personal user in the pipeline, so the questions are...

Questions:

Is the best way to get an Azure pipeline access to another resource a service principal acct?
Do pipelines have some built in way to configure their access WITHOUT specifying a distinct service principal, since they are "built in" Azure processes? (Get own Service Principal Name in an Azure DevOps Powershell pipeline task seems to imply that a service principal is built in)
Is there some better way to do this that I am completely missing?

IF I need to go with #1, what's the best security practice here? Do I just throw the service principal password into key vault and reference it in the build script?

Maybe an intuitive way of asking: Is there any way to basically say "I am a pipeline, I live on Azure, let me use my own access for this query"?

score 3 · Answer 1 · answered Feb 11 '21 at 20:35

In order for your pipeline/tasks in your pipeline to access Azure resources, you will need a service principal of some type which has permissions to the Azure resources you wish to query.

In Azure DevOps, this is typically done by creating a Service Connection in the Project Settings. The Service Connection will be configured with an Azure AD service principal, and your pipeline will reference the Service Connection to access the service principal's credentials. The Service Connection secures your SP's credentials for you (uncheck Grant Access to All Pipelines to require your permission to use the Service Connection).

The Service Connection creation dialog in DevOps will give you to the option to create a new service principal when you select the Azure RM connection type--you can either do this, if you have permissions and are OK with an SP being created with the Contributor role at the scope you specify; alternatively (and better practice), create a new SP separate from Azure DevOps, assign it just the permissions you need, then manually enter the SP's details into the Service Connection creation dialog.

To create the service principal manually, a quick method is to use the Azure CLI and the command az ad sp create-for-rbac -n <yourSPName> --skip-assignment, then grant the necessary permissions to the SP using the Portal or CLI.

Thanks, looking into using a Service Connection now. – VSO Feb 11 '21 at 21:08 — VSO, Feb 11 '21 at 21:08

Azure Build Pipeline - How to Grant Access to Storage Accounts?

1 Answers1