
I have a pipeline stage that is using a template as follows:

```yaml
# Deploy to AKS
- stage: DeployTEST
  displayName: Test env for my-app
  condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
  variables:
  - group: 'my-app-var-group-test'
  - group: 'package-variables'
  - template: templates/shared-template-vars.yml@templates
  jobs:
  - deployment: TestDeployment
    displayName: Deploy to AKS - Test
    pool:
      vmImage: $(vmImageName)
    environment: env-test
    strategy:
      runOnce:
        deploy:
          steps:
          - template: ./aks/deployment-steps.yml
```

...and the content of the template deployment-steps.yml is:

```yaml
steps:
- script: |
    echo AzureSubscription: '$(azureSubscription)'
    echo KubernetesServiceConnection: '$(kubernetesServiceConnection)' # this is working

- task: KubernetesManifest@0
  displayName: Create imagePullSecret
  inputs:
    action: createSecret
    secretName: $(imagePullSecret)
    dockerRegistryEndpoint: $(dockerRegistryServiceConnection)
    kubernetesServiceConnection: $(kubernetesServiceConnection) # this is causing an error
```

I get an error like this:

There was a resource authorization issue: "The pipeline is not valid. Job TestDeployment: Step input kubernetesServiceConnection references service connection $(kubernetesServiceConnection) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."

and like this when I try to select individual stages prior to a manual pipeline run:

Encountered error(s) while parsing pipeline YAML: Job TestDeployment: Step input kubernetesServiceConnection references service connection $(kubernetesServiceConnection) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz.

The errors above are misleading, because it is not an authorization issue:

  • the referenced K8s service connection is authorized
  • when I hardcode the value of the $(kubernetesServiceConnection) variable the pipeline runs just fine - no errors
  • variable group my-app-var-group-test is authorized - IMPORTANT: this is where the $(kubernetesServiceConnection) variable is defined

NOTE: The variable kubernetesServiceConnection is defined in the my-app-var-group-test variable group & when I comment out the KubernetesManifest task, the value of the $(kubernetesServiceConnection) variable is properly printed to the pipeline console output without any issues and the pipeline runs successfully!?

I know I could use parameters to pass values into the template, but this setup is already used by all other pipelines (variable group vars are used/referenced in templates) and this issue appeared on a newly created pipeline. I have used file comparison to compare the YAML of a working pipeline and this one and failed to spot anything...

I might be missing something obvious, but I spent hours on this failing to resolve the error...

Emil
  • Does this answer your question? [Issues while passing variable groups parameter to template from azure pipeline.yml](https://stackoverflow.com/questions/72557416/issues-while-passing-variable-groups-parameter-to-template-from-azure-pipeline-y) – Vince Bowdren Jun 16 '22 at 16:04
  • @VinceBowdren - Thank you for the link to this other issue. It does add some value but my case is different - I am not using parameters to pass the value from the variable group; also as I said in the question I already have existing pipelines that use the exact setup, but this error came up on a newly created pipeline and I am struggling to find the root cause. – Emil Jun 16 '22 at 16:13
  • the crucial point is that you are declaring the kubernetesServiceConnection variable at a lower level (in your case stage level); but _in order to be used to define a task's service connection_ the variable must be declared at the top level i.e. in the pipeline. It's a known restriction. – Vince Bowdren Jun 16 '22 at 16:16
  • @VinceBowdren - I can declare empty variable at root level, but will the variable from the var group value take precedence? – Emil Jun 17 '22 at 15:13
  • No, the service account variable you use (and its value) has to be declared at root level. – Vince Bowdren Jun 17 '22 at 15:16
  • @VinceBowdren - thanks for your help, I will get to the bottom of it. The issue I have is that different stages are using different values of the `kubernetesServiceConnection` as well as `azureSubscription` for example; this has worked so far on existing pipelines... I am aware of the compile vs runtime issues with stages and var groups, but I have existing pipelines using the same pattern. If I have to design the pipeline myself I would use [runtime parameters](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/runtime-parameters?view=azure-devops&tabs=script) – Emil Jun 17 '22 at 15:20

0 Answers
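
The parameter-passing alternative mentioned in the question, as an added example that is not from the post or its comments: `${{ parameters.* }}` template expressions are expanded when the YAML is compiled, so the task input already holds a literal service connection name when the resource authorization check runs, and each stage can pass its own value. The connection names, secret name and `ubuntu-latest` image below are placeholders.

```yaml
# --- aks/deployment-steps.yml (template) ---
parameters:
- name: kubernetesServiceConnection
  type: string
- name: dockerRegistryServiceConnection
  type: string
- name: imagePullSecret
  type: string

steps:
- task: KubernetesManifest@0
  displayName: Create imagePullSecret
  inputs:
    action: createSecret
    secretName: ${{ parameters.imagePullSecret }}
    dockerRegistryEndpoint: ${{ parameters.dockerRegistryServiceConnection }}
    # Expanded at compile time, so the authorization check sees a literal name
    kubernetesServiceConnection: ${{ parameters.kubernetesServiceConnection }}

# --- azure-pipelines.yml (calling stage; one set of values per environment) ---
- stage: DeployTEST
  displayName: Test env for my-app
  jobs:
  - deployment: TestDeployment
    displayName: Deploy to AKS - Test
    pool:
      vmImage: ubuntu-latest                                          # placeholder
    environment: env-test
    strategy:
      runOnce:
        deploy:
          steps:
          - template: ./aks/deployment-steps.yml
            parameters:
              kubernetesServiceConnection: 'aks-test-connection'      # placeholder name
              dockerRegistryServiceConnection: 'acr-test-connection'  # placeholder name
              imagePullSecret: 'my-app-pull-secret'                   # placeholder name
```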