
Having issues w/release pipeline (Azure CLI) that has me scratching my head...

Scenario:

  • Release pipeline / Azure DevOps / 1 task having a single inline AZ CLI script utilizing a service connection back to my Azure cloud instance.
  • Service connection is based on ARM, which when I click on it - it shows Owner/Contributor/Reader at Subscription level of the hierarchy.
  • Inline AZ CLI task is defined to deploy a container instance using the AZ CLI task - which runs fine from Portal.
  • AZ CLI task has checkbox marked (ON) for Access SP details in script - When the pipeline runs, it logs into the Azure cloud instance perfectly.
  • Inline script defined for AZ CLI task is all of two (2) lines:
```
az account
az container create --resource-group myRG --file myContainerInstance.yml
```

The YML file specifies the Azure Container Instance - which FYI is a Docker image, previously published TO AZ cloud Container Registry.

Problem: Azure DevOps CLI task issues following error:

```
ERROR: ValidationError: (AuthorizationFailed) The client '6blahbla-blah-bl2h-xyza-012345678901' with object id '6blahbla-blah-bl2h-xyza-012345678901' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/6bazzers-fuzz-bots-last-hurrahhurrah/myRG' or scope is invalid.
```

Remedies attempted:

  1. Modifying role-perms at the Subscription and Resource Group level.
    • Includes: Owner, Contributor, Reader
  2. Trying to refresh credentials - albeit Azure CLI seems to refresh automagically.
  3. Verified correlation between SP logged in (the '6blahbla...012345678901') by confirming it is my user from Azure Portal CLI:
```
az ad sp show --id 6blahbla-blah-bl2h-xyza-012345678901
```
gto406
  • Which `task` are you using in the release pipeline? Also, have you tried creating a `Service Connection` for the same? Please add the pipeline details to the question as well. – Sibtain Mar 04 '23 at 19:31
  • Thanks @Sibtain - as updated inline (above) single task **AZ CLI task**. Now that I am focused on the azure service connection, I wonder if it needs owner/contrib or reader roles for resource group? – gto406 Mar 04 '23 at 20:25
  • I managed to resolve my problem! Major issue preventing me from getting the deploy/update, was three-fold: 1) I was referring to wrong resource-group from my Service Connection (SC). Creating new SC which referenced the correct resource-group cleared scope issue above. 2) Ensuring YAML artifact (`myContainerInstance.yml`) in place prior to running inline script was critical to release being successful. 3) Inline (bash) script utilized arguments & `System.DefaultWorkingDirectory` set to default to find correct file. Make sure agent has new version of `AZ CLI` installed. – gto406 Mar 06 '23 at 02:38

0 Answers
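The checks from the resolution comment above (the service principal must hold a role on the resource group actually being deployed to, and the YAML file must be present under `System.DefaultWorkingDirectory`), written as a pre-flight for the inline script. This is an added example, not part of the original post: `rg_scope`, `has_role_on_scope` and `preflight` are hypothetical helper names, and it assumes the task exports `servicePrincipalId` (the "Access SP details in script" option) and that `System.DefaultWorkingDirectory` reaches the script as the `SYSTEM_DEFAULTWORKINGDIRECTORY` environment variable.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumed names: myRG and
# myContainerInstance.yml (from the question); servicePrincipalId is exported
# by the Azure CLI task when service principal details are made available.

# ARM scope of a resource group; note the /resourceGroups/ segment.
rg_scope() {  # $1 = subscription id, $2 = resource group
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# 0 if the principal holds a role at the scope (directly or inherited).
has_role_on_scope() {  # $1 = principal id, $2 = scope
  local roles
  roles=$(az role assignment list --assignee "$1" --scope "$2" \
    --include-inherited --query '[].roleDefinitionName' -o tsv) || return 2
  [ -n "$roles" ]
}

# Prints the resolved YAML path on success; distinct return code per failure.
preflight() {  # $1 = resource group, $2 = YAML file name
  local rg file sub scope
  rg="$1"
  file="${SYSTEM_DEFAULTWORKINGDIRECTORY:-.}/$2"
  if [ ! -f "$file" ]; then
    echo "preflight: $file missing; was the artifact downloaded?" >&2
    return 10
  fi
  if [ -z "${servicePrincipalId:-}" ]; then
    echo "preflight: servicePrincipalId not exported by the task" >&2
    return 11
  fi
  sub=$(az account show --query id -o tsv) || return 12
  if [ "$(az group exists --name "$rg")" != "true" ]; then
    echo "preflight: resource group $rg not visible in subscription $sub" >&2
    return 13
  fi
  scope=$(rg_scope "$sub" "$rg")
  if ! has_role_on_scope "$servicePrincipalId" "$scope"; then
    echo "preflight: $servicePrincipalId holds no role on $scope" >&2
    return 14
  fi
  printf '%s\n' "$file"
}

# Inline-script usage: preflight.sh myRG myContainerInstance.yml
if [ "$#" -ge 2 ]; then
  yml=$(preflight "$1" "$2") || exit $?
  az container create --resource-group "$1" --file "$yml"
fi
```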