[SOLVED] Multi-stage YAML Pipeline: Requires approval for service connection not used in stage

Multi-stage YAML Pipeline: Requires approval for service connection not used in stage

I have configured approvals on service connections. Documentation states:

A stage can consist of many jobs, and each job can consume several resources. Before the execution of a stage can begin, all checks on all the resources used in that stage must be satisfied. Azure Pipelines pauses the execution of a pipeline prior to each stage, and waits for all pending checks to be completed.

I have two pipelines, sharing a template for the first stage.

Pipeline 1:

parameters:
  - name: environmentName
    type: string
    default: 'bla'
    values:
      - 'bla'
      - 'blubb'

variables:
  - name: [...]
    value: [...]

trigger:
  - none

pool:
  name: [...]

name: [...]

stages:
  - stage: build
    jobs:
      - template: build-stage.yml

Pipeline 2:

parameters:
  - name: environmentName
    type: string
    default: 'bla'
    values:
      - 'bla'
      - 'blubb'

variables:
  - name: [...]
    value: [...]
  - group: ${{ parameters.environmentName }}KeyVault

trigger:
  - none

pool:
  name: [...]

name: [...]

stages:
  - stage: build
    jobs:
      - template: build-stage.yml

  - stage: deploy
    dependsOn: build
    jobs:
      - template: deploy-stage.yml

build-stage.yml does not use any service connections, deploy-stage.yml' uses a service connection that requires an approval.

When running Pipeline 1, no approval is required. When running Pipeline 2, two approval are required - one for the build stage and one for the deploy stage.

Any ideas why Pipeline 2 requires two approvals?

Thanks to Kevin's question, I realized that during the job preparation (therefore also visible in the logs), the service connection is used to retrieve the variables of the variable group.

Moving the variable group to the deployment stage leads to only one approval- (see also this question)

Edit 1: additional information on pipelines

Edit 2: solution

Solution

Any ideas why Pipeline 2 requires two approvals?

The details you provided about the pipeline are vague, but I can assume that there are multiple resources used by the pipeline that require approval - not only the service connection you mentioned, but eventually other resources such as environments, other service connections, agent pools, variable groups, etc.

All these details are mentioned in the documentation link you provided.