We have several Yaml pipelines using the same deployment environment. A new pipeline has just been created using Yaml that specifies the resource name (as well as the environment), as we want to deploy to one VM only within that environment. This is the first pipeline we have created that specifies the resource name explicitly. All previous ones deploy to the whole environment.
displayName: Deploy
environment:
name: 'NonProd'
resourceName: 'Kermit'
resourceType: VirtualMachine
Since creating this pipeline, when running any of the other pipelines in the same environment, we are now asked to permit access to a resource before the deploy step can start. All other pipelines have been previously given permission to run in the NonProd environment.
I am struggling to understand what has changed to cause this to happen.
I am unable to find the resource that this message refers to. Therefore, I am unable to grant all current pipelines access, without running them individually. The message states Agent pool, but we have no agent pool with that name. I do know that environment 14 is the NonProd environment - but there is no resource with that name inside the environment either.
I can only assume that something has fundamentally changed in the NonProd environment, by running a pipeline that deploys only to one VM; and that the resource it is looking for is linked to that environment.
I would have hoped to have at least found the resource that the pipelines are now requiring access to.
I have tried looking for the resource in question both in the Environment and the Agent Pool. I have also tried using the graph API to locate the resource - to no avail.
Does anyone know what resource it is that the pipelines require access to - and if there a way to globally grant all pipelines access to this resource?
To globally grant all pipelines access to this deployment pool resource,
I had a test with this API and managed to grant permissions for all pipelines to use the deployment pool with the sample PowerShell script below.
$organization = "YourADOOrgName"
$project = "TheProjectName"
$MyPat = 'xxxPersonalxxxAccessxxxTokenxxx'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
$headers = @{
'Authorization' = 'Basic ' + "$B64Pat"
'Content-Type' = 'application/json'
}
$URL = "https://dev.azure.com/$organization/$project/_apis/pipelines/pipelinePermissions/agentpool/<deploymentPoolId>?api-version=7.1-preview.1"
$body = @"
{
"allPipelines": {
"authorized": true
}
}
"@
Invoke-RestMethod -Method PATCH -Uri $URL -Headers $headers -Body $Body
Please replace the deployment pool id in the placeholder with its actual value. We can find the deployment pool Id from the URL of the deployment pool corresponding to the NonProd environment in the Organization Settings.
I could reproduce the issue that once a YAML pipeline had explicitly configured the deployment job to run on a VM resource from an environment, all the old or new pipelines with deployment jobs referencing against this environment would ask for permission to use the environment corresponding deployment pool, even if the deployment jobs were NOT selecting Virtual machine resources to consume that pool.
For this, you may report the issue with reproducing steps in Developer Community - Azure DevOps, where the support team can engage the engineering group for further assistance and insights.
As a workaround at the moment to grant permissions for pipeline(s) to use that deployment pool without having to running them, you may use the request in the script below. Here is the sample PowerShell script for your reference (replace the placeholders of <deploymentPoolId>
and <pipelineDefinitionIdOne>
with the respective values from the URLs of your deployment pool and pipeline(s).
$organization = "YourADOOrgName"
$project = "TheProjectName"
$MyPat = 'xxxPersonalxxxAccessxxxTokenxxx'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
$headers = @{
'Authorization' = 'Basic ' + "$B64Pat"
'Content-Type' = 'application/json'
}
$URL = "https://dev.azure.com/$organization/$project/_apis/pipelines/pipelinePermissions/agentpool/<deploymentPoolId>?api-version=7.1-preview.1"
$body =@"
{
"pipelines":[
{
"id": <pipelineDefinitionIdOne>,
"authorized":true
},
{
"id":<pipelineDefinitionIdTwo>,
"authorized":true
}
]
}
"@
Invoke-RestMethod -Method PATCH -Uri $URL -Headers $headers -Body $Body