The Service connection does not exist, has been disabled or has not been authorized for use
I have a pipeline which executes a kv_check.yaml script saved in another Project. The kv_check.yaml script has an AzureCLI@2 Task which already has Service Connection as Input. When I run the kv_check.yaml directly from its project, everything is working fine, However when I can call kv_check.yaml as a template from a pipeline in different project, I am getting the following error:
There was a resource authorization issue: "The pipeline is not valid. Job KeyVaultCheck: Step AzureCLI input connectedServiceNameARM references service connection SC1234 which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."
this is my kv_check.yaml script:
- name: WebhookURL
type: string
- name: KeyVaultsToCheck
type: string
jobs:
- job: KeyVaultCheck
displayName: 'KeyVault Check'
steps:
- checkout: self
- task: AzureCLI@2
displayName: 'Scanning KeyVaults'
inputs:
azureSubscription: '$(GLOBAL_SERVICE_CONNECTION)'
scriptType: 'pscore'
scriptLocation: 'scriptPath'
scriptPath: 'helper_scripts/check_kv.ps1'
arguments: '-WebhookURL "${{ parameters.WebhookURL }}" -KeyVaultsToCheck "${{ parameters.KeyVaultsToCheck }}"'
env:
GLOBAL_SUBSCRIPTION: $(GLOBAL_SUBSCRIPTION)
and this is the pipeline where I am calling kv_check.yaml as a template
branches:
include:
- develop
- qa
- production
paths:
exclude:
- build_template/
- ./*.md
- tests/
pool:
vmImage: 'ubuntu-20.04'
resources:
repositories:
- repository: templates
type: git
name: PLATFORM/pipeline-templates
ref: develop
variables:
- template: /variables/vars-global.yaml@templates
- ${{ if eq(variables['build.SourceBranchName'], 'develop') }}:
- template: /build_template/vars-dev.yaml
- ${{ if eq(variables['build.SourceBranchName'], 'qa') }}:
- template: /build_template/vars-qas.yaml
- ${{ if eq(variables['build.SourceBranchName'], 'production') }}:
- template: /build_template/vars-run.yaml
- name: VAR_KEYVAULT # optional: add keyvaults here to be scanned (z.B. "kv1,kv2,kv3")
value: "kv1,kv2"
- name: VAR_WEBHOOK_URL
value: "https://logic.azure.com/xxxxxxxxxxx"
schedules:
- cron: "0 0 15 * *"
displayName: Monthly build
branches:
include:
- develop
stages:
- stage: CheckKeyVault
jobs:
- template: templates/Apps/kv_check.yaml@templates
parameters:
WebhookURL: $(VAR_WEBHOOK_URL)
KeyVaultsToCheck: $(VAR_KEYVAULT)
The Service Connection value is stored in GLOBAL_SERVICE_CONNECTION variable in vars-global.yaml file which I have already called in the above pipeline under Variables.
I did try clicking on 'Authorize Resource' button on Pipeline page but that didnt work and under Project Settings on Service Connections, there is also nothing to Authorize.
Is there is a behaviour of Service Connection which I am missing or I am doing something wrong?
as a template from a pipeline in different project
Since you are running your pipeline from a new project entirely different from the original project where the existing service connection was created, it will not be listed as an service connection in the project.
You can either recreate it as a new service connection or share the existing one with the new project if both are in the same Azure DevOps organization.
I would strongly advise you share service connection rather than create a new one for centralize management.
Here are the steps you may use to do this.
- From the original project, select the existing service connection, from the screenshot my project is (Infrastructure As A Code)
- Select the 3 dots
...in the upper right corner on the service connection, next to theEditbutton and Select security.
Find the Project Permission and hit the plus button
Select the project where you want to share the service connection to and okay the information popped up, from the screenshot my project is (Pretty Service)
- Confirm it worked just fine, When you go to the other project you can now see the shared service connection.
Let me know if you have more questions or concerns.
- Get All Pipeline Parameters Through Azure DevOps REST API
- Create a counter variable in Azure Devops for every pipeline successful run
- Use script file in Azure Devops yaml deployment pipeline
- How to properly use Azure Function Build and Deploy in Azure DevOps with multiple projects
- Azure devops - build number vs build id
- Run script on Azure VM Scale Set when deprovisioning
- Azure Pipeline to trigger Pipeline using YAML
- Make Azure Keyvault secrets available in entire pipeline
- Cannot authorize variable group in Azure Pipelines
- How to set up a simple Next.js web app with CI/CD on Azure?
- How to override the object and array parameters in the Arm template?
- Azure DevOps Oryx build of my ReactJS app fails with 'unable to resolve' error
- Secret Pipeline Parameter in Azure Devops
- Build validation on Azure DevOps branch: YAML in different repository?
- Azure Devops yml pipeline if else condition with variables
- How to Generate .AAB file and Sign Android app Bundle using azure pipeline
- Azure DevOps Yaml pipeline - GitVersionfor additional repository
- Azure Web App Cannot Access Azure Container Registry Using Managed Identity
- Azure pipeline - run shell script on the remote server
- How to Enable Docker layer caching in Azure DevOps
- Notification send when second pipeline run completes
- Variable evaluates fine for displayName but not for condition, why is that?
- Not possible to use containers in Azure Pipelines self-hosted agents deployed as Azure K8s pods
- Triggering 2nd Azure Pipeline After Successful Run on 1st pipeline
- Unexpected value 'condition'
- mvn release + azure pipeline - deploy
- Azure DevOps Pipeline trying to access Git: you do not have permissions error
- Azure DevOps - More Than One Build Agent?
- How to deploy .NET Core 3.1 project to webjob?
- How to securely login in Az CLI from a DevOps Pipeline