Tags: azure-devops, azure-pipelines, azure-deployment

Unable to deploy to Azure Subscription without a valid service connection


I am trying to deploy my flask app and I am running into an error. The build works, but the deployment step fails.

I am getting an error: There was a resource authorization issue The pipeline is not valid. Job DeploymentJob Step input azureSubscription references service connection <service connection> which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz.

I tried to make a new service connection App Registration (recommended) and it pushes me to use managed identity and can't get any further. I am a student and my Azure Subscription is associated with my school's domain.

My pipeline looks like this:

- stage: Deploy
  displayName: 'Deploy Web App'
  dependsOn: Build
  condition: succeeded()
  jobs:
  - deployment: DeploymentJob
    pool:
      name: $(name)
    environment: $(environmentName)
    strategy:
      runOnce:
        deploy:
          steps:
          - task: UsePythonVersion@0
            displayName: 'Use Python version'   # displayName is a task property, not an input
            inputs:
              versionSpec: '$(pythonVersion)'
 
          - task: AzureWebApp@1
            displayName: 'Deploy Azure Web App : $(webAppName)'
            inputs:
              azureSubscription: $(azureServiceConnectionId)   # name of the Azure Resource Manager service connection
              appName: $(webAppName)
              package: $(Pipeline.Workspace)/drop/$(Build.BuildId).zip

How can I create a valid service connection?


Solution

  • When you activate an Azure offer such as the Azure Benefit for a Visual Studio License or Azure for Students, the Subscription is automatically associated with the Entra ID tenant of the user activating the benefit.

    As you are a student, you are not granted the Global Administrator role for your school's tenant (<school-name>.onmicrosoft.com). Obviously, this is the right thing to do, but without adequate permissions you won't be able to create app registrations, managed identities, etc. in that tenant. No doubt, your school's IT department will not want to create these things for their students, so you'll find yourself in your current predicament.

    An organization can have many Subscriptions, and they are typically organized with Management Groups. This grouping construct allows IT Administrators to automatically add new Subscriptions to a specific management group, to which they can then apply policies concerning their usage.

    If your school hasn't applied a policy that prevents you from creating new Entra ID resources in your subscription, the ideal workaround is to create your own Entra ID tenant and associate it as the default tenant for your Azure Subscription. When you log in, you will continue to use your school's Entra username and password, but you will be the Global Administrator for the new tenant (<your-tenant-name>.onmicrosoft.com).

    Steps to do this:

    1. Create a new Entra Tenant. The standard Entra tenant is free.
    2. Transfer your Azure Subscription to the new Tenant.

    After moving your subscription to the tenant, you'll notice that your school's Entra ID account is the only user account in that tenant. If you're collaborating with other students, you can invite them as guest members. If you have existing Azure Resources in this subscription (I'm assuming you don't), permissions on some resources may break if they refer to user accounts or groups that aren't part of your tenant.

    You'll also notice that in the top-right corner of the Azure portal, you'll have the option to switch directory and toggle between the various tenants (and thus subscriptions) associated with your account.

    (Screenshot: Switch Directory)

    Next, in Azure DevOps, assuming you are logging in using the same Entra account:

    1. Navigate to your Project Settings > Pipelines > Service Connections
    2. Create a new Service Connection of type "Azure Resource Manager"
    3. Use the "App Registration (automatic)" with a credential of "Workload identity federation"

    Azure DevOps should detect the subscriptions available to your account and will do the heavy lifting of creating the App Registration in your new tenant. It will also grant the necessary permissions in the Subscription so that you'll be able to use the service connection to securely deploy from Azure DevOps to your Azure Subscription.

    Once you've authorized your pipeline, please see my other answer. The pool, environment and azureSubscription parameters must be known at compile-time. If you're using the stage outlined above in a template or if the variables aren't defined at the top of the pipeline, you'll likely experience further complications if you use variables for these values.
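An added example, not taken from the question or the answer above, of the Deploy stage rewritten so that the pool, environment and service connection names are fixed before the run is queued. The values are declared as pipeline-level variables and referenced with template expression syntax (`${{ variables.x }}`), which is expanded at compile time, instead of macro syntax (`$(x)`), which is expanded at run time. The variable names other than those already in the question (`poolName`) and all of the placeholder values are assumptions.

```yaml
# Added example (assumed names and placeholder values, not the asker's real pipeline).
# Everything that resource authorization must see (pool, environment, service
# connection) is declared here at the top of the pipeline.
variables:
  azureServiceConnectionId: 'my-azure-rm-connection'   # placeholder: name of the Azure Resource Manager service connection
  environmentName: 'production'                        # placeholder: Azure DevOps environment name
  webAppName: 'my-flask-app'                           # placeholder: App Service name
  pythonVersion: '3.11'                                # placeholder
  poolName: 'my-self-hosted-pool'                      # placeholder: self-hosted agent pool

stages:
- stage: Deploy
  displayName: 'Deploy Web App'
  dependsOn: Build            # assumes a Build stage publishes the 'drop' artifact
  condition: succeeded()
  jobs:
  - deployment: DeploymentJob
    # Template expressions are resolved at compile time, so the authorization
    # check sees literal names rather than unresolved $(...) macros.
    pool:
      name: ${{ variables.poolName }}      # for Microsoft-hosted agents use "vmImage:" instead of "name:"
    environment: ${{ variables.environmentName }}
    strategy:
      runOnce:
        deploy:
          steps:
          - task: UsePythonVersion@0
            displayName: 'Use Python version'
            inputs:
              versionSpec: ${{ variables.pythonVersion }}

          - task: AzureWebApp@1
            displayName: 'Deploy Azure Web App : ${{ variables.webAppName }}'
            inputs:
              azureSubscription: ${{ variables.azureServiceConnectionId }}
              appName: ${{ variables.webAppName }}
              # Pipeline.Workspace and Build.BuildId only exist at run time,
              # so macro syntax is correct for the artifact path.
              package: $(Pipeline.Workspace)/drop/$(Build.BuildId).zip
```

If this stage is moved into a template, pass the service connection, environment and pool names in as template parameters rather than reading them from variables, since parameters are likewise expanded before the run is queued. On the first run Azure DevOps will still prompt once to authorize the named service connection and environment for this pipeline; after that the resource authorization error from the question no longer appears.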