Reputation: 79
Failed to fetch the list of virtual machines from resource group
In my Azure DevOps release pipeline, I would like to start a VM. So I have an "Azure resource group deployment" task with the action "Start virtual machines". However, when I run this task, I get the error:
"Failed to fetch the list of virtual machines from resource group: ... Error: "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request"
In my VM I already enabled system-assigned managed identity, so I don't know why this error is appearing. Any thoughts?
Upvotes: 0
Views: 608
Answers (1)
Reputation: 3814
You will also need a service connection in Azure DevOps to connect to your Azure subscription using the MSI.
You can configure Azure Virtual Machines (VM)-based agents with an Azure Managed Service Identity in Azure Active Directory (Azure AD). This lets you use the system assigned identity (Service Principal) to grant the Azure VM-based agents access to any Azure resource that supports Azure AD, such as Key Vault, instead of persisting credentials in Azure DevOps for the connection.
In Azure DevOps, open the Service connections page from the project settings page. In TFS, open the Services page from the "settings" icon in the top menu bar.
Choose + New service connection and select Azure Resource Manager.
Choosing a service connection type
Select the Managed Identity Authentication option.
Opening the managed service identity settings
Enter a user-friendly Connection name to use when referring to this service connection.
Select the Environment name (such as Azure Cloud, Azure Stack, or an Azure Government Cloud).
Enter the values for your subscription into these fields of the connection dialog:
- Subscription ID
- Subscription name
- Tenant ID
After the new service connection is created:
- If you are using it in the UI, select the connection name you assigned in the Azure subscription setting of your pipeline.
- If you are using it in YAML, copy the connection name into your code as the azureSubscription value.
- Ensure that the VM (agent) has the appropriate permissions. For example, if your code needs to call Azure Resource Manager, assign the VM the appropriate role using Role-Based Access Control (RBAC) in Azure AD. For more details, see How can I use managed identities for Azure resources? and Use Role-Based Access Control to manage access to your Azure subscription resources.
Upvotes: 0
Related Questions
- Azure DevOps Pipeline error when running docker-compose up
- Azure resources pipeline and repositories hit error
- Pipeline creation with Azure DevOps REST API fails with error "No pool was specified"
- API version 2022-03-01 does not have operation group 'virtual_machine_images'
- Error: "There was a resource authorization issue: The pipeline is not valid."
- Azure devops pipeline failed
- Azure DevOps Pipeline Fail: Sequence was not expected
- Error creating service connection to azure resource manager : azure pipelines
- Is there possibility to get all virtual machines available in Azure DevOps environment?
- Still cannot choose "Virtual Machines" as a resource when adding an environment, while it should be available according to sprint 162 release notes