The service connection does not exist or has not been authorized for use

Question

I'm trying to create my first release pipeline, however I keep getting this error:

Exception Message: The pipeline is not valid. Job Phase_1: Step AzureResourceGroupDeployment input ConnectedServiceName references service connection which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz. (type PipelineValidationException)

I've tried to follow the instructions in the link, however the "Authorize Resources" button does not exist.

"Allow all pipelines to use this service connection" is already enabled and I have recreated the deployment task after enabling this.

How do I authorise the resource?

Answer 1

I had the same issue, and I initally missed the fact that you need to click the 'Authorize resources' button that appears, as shown below

Also in my case, my pipeline was missing variables that included the correct service connection name. These were set up in a variable group that was already being used by another pipeline. I needed to link them in my new pipeline:

Edit pipeline > select elipsis at top right > triggers > Variables > Variable groups > Link variable group

Answer 2

Microsoft should've changed the naming scheme for task.inputs.azureSubscription.

Example:

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: <SERVICE_CONNECTION_NAME> # Note: azureSubscription != subscriptionName or subscriptionId
    scriptType: bash
    scriptLocation: inlineScript
    workingDirectory: src
    inlineScript: |
      set -ex
      echo "Listing resource groups..."
      az group list
  displayName: 'List resource groups'

Azure docs highlights the following: azureSubscription: # string. Alias: connectedServiceNameARM. Required. Azure Resource Manager connection.

They connectedServiceNameARM alias can be used instead of azureSubscription. Not sure why they just didn't name it serviceConnectionName. Either way, to solve this The service connection does not exist or has not been authorized for use ensure you use the service connection name instead of your subscriptionName or subscriptionID.

Personally, to make things clearer, I'd go with connectedServiceName rather than azureSubscription:

steps:
- task: AzureCLI@2
  inputs:
    connectedServiceNameARM: <SERVICE_CONNECTION_NAME> # Note: azureSubscription != subscriptionName or subscriptionId
    scriptType: bash
    scriptLocation: inlineScript
    workingDirectory: src
    inlineScript: |
      set -ex
      echo "Listing resource groups..."
      az group list
  displayName: 'List resource groups'

Answer 3

A solution suggested on https://techcommunity.microsoft.com/t5/azure-devops/azure-devops-error-some-recent-issues-detected-related-to/m-p/3050626/highlight/true#M270 worked for me.

Edit -> Settings: Point the pipeline file to a different yaml, save, then point back to the correct yaml file

Answer 4

kubernetesServiceConnection-Code-Snapshot. I faced the same issue when tried to pass the service connection value from variable/parameter/library group. If I pass directly then I am not facing this issue.

Solution: When we want to pass the service connection from variable/parameter/library group then make sure the variable key name is the same as required in the task.

For example, I am passing service connection name of a k8s clustr. In the task the key is kubernetesServiceConnection .

Refer to HelmDeploy@0 documentation.

so my variable/parameter name will also be same. For example,

parameters:
   environment: 'inception          
   kubernetesServiceEndpoint: 'abc'

Final Code Snapshot

I hope this helps.

Answer 5

I had a similar problem and noticed that adding a task to run an Azure PowerShell script was also getting a similar error. Turned out that the problem was solved when I verified the service connection twice within the project that was having the problem:

Answer 6

In my case, I was trying to use [AzureAppServiceSettings][1] task, and was using azureSubscription with subscription id in the YAML file.

The YAML file

  - task: AzureAppServiceSettings@1
    displayName: Update App Settings of the Logic App
    inputs:
      azureSubscription: '$(azureSubscriptionId)'
      resourceGroupName: ...
      appName: ...
      appSettings: ...

I got the same error and after clicking Authorise resources, I got error of no plan found for identifier xxxx.

Needed to change my YAML file to use connection name in Azure DevOps.

  - task: AzureAppServiceSettings@1
    displayName: Update App Settings of the Logic App
    inputs:
      azureSubscription: 'Nonprod Connection'
      resourceGroupName: ...
      appName: ...
      appSettings: ...

So Nonprod Connection is one of my service connections in Azure Devops.

After fixing the value of azureSubscription, the pipeline doesn't show up the error anymore.

Answer 7

I was having this error because I was declaring the variable group containing the service connection name at stage level.

The error was fixed once I declared the variable group at pipeline level.

Answer 8

The admittely silly solution for me was to avoid declaring and using the Service Connection as a variable, i.e. in the case of connecting to an Azure Container Registry:

Failed

pool:
  vmImage: 'ubuntu-20.04'

variables:
  dockerRegistryServiceConnection: 'my-service-connection'
  baseContainerUrl: 'myregistry.azurecr.io/my_image:latest'

container:
  image: $(baseContainerUrl)
  endpoint: $(dockerRegistryServiceConnection)

Worked

pool:
  vmImage: 'ubuntu-20.04'

variables:
  baseContainerUrl: 'myregistry.azurecr.io/my_image:latest'

container:
  image: $(baseContainerUrl)
  endpoint: my-service-connection

Answer 9

In "classic release pipelines", a release is a snapshot of a release pipeline, with all the settings of the pipeline materialized, and a deployment is the execution of a pipeline stage in the release.

In our case, a release generating this error during deployment predated a service principal renewal. We could edit the release to use the new service principal and successfully deploy the modified release. The release pipeline did not need modifications.

1. Navigate to the release overview of the relevant release.
   • https://dev.azure.com/<user>/<project>/_releaseProgress?...
2. Select Edit > Edit release.
3. Click Edit tasks for the relevant stage.
4. Select the Azure App Service Deploy step.
5. Choose the correct Azure subscription and App Service name values.
   • These values will likely be the same as in the release pipeline
   • In our case these fields were empty and "needed attention".
6. Click Save.
7. Click Deploy.

The changes persist, so the corrected release can be deployed a second time without incident.

It is unclear whether this applies to YAML pipelines but I would guess no.

Answer 10

You can either use existing Service principal or create a new one. All you need is in documentation already. Create an Azure Resource Manager service connection using automated security

From Azure DevOps -> Project setting -> Service connection: Then click on "New Service Connection".Choose "Azure resource Manager" as type of service connection. Select Service Principal (Automatic). Run your pipeline

Answer 11

My "Service connection" which defined the service principal connection had been created separately to the task in my release pipeline.

In order for "Authorize Resources" to occur, you must create a new connection from the task itself (you may need to use the advanced options to add an existing service principal).

1. under "Azure subscription" click the name of the subscription you wish to use
2. Click the drop down next to "Authorize" and open advanced options
3. Click " use the full version of the service connection dialog."
4. Enter all your credentials and hit save