MakotoE

Reputation: 2109

How to create a service connection for Azure in Azure DevOps (with pictures)

This "service connection" thing in Azure DevOps is quite confusing. I want to create a service connection to be able to connect to Azure and do things like deploy to my App Service through a pipeline.

The problem is, my subscription isn't listed in the drop-down menu, plus I get unhelpful errors like "Failed to obtain the Json Web Token(JWT)" or "Failed to query service connection API ... AuthorizationFailed". What are the steps I need to take in order to create a service connection?

Upvotes: 5

Views: 13109

Answers (1)

MakotoE

Reputation: 2109

Prerequisites

  • An Azure subscription
  • An app service or other resource to create the service connection for

Create App Registration and define roles

What you will need to do first is create an app registration. An app registration is the role-based identity that your pipeline will use for deployment.

In Azure portal, go to Azure Active Directory | App registrations (in sidebar) | New registration.

[Screenshot: App registrations page]

Give a name for the app registration. Don't worry about the other settings; leave them default. Click Register. Pro-tip: Prefixing related resources and entities with your project name (like <project name>-appregistration) will help you quickly find them later.

We need to give your app registration permission to access and deploy to your App Service or whatever resource you wish to deploy to.

Go to the App Service page | Access control (IAM) | + Add | Add role assignment. Fill out the fields:

  • Role: Contributor
  • Assign access to: Azure AD user, group, or service principal
  • Select: search for and select the app registration you just made

Click Save. You should see the app registration get added as a Contributor.

[Screenshot: Access control]

We also need to give read permissions for your subscription. I have no idea why it requires read access to subscriptions, but the connection fails if you don't do this.

Similar to the last step, go to your subscription (the one you are using for your app service) | Access control (IAM) | + Add | Add role assignment.

  • Role: Reader
  • Assign access to: Azure AD user, group, or service principal
  • Select: select the app registration, then save.

Create service connection

Go to your project in Azure DevOps, then Project settings in the sidebar | Service connections | New service connection. Connection type is Azure Resource Manager.

Here is where I got lost before, because this interface doesn't list my subscription. But if it works for you, it should automatically get the correct variables for you, I believe. If it doesn't work, keep reading.

[Screenshot: Azure Resource Manager service connection]

Click "use the full version of the service connection dialog". Here is how to fill out this complicated form.

  • Connection name: choose a name (I suggest <project name>-serviceconnection)
  • Environment: AzureCloud
  • Scope level: Subscription
  • Subscription ID: Get this from your subscription resource (see screenshot)
  • Subscription name: Get this from your subscription resource
  • Service principal client ID: App registration's Application (client) ID
  • Service principal key: In the app registration page, go to Certificates & Secrets.
    • Create a secret and copy the secret value. Expiration date of Never is fine.
    • Do not store this string; you can always create a new one.
  • Tenant ID: App registration's Directory (tenant) ID
  • Allow all pipelines to use this connection checkbox: Turn this on for testing; you can change it later.

[Screenshot: Subscription]

[Screenshot: App registration]

[Screenshot: App registration secret]

Click "Verify connection". It should say "Verified" in green. If the connection failed and you are sure you followed all the steps, wait 10 minutes and try again. After it's verified, you can click OK.

[Screenshot: Verified]

To use the service connection, reference the connection name you gave it earlier, in the correct field of the pipeline task. When you first try to run the pipeline, the build screen might show a message saying the connection isn't authorized.

[Screenshot: Build page]

Click "Authorize resources". You can see authorized pipelines in the Security page of the service connection. Run the build manually via the Queue button.

Now you can use the service connection in your pipeline. Here is a tutorial on deploying Node.js projects.

For reference, this is the documentation on service connections.

Upvotes: 11
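A minimal pipeline that uses a connection created the way the answer describes, as an added example that is not part of the original answer. The connection name `myproject-serviceconnection`, the App Service name `myproject-webapp` and the Node.js build steps are assumptions; the point is that a pipeline task only refers to the connection by name, so the client ID, tenant ID and secret stay inside Azure DevOps and never appear in the YAML.

```yaml
# azure-pipelines.yml (added example; names below are assumptions)
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '18.x'

  - script: |
      npm ci
      npm run build --if-present
    displayName: Build

  - task: ArchiveFiles@2
    inputs:
      rootFolderOrFile: $(System.DefaultWorkingDirectory)
      includeRootFolder: false
      archiveType: zip
      archiveFile: $(Build.ArtifactStagingDirectory)/app.zip

  # azureSubscription is the service connection *name* from Project settings,
  # not the Azure subscription name. The task logs in as the app registration,
  # so this step shows which identity and subscription the connection resolves to.
  - task: AzureCLI@2
    displayName: Show identity used by the service connection
    inputs:
      azureSubscription: myproject-serviceconnection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: az account show --query '{subscription:name, identity:user.name, type:user.type}' -o table

  # Deployment succeeds only because the app registration holds Contributor
  # on this App Service and Reader on the subscription, as set up in the answer.
  - task: AzureWebApp@1
    displayName: Deploy to App Service
    inputs:
      azureSubscription: myproject-serviceconnection
      appType: webAppLinux
      appName: myproject-webapp
      package: $(Build.ArtifactStagingDirectory)/app.zip
```

On the first run the build page may still ask you to authorize the service connection for this pipeline, exactly as the "Authorize resources" step above describes, unless "Allow all pipelines to use this connection" was enabled.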
