Parameterize azureSubscription from variable group in yaml pipeline

Question

I'm using Yaml for Azure devops pipeline. I am using a hierarchical style for that.

I'm having one top level yaml: feature.yaml which has following structure:

trigger:
...
pool:
  vmImage: ...
  
variables:
  group: ...

stages:
  - template: deploy.yaml
    parameters:
      subName: $(subscription) #This should be taken from Variable group

I have deploy.yaml as:

stages:
    - stage: deploy
      jobs:
        - job: deploy
          steps:
          - task: AzureKeyVault@1
            inputs:
              azureSubscription: $(paramaters.subName) #This should be resolved from parameter passed form feature.yaml
              KeyVaultName: ...
              SecretsFilter: '*'
              RunAsPreJob: true

However, whenever I run this from Azure DevOps, I'm getting this error:

There was a resource authorization issue: "The pipeline is not valid. Job deploy: Step AzureKeyVault input ConnectedServiceName references service connection $(paramaters.subName) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."

It seems pipeline is not able to resolve value of azureSubscription name from variable group.

Any suggestions?

Answer 1

I discovered that when the YAML is initially parsed it expects the variable group to be in scope. I needed to move my variable group to the top of the YAML file and then it found the azure subscription variable. Not what I was expecting.

Answer 2

We had a similar issue to this and it was because we missed off the - in the yaml under variables:

variables:
  group: ...

To:

variables:
  - group: ...

This fixed the issue for us.

Answer 3

for those who are looking for resolution,

Here's what you'll need to do: In the Top-level feature.yaml, Add the desired variable group name and pass in the parameter from the template which has the azure subscription name:

variables:
  - group: xxx

  - template: deploy.yaml
    parameters:
      subName: $(_subscriptionName)

And utilize that parameter in template deploy.yaml:

- task: AzureKeyVault@1
  inputs:
     azureSubscription: ${{ parameters.subName}}
     keyVaultName: xxx
     secretsFilter: '*'

Its a known issue currently that we can not use variable from variable group directly to azureSubscription input of AzureKeyVault task as per this thread.

Thi work around should work fine!

Answer 4

I think you have to define the parameters in the deploy.yaml!

https://learn.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=example%2Cparameter-schema