Reputation: 3826
I am trying to create a new pipeline in Azure DevOps. In the configure tab I choose Deploy to Azure Kubernetes Service and select the appropriate values such as Cluster name, namespace, etc.
When I click next, Azure DevOps tries to validate and create the pipeline, but then it displays the following error:
Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation. Ensure that the user has permissions to create an Azure Active Directory Application.
The error is self-explanatory, and it seems like it tries to create an AD App behind the scenes, but the user doesn't have permission to do so.
After doing some research I have been led to believe there are two ways to allow my user to create such a pipeline (but maybe I am wrong):
In the user settings tab of the AD Directory, enable the flag that says "Users can register applications". This option does not work for me, since it then enables everyone to create apps, and that's not what I want.
Is there a way I can create a pipeline in Azure DevOps without having to go through the two options I have described?
Upvotes: 4
Views: 6499
Reputation: 30373
The above error occurs when the user does not have sufficient privileges to create an application in Azure AD. See here.
If you do not want to change "Users can register applications" to Yes, which allows any user in the Azure AD tenant to register an app, you will need to ask your administrator to assign you a proper administrator role that can create and manage all aspects of app registrations.
For example the Application Developer role. See available roles and role permissions.
Users in this role can create application registrations when the "Users can register applications" setting is set to No.
Another workaround is to create the service principal with a user who already has the required permissions in Azure Active Directory. In this way, you will have to configure the pipeline manually without using the Deploy to Azure Kubernetes Service pipeline template.
1. First you will need to create the service connections below:
- Create an Azure Container Registry service connection using the service principal.
- Create a Kubernetes service connection.
2. When creating a new pipeline, select Starter pipeline on the Configure your pipeline page, then add the Docker and Kubernetes tasks to your YAML pipeline. See the examples Build and push to Azure Container Registry and Deploy to Kubernetes.
You can refer to the pipeline example below, and change the variables and settings accordingly.
```yaml
trigger:
- master

resources:
- repo: self

variables:
  # Names of the two service connections created in step 1
  dockerRegistryServiceConnection: 'ACRserviceConnectionName'
  kubernetesServiceConnection: 'kubernetesServiceConnectionName'
  imageRepository: 'nigx'
  containerRegistry: 'leviregistry.azurecr.io'
  dockerfilePath: '**/Dockerfile'
  tag: '$(Build.BuildId)'
  # Kubernetes secret that holds the registry credentials for pulling the image
  imagePullSecret: 'leviregistry8720a6c7-auth'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)

    # Publish the manifests folder as a pipeline artifact for the Deploy stage
    - upload: manifests
      artifact: manifests

- stage: Deploy
  displayName: Deploy stage
  dependsOn: Build

  jobs:
  - deployment: Deploy
    displayName: Deploy
    pool:
      vmImage: $(vmImageName)
    strategy:
      runOnce:
        deploy:
          steps:
          # Create (or update) the imagePullSecret from the ACR service connection
          - task: KubernetesManifest@0
            displayName: Create imagePullSecret
            inputs:
              action: createSecret
              secretName: $(imagePullSecret)
              kubernetesServiceConnection: $(kubernetesServiceConnection)
              dockerRegistryEndpoint: $(dockerRegistryServiceConnection)

          - task: KubernetesManifest@0
            displayName: Deploy to Kubernetes cluster
            inputs:
              action: deploy
              kubernetesServiceConnection: $(kubernetesServiceConnection)
              manifests: |
                $(Pipeline.Workspace)/manifests/deployment.yml
                $(Pipeline.Workspace)/manifests/service.yml
              imagePullSecrets: |
                $(imagePullSecret)
              containers: |
                $(containerRegistry)/$(imageRepository):$(tag)
```
Upvotes: 2
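The answer above has an administrator (or any user who is allowed to register applications) create the service principal by hand, and the pipeline then uses it through two service connections. The script below is an added example, not part of the answer or of any Microsoft documentation: it builds the ARM resource IDs of one registry and one cluster and issues the Azure CLI commands that register the principal with a push-only role on that registry and a cluster-user role on that cluster, so the pipeline identity gets no broader rights than the two tasks need. The subscription ID, resource group, registry and cluster names and the appId are placeholders (constructed values), and the role names are the Azure built-in roles AcrPush and Azure Kubernetes Service Cluster User Role. Commands are printed rather than executed unless DRY_RUN=0 is set, so the script can be run and reviewed without a tenant.

```shell
#!/bin/sh
# Added example (not from the original post): create a least-privilege service
# principal for the manual pipeline setup, scoped to one ACR and one AKS cluster.
# The account running this must itself be allowed to register applications in
# Azure AD; that is exactly the permission the question's user lacks.
set -eu

# ARM resource ID of a container registry (used as a role-assignment scope).
# usage: acr_scope <subscriptionId> <resourceGroup> <registryName>
acr_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s' "$1" "$2" "$3"
}

# ARM resource ID of an AKS cluster.
# usage: aks_scope <subscriptionId> <resourceGroup> <clusterName>
aks_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerService/managedClusters/%s' "$1" "$2" "$3"
}

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Step 1: register the app and its service principal with a push-only role on
# the registry. The appId/password/tenant printed by az are what the Azure
# Container Registry service connection in Azure DevOps needs.
# usage: register_sp <spName> <acrResourceId>
register_sp() {
  run az ad sp create-for-rbac --name "$1" --role AcrPush --scopes "$2"
}

# Step 2: let the same principal fetch user credentials for one cluster only.
# Rights inside the cluster (namespace, deployments, secrets) are then granted
# with Kubernetes RBAC, not with Azure roles.
# usage: grant_cluster_user <appId> <aksResourceId>
grant_cluster_user() {
  run az role assignment create --assignee "$1" \
    --role "Azure Kubernetes Service Cluster User Role" --scope "$2"
}

# Dry-run walkthrough with constructed placeholder values.
SUB=00000000-0000-0000-0000-000000000000   # placeholder subscription ID
RG=rg-demo                                 # placeholder resource group
APP_ID=11111111-1111-1111-1111-111111111111 # placeholder appId from step 1

register_sp sp-aks-pipeline "$(acr_scope "$SUB" "$RG" leviregistry)"
grant_cluster_user "$APP_ID" "$(aks_scope "$SUB" "$RG" aks-demo)"
```

Run it once as-is to read the two commands, then with DRY_RUN=0 (logged in with an account that may register applications) to create the principal; take the appId from the first command's output and pass it to grant_cluster_user. Scoping to the registry and cluster IDs, rather than granting Contributor on the subscription, is the point of doing this by hand instead of letting the template create the app.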
Reputation: 970
What about creating a Service Principal with an existing user who already has the required AAD permission? Then the team can continue using the Service Principal account for managing Azure resources.
Also, I see a similar thread over here: Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation
Upvotes: 0