Use ConnectedServiceNameARM instead of azureSubscription in AzurePowerShell tasks in Azure DevOps YAML pipelines
Don't get fooled into providing an Azure Subscription name to an AzurePowerShell task in an Azure DevOps YAML pipeline just because the input argument is named azureSubscription. It really needs the name of an Azure DevOps Service Connection!
For AzurePowerShell tasks use the ConnectedServiceNameARM input name instead of the misleading azureSubscription alias.
I made a copy of an Azure YAML pipeline I found on the internet as a baseline for what I needed.
In my Azure YAML pipeline I had an AzurePowerShell task like the following:
- task: AzurePowerShell@4
  displayName: Do important stuff
  inputs:
    azureSubscription: '$(AzureSubscriptionName)'
    scriptType: 'FilePath'
    scriptPath: './DoImportantStuff.ps1'
    scriptArguments: '-ImportantDirectory "$(ImportantDirectory)"'
    errorActionPreference: 'stop'
    failOnStandardError: true
    azurePowerShellVersion: 'LatestVersion'
And the pipeline's azureSubscription variable is set to "My Subscription".
In the Azure DevOps project settings, I've set up a Service Connection named "My Service Connection" linked to a service principal that has the permissions needed to do the important stuff.
When I ran the pipeline I got an error like the following:
There was a resource authorization issue: The pipeline is not valid. Job Job: Step AzurePowerShell1 input ConnectedServiceNameARM references service connection My Subscription which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz.
The key part of the error message is:
Step AzurePowerShell1 input ConnectedServiceNameARM references service connection {service connection name} which could not be found.
The problem is that the AzurePowerShell task needs the name of the Azure DevOps Service Connection, not the name of the Azure Subscription.
The docs for the AzurePowerShell task arguments hint at the solution. The description for the ConnectedServiceNameARM argument says:
(Required) name of an Azure Resource Manager service connection for authentication.
Argument alias: azureSubscription
The fix is to provide the name of the Service Connection in Azure DevOps, not the name of the Azure Subscription.
But we should go a step further and avoid confusion later on by using the ConnectedServiceNameARM input name instead of azureSubscription.
Here's the updated task in the pipeline YAML, and I updated the variable name too:
- task: AzurePowerShell@4
  displayName: Do important stuff
  inputs:
    connectedServiceNameARM: '$(AzDoServiceConnectionName)'
    scriptType: 'FilePath'
    scriptPath: './DoImportantStuff.ps1'
    scriptArguments: '-ImportantDirectory "$(ImportantDirectory)"'
    errorActionPreference: 'stop'
    failOnStandardError: true
    azurePowerShellVersion: 'LatestVersion'
And the pipeline's AzDoServiceConnectionName variable is set to "My Service Connection".
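An added example, not part of the original post: a small Python check that finds AzurePowerShell tasks in pipeline YAML, flags the azureSubscription alias, and reports when the resolved value is not a known service connection name, so the mistake is caught before the pipeline runs. The function name lint_pipeline, the variables mapping and the set of service connection names are assumptions supplied by the caller; the sample pipeline is constructed from the task shown in the post.

```python
import re

# Constructed sample: the task from the post before the fix, plus the fixed form.
SAMPLE_PIPELINE = """\
steps:
- task: AzurePowerShell@4
  displayName: Do important stuff
  inputs:
    azureSubscription: '$(AzureSubscriptionName)'
    scriptType: 'FilePath'
- task: AzurePowerShell@4
  displayName: Fixed task
  inputs:
    connectedServiceNameARM: '$(AzDoServiceConnectionName)'
"""

TASK_RE = re.compile(r"^\s*-\s*task:\s*(\S+)")
INPUT_RE = re.compile(
    r"^\s*(azureSubscription|connectedServiceNameARM)\s*:\s*(.+?)\s*$", re.I)
MACRO_RE = re.compile(r"\$\(([^)]+)\)")


def lint_pipeline(yaml_text, variables, service_connections):
    """Hypothetical helper: return (line_no, message) findings.

    variables           -- pipeline variable names mapped to their values
    service_connections -- service connection names known to exist in the
                           project (assumed to be supplied by the caller)
    """
    findings = []
    in_target = False
    for no, line in enumerate(yaml_text.splitlines(), 1):
        task = TASK_RE.match(line)
        if task:
            # Only inspect inputs that belong to an AzurePowerShell task.
            in_target = task.group(1).lower().startswith("azurepowershell@")
            continue
        m = INPUT_RE.match(line) if in_target else None
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip("'\"")
        # Expand $(Name) macros; unknown variables are left as written.
        value = MACRO_RE.sub(
            lambda v: variables.get(v.group(1), v.group(0)), raw)
        if key.lower() == "azuresubscription":
            findings.append(
                (no, "uses alias azureSubscription; prefer ConnectedServiceNameARM"))
        if value not in service_connections:
            findings.append((no, f"'{value}' is not a known service connection"))
    return findings
```

The parser is line-based and only looks at the two input names discussed in the post, so it needs no YAML library.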
Oh, thanks so much for this, it saved my day!