Search code examples
azureazure-resource-managerazure-virtual-networkazure-deploymentazure-resource-group

Azure Devops Service Connection failing on vnet peering on remote network, permissions issue?

Running into an error with a deployment failing when pushing it out through an Azure Devops Release Pipeline creating a vnet peering.

I'm able to successfully push out the deployment as my own account (with permissions across both subscriptions) using New-AzResourceGroupDeployment and it deploys with no issues.

I'm guessing it's down to the account not having permissions in the remote vnet as it's tied to just the first subscription. Any one any ideas of a way around this one?

Here's the redacted error I get from the failed deployment:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. 
Please see https://aka.ms/DeployOperations for usage details.",
"details":[{"code":"Forbidden","message":"{\r\n \"error\": {\r\n \"code\": \"LinkedAuthorizationFailed\",\r\n \"message\": \"The client 'myClientID' with object id 'myObjectID' has permission to perform action 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write' on scope '/subscriptions/mySubid/resourcegroups/mylocalResourceGroup/providers/Microsoft.Network/virtualNetworks/mylocalResourceGroup-vnet/virtualNetworkPeerings/mylocalResourceGroup-vnetTouks-myRemoteResourceGroup-vnet'; 
however, it does not have permission to perform action 'peer/action' on the linked scope(s) '/subscriptions/myRemoteSubId/resourceGroups/myremoteResourceGroup/providers/Microsoft.Network/virtualNetworks/myremoteResourceGroup-vnet' or the linked scope(s) are invalid.\"\r\n }\r\n}"}]}

Not too sure how I go about granting the service connection in my local user group permisions on the remote network?

Got this link to the permissions but not sure how to add them (network contributor) to the service connection https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#permissions

Solution

  • You can grant user access to Azure resources using RBAC. Access control (IAM) is the blade that you use to assign roles to grant access to Azure resources. If you're using an account that has permissions to both subscriptions, you can use the same account for all steps in VNet to VNet peering refer to these steps https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#portal

    On the portal: enter image description here

    With Powershell: 

    # Assign UserB permissions to myVnetA.
New-AzRoleAssignment `
  -SignInName UserB@azure.com `
  -RoleDefinitionName "Network Contributor" `
  -Scope /subscriptions/<SubscriptionA-Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/VirtualNetworks/myVnetA

    Furthermore, to add a user account to a different subscription in the different Azure AD tenant, you need to add the user as guest users in that tenant first. Then you can grant the user permission.