Search code examples
azure-devopsazure-cli

Unable to create new azure service-endpoint of type AWS due to permission while part of Endpoint Creators

I have an org and a project in it for which I want to create a service connector of type AWS within the Azure DevOps pipeline itself.

What I was hoping it works ->

env:
  AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
script: |
  az devops configure -d organization=https://dev.azure.com/${AZ_DO_ORGANIZATION_NAME}/ project=${AZ_DO_PROJECT_NAME}
  az devops service-endpoint create --service-endpoint-configuration service-endpoint.json

and here is my "sample" service-endpoint.json file ->

{
  "administratorsGroup": null,
  "authorization": {
    "parameters": {
      "assumeRoleArn": "",
      "externalId": "",
      "roleSessionName": "",
      "sessionToken": null,
      "username": "SECRET_ACCESS_KEY",
      "password": "ACCESS_KEY_ID"
    },
    "scheme": "UsernamePassword"
  },
  "data": {},
  "description": "",
  "groupScopeId": null,
  "isOutdated": false,
  "isReady": true,
  "isShared": false,
  "name": "AZ_DO_SERVICE_ENDPOINT_NAME",
  "operationStatus": null,
  "owner": "Library",
  "readersGroup": null,
  "serviceEndpointProjectReferences": [
    {
      "description": "",
      "name": "AWS",
      "projectReference": {
        "id": "AZ_DO_PROJECT_ID",
        "name": "AZ_DO_PROJECT_NAME"
      }
    }
  ],
  "type": "AWS",
  "url": https://aws.amazon.com/
}

PS: The caps values contain actual valid values.

When I run it, it tells me this ->

ERROR: You do not have permission to create a service connection. You need to be a Creator for service connections in this project.

But guess what, if I go to "Project Settings" -> "Permissions" -> "Endpoint Creators" and try to add myself, it tells me that I am already part of this group.

Does anyone have any idea what the problem is ?

Thanks!

Solution

  • I can reproduce the same issue when using the same command as yours in Pipeline.

    enter image description here

    From your script sample, you are using the $(System.AccessToken) to authenticate the Azure DevOps CLI command.

    In this case, it will use the Build Service Account to run the Azure DevOps CLI command to create the service connection.

    To solve this issue, you need to grant the Creator Role to the Service Account: projectname Build Service(Organizationname) and Project Collection Build Service(Organizationname) in Project Settings -> Service Connections -> Security.

    enter image description here

    Then you can run the Pipeline again to check if it can work as expected.

    Result:

    enter image description here

    For more detailed info, you can refer to the docs: System.AccessToken and Job authorization scope