Azure DevOps Pipeline Unable to work with ARM template deployment yaml template for Azure Data Factory Build Pipeline


I am attempting to execute a Pipeline which uses the ARM template deployment to execute pipelines to Azure.

The yaml script is as follows:

- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    azureResourceManagerConnection: 'NewAzureConnection'
    subscriptionId: 'xxxxxx-xxxx-xxx-xxxxxxxx03'
    action: 'Create Or Update Resource Group'
    resourceGroupName: '$(ResourceGroupUAT)'
    location: '$(Location)'
    templateLocation: 'Linked artifact'
    csmFile: '$(System.DefaultWorkingDirectory)/adf-xxxxabric-dev/ARMTemplateForFactory.json'
    csmParametersFile: '$(System.DefaultWorkingDirectory)/adf-xxxxxx-dev/ARMTemplateParametersForFactory.json'
    overrideParameters: '-factoryName $(DataFactoryUAT)'
    deploymentMode: 'Incremental'

The full script is as follows:

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- adf_publish

pool:
  vmImage: ubuntu-latest
steps:
- script: |
    tree $(System.DefaultWorkingDirectory)
  displayName: Show file structure of System.DefaultWorkingDirectory during a build


- task: AzurePowerShell@5
  inputs:
    azureSubscription: 'NewAzureConnection'
    ScriptType: 'FilePath'
    ScriptPath: '$(System.DefaultWorkingDirectory)/adf-xxxxx-xxxxx-dev/PrePostDeploymentScript.ps1'
    ScriptArguments: '-armTemplate "$(System.DefaultWorkingDirectory)/adf-xxxx-xxxx-dev/ARMTemplateForFactory.json" -ResourceGroupName $(ResourceGroupUAT) -DataFactoryName $(DataFactoryUAT) -predeployment $true -deleteDeployment $false'
    azurePowerShellVersion: 'LatestVersion'

- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    azureResourceManagerConnection: 'NewAzureConnection'
    subscriptionId: 'xxxxxx-xxxx-xxx-xxxxxxxx03'
    action: 'Create Or Update Resource Group'
    resourceGroupName: '$(ResourceGroupUAT)'
    location: '$(Location)'
    templateLocation: 'Linked artifact'
    csmFile: '$(System.DefaultWorkingDirectory)/adf-xxxxabric-dev/ARMTemplateForFactory.json'
    csmParametersFile: '$(System.DefaultWorkingDirectory)/adf-xxxxxx-dev/ARMTemplateParametersForFactory.json'
    overrideParameters: '-factoryName $(DataFactoryUAT)'
    deploymentMode: 'Incremental'

When I run the pipeline, it fails on the task: AzureResourceManagerTemplateDeployment@3 with the following error: ##[error]Failed to check the resource group status. Error: {"statusCode":403}

Any thoughts on what is causing the error?

The ARM Template Settings are as follows: [screenshot]

I added 'Data Factory Contributor' to the Subscription and the original problem was resolved, but I now have the following issue:

[screenshot]


Solution

  • error: ##[error]Failed to check the resource group status. Error: {"statusCode":403}

    The error means the service principal used in your Azure DevOps service connection does not have enough permission to perform the action.

    To solve the issue, you need to add an Azure RBAC role for the service principal.

    You can navigate to the Project Settings -> Service connections -> find the service connection you used -> select Manage service connection roles.

    Then it will open a page for the Azure subscription in the Azure portal. Navigate to Access control (IAM) and add the service principal with the Contributor role. This is the Azure Subscription level Contributor.

    Or you can navigate to the target Resource Group -> Access control (IAM) and grant the Contributor role to Service Principal. This is the Resource Group level Contributor.

    Then you can re-run the Pipeline to deploy the ARM template in Azure Pipeline.

    Note: To assign the role to your service principal, your user account needs to have an RBAC role such as Owner or User Access Administrator.
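
An added example (not part of the original answer): given the JSON that `az role assignment list --assignee <id> --all -o json` prints, it checks whether the service connection's principal holds Contributor (or Owner) at a scope covering the target resource group, and reports whether that grant sits at resource-group or subscription level. The sample assignments, IDs and resource group names are constructed placeholders, and grants inherited from management groups are not resolved.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee <id> --all -o json`.
# Subscription ID, principal IDs and resource group names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.loads("""[
  {"principalId": "sp-object-id", "roleDefinitionName": "Reader", "scope": "SUB"},
  {"principalId": "sp-object-id", "roleDefinitionName": "Contributor",
   "scope": "SUB/resourceGroups/rg-dev"},
  {"principalId": "other-id", "roleDefinitionName": "Owner", "scope": "SUB"}
]""".replace("SUB", SUB))


def covers(assignment_scope, target_scope):
    """True when a role assigned at assignment_scope is inherited by target_scope."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    # Compare whole path segments so rg-dev does not match rg-dev2.
    return t == a or t.startswith(a + "/")


def scope_level(scope):
    """Name the level of a scope that covers a resource group."""
    segments = [s for s in scope.split("/") if s]
    return {0: "root", 2: "subscription", 4: "resource group"}.get(len(segments), "other")


def deploy_grants(assignments, principal_id, rg_scope, roles=("Contributor", "Owner")):
    """Assignments letting principal_id deploy into rg_scope, narrowest scope first."""
    hits = [(a["roleDefinitionName"], a["scope"], scope_level(a["scope"]))
            for a in assignments
            if a["principalId"] == principal_id
            and a["roleDefinitionName"] in roles
            and covers(a["scope"], rg_scope)]
    return sorted(hits, key=lambda h: len(h[1]), reverse=True)


def diagnose(assignments, principal_id, rg_scope):
    """One-line verdict for the service principal against one resource group."""
    grants = deploy_grants(assignments, principal_id, rg_scope)
    if not grants:
        return f"missing: no Contributor or Owner assignment covers {rg_scope}"
    role, scope, level = grants[0]
    return f"ok: {role} at {level} level ({scope})"


if __name__ == "__main__":
    for rg in ("rg-dev", "rg-uat"):
        print(diagnose(SAMPLE, "sp-object-id", f"{SUB}/resourceGroups/{rg}"))
```

A subscription-level result means the principal can modify every resource group in that subscription; a resource-group-level result confines the pipeline to the one group it deploys into.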