azure-devops azure-pipelines azure-pipelines-release-pipeline

After creating a deployment pipeline specifying the resource name, all existing pipelines now require permission to deploy


We have several YAML pipelines using the same deployment environment. A new pipeline has just been created using YAML that specifies the resource name (as well as the environment), as we want to deploy to one VM only within that environment. This is the first pipeline we have created that specifies the resource name explicitly. All previous ones deploy to the whole environment.

      displayName: Deploy
      environment:
        name: 'NonProd'
        resourceName: 'Kermit'
        resourceType: VirtualMachine

Since creating this pipeline, when running any of the other pipelines in the same environment, we are now asked to permit access to a resource before the deploy step can start. All other pipelines have been previously given permission to run in the NonProd environment.


I am struggling to understand what has changed to cause this to happen.

I am unable to find the resource that this message refers to. Therefore, I am unable to grant all current pipelines access, without running them individually. The message states Agent pool, but we have no agent pool with that name. I do know that environment 14 is the NonProd environment - but there is no resource with that name inside the environment either.

I can only assume that something has fundamentally changed in the NonProd environment, by running a pipeline that deploys only to one VM; and that the resource it is looking for is linked to that environment.

I would have hoped to have at least found the resource that the pipelines are now requiring access to.

I have tried looking for the resource in question both in the Environment and the Agent Pool. I have also tried using the graph API to locate the resource - to no avail.

Does anyone know what resource it is that the pipelines require access to - and if there is a way to globally grant all pipelines access to this resource?


Solution

  • Update

    To globally grant all pipelines access to this deployment pool resource, I had a test with this API and managed to grant permissions for all pipelines to use the deployment pool with the sample PowerShell script below.

    $organization = "YourADOOrgName"
    $project = "TheProjectName"
    $MyPat = 'xxxPersonalxxxAccessxxxTokenxxx'
    $B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
    $headers = @{
        'Authorization' = 'Basic ' + "$B64Pat"
        'Content-Type' = 'application/json'
    }
    
    $URL = "https://dev.azure.com/$organization/$project/_apis/pipelines/pipelinePermissions/agentpool/<deploymentPoolId>?api-version=7.1-preview.1"
    
    $body = @"
    {
        "allPipelines": {
            "authorized": true
        }
    }
    "@
    
    Invoke-RestMethod -Method PATCH -Uri $URL -Headers $headers -Body $Body
    
    

    Please replace the deployment pool id in the placeholder with its actual value. We can find the deployment pool Id from the URL of the deployment pool corresponding to the NonProd environment in the Organization Settings.



    I could reproduce the issue that once a YAML pipeline had explicitly configured the deployment job to run on a VM resource from an environment, all the old or new pipelines with deployment jobs referencing this environment would ask for permission to use the environment's corresponding deployment pool, even if the deployment jobs were NOT selecting Virtual machine resources to consume that pool.

    For this, you may report the issue with reproducing steps in Developer Community - Azure DevOps, where the support team can engage the engineering group for further assistance and insights.

    As a workaround at the moment to grant permissions for pipeline(s) to use that deployment pool without having to run them, you may use the request in the script below. Here is the sample PowerShell script for your reference (replace the placeholders of <deploymentPoolId> and <pipelineDefinitionIdOne> with the respective values from the URLs of your deployment pool and pipeline(s)).

    $organization = "YourADOOrgName"
    $project = "TheProjectName"
    $MyPat = 'xxxPersonalxxxAccessxxxTokenxxx'
    $B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
    $headers = @{
        'Authorization' = 'Basic ' + "$B64Pat"
        'Content-Type' = 'application/json'
    }
    
    $URL = "https://dev.azure.com/$organization/$project/_apis/pipelines/pipelinePermissions/agentpool/<deploymentPoolId>?api-version=7.1-preview.1"
    
    $body =@"
    {
        "pipelines":[
            {
                "id": <pipelineDefinitionIdOne>,
                "authorized":true
            },
            {
                "id":<pipelineDefinitionIdTwo>,
                "authorized":true
            }
        ]
    }
    "@
    
    Invoke-RestMethod -Method PATCH -Uri $URL -Headers $headers -Body $Body
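
An added example, not part of the original answer: before granting `allPipelines` access, a GET on the same `pipelinePermissions` endpoint shows which pipelines are already authorized for the deployment pool, and the open grant can be withdrawn afterwards if per-pipeline grants are preferred. Assumptions: the PAT is read from an `AZDO_PAT` environment variable (a name chosen here) instead of being stored in the script, `$RevokeOpenAccess` is a hypothetical switch, and the revoke step assumes the endpoint accepts `"authorized": false` in the same body shape the answer uses.

```powershell
# Added example (not from the original answer): audit, then optionally tighten,
# pipeline access to the environment's deployment pool.
# Assumption: the PAT is read from an AZDO_PAT environment variable (name chosen here).
$organization = "YourADOOrgName"
$project      = "TheProjectName"
$poolId       = "<deploymentPoolId>"   # same placeholder as in the answer
$RevokeOpenAccess = $false             # hypothetical switch: $true removes the all-pipelines grant

if (-not $env:AZDO_PAT) { throw "Set the AZDO_PAT environment variable first." }
$B64Pat  = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$($env:AZDO_PAT)"))
$headers = @{ 'Authorization' = "Basic $B64Pat" }

$URL = "https://dev.azure.com/$organization/$project/_apis/pipelines/pipelinePermissions/agentpool/${poolId}?api-version=7.1-preview.1"

# GET on the endpoint the answer PATCHes returns the current authorization state.
$current = Invoke-RestMethod -Method GET -Uri $URL -Headers $headers

# A missing allPipelines entry is treated as "not open to all".
$openToAll = [bool]$current.allPipelines.authorized
Write-Output "Deployment pool $poolId open to all pipelines: $openToAll"

# Pipelines that were granted access individually.
$current.pipelines |
    Where-Object { $_.authorized } |
    Select-Object id, authorizedOn |
    Format-Table -AutoSize

if ($openToAll -and $RevokeOpenAccess) {
    # Same request shape as the answer's first script, with the flag inverted.
    $body = @{ allPipelines = @{ authorized = $false } } | ConvertTo-Json
    Invoke-RestMethod -Method PATCH -Uri $URL -Headers $headers `
        -ContentType 'application/json' -Body $body
}
```

Pipelines listed individually keep their access after the open grant is removed; any other pipeline is prompted for permission again on its next run.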