
I have a pipeline which executes a kv_check.yaml script saved in another Project. The kv_check.yaml script has an AzureCLI@2 Task which already has a Service Connection as Input. When I run the kv_check.yaml directly from its project, everything is working fine. However, when I call kv_check.yaml as a template from a pipeline in different project, I am getting the following error:

There was a resource authorization issue: "The pipeline is not valid. Job KeyVaultCheck: Step AzureCLI input connectedServiceNameARM references service connection SC1234 which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."

This is my kv_check.yaml script:

parameters:
- name: WebhookURL
  type: string
- name: KeyVaultsToCheck
  type: string

jobs:
  - job: KeyVaultCheck
    displayName: 'KeyVault Check'
    steps:
      - checkout: self
      - task: AzureCLI@2
        displayName: 'Scanning KeyVaults'
        inputs:
          azureSubscription: '$(GLOBAL_SERVICE_CONNECTION)'
          scriptType: 'pscore'
          scriptLocation: 'scriptPath'
          scriptPath: 'helper_scripts/check_kv.ps1'
          arguments: '-WebhookURL "${{ parameters.WebhookURL }}" -KeyVaultsToCheck "${{ parameters.KeyVaultsToCheck }}"'
        env:
          GLOBAL_SUBSCRIPTION: $(GLOBAL_SUBSCRIPTION) 

And this is the pipeline where I am calling kv_check.yaml as a template:

trigger:
  branches:
    include:
    - develop
    - qa
    - production
  paths:   
    exclude: 
    - build_template/
    - ./*.md
    - tests/

pool:
  vmImage: 'ubuntu-20.04'

resources:
  repositories:
  - repository: templates
    type: git
    name: PLATFORM/pipeline-templates
    ref: develop

variables:
  - template: /variables/vars-global.yaml@templates
  - ${{ if eq(variables['build.SourceBranchName'], 'develop') }}:
    - template: /build_template/vars-dev.yaml
  - ${{ if eq(variables['build.SourceBranchName'], 'qa') }}:
    - template: /build_template/vars-qas.yaml
  - ${{ if eq(variables['build.SourceBranchName'], 'production') }}:
    - template: /build_template/vars-run.yaml
  - name: VAR_KEYVAULT # optional: add keyvaults here to be scanned (e.g. "kv1,kv2,kv3")
    value: "kv1,kv2"
  - name: VAR_WEBHOOK_URL
    value: "https://logic.azure.com/xxxxxxxxxxx"

schedules:
- cron: "0 0 15 * *"
  displayName: Monthly build
  branches:
    include:
    - develop


stages:
  - stage: CheckKeyVault
    jobs:
      - template: templates/Apps/kv_check.yaml@templates
        parameters:
          WebhookURL: $(VAR_WEBHOOK_URL)
          KeyVaultsToCheck: $(VAR_KEYVAULT)

The Service Connection value is stored in the GLOBAL_SERVICE_CONNECTION variable in the vars-global.yaml file, which I have already called in the above pipeline under Variables.

I did try clicking on the ‘Authorize Resource’ button on the Pipeline page but that didn't work, and under Project Settings on Service Connections there is also nothing to Authorize.

Is there a behaviour of Service Connections which I am missing, or am I doing something wrong?

2 Answers


  1. Pipelines running within an Azure DevOps project can only use the service connections from the same project and cannot use those from another project.

    When a pipeline calls templates from another project, it also cannot use the service connections from that project.

    For your case, you need to ensure the service connections used by the pipeline are defined and accessible within the same project as the pipeline.

  2. "as a template from a pipeline in different project"

    Since you are running your pipeline from a new project entirely different from the original project where the existing service connection was created, it will not be listed as a service connection in the project.

    You can either recreate it as a new service connection or share the existing one with the new project if both are in the same Azure DevOps organization.

    I would strongly advise you to share the service connection rather than create a new one, for centralized management.

    Here are the steps you may use to do this.

    • From the original project, select the existing service connection, from the screenshot my project is (Infrastructure As A Code)

    • Select the 3 dots ... in the upper right corner on the service connection, next to the Edit button and Select security.

    • Find the Project Permission and hit the plus button

    • Select the project where you want to share the service connection to and okay the information popped up, from the screenshot my project is (Pretty Service)

    • Confirm it worked just fine. When you go to the other project you can now see the shared service connection.

    Let me know if you have more questions or concerns.

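Added example, not part of either answer and not Microsoft's code: a check of which projects a service connection is shared with, run over a constructed sample shaped like the Azure DevOps `serviceendpoint/endpoints` REST response. It reports both the missing share that produces the authorization error in the question and shares that go further than intended. SC1234 and PLATFORM are taken from the question; the projects APP and SANDBOX, the connection SC-local and all ids are assumptions.

```python
import json

# Constructed sample shaped like the Azure DevOps REST response of
#   GET https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/endpoints
# SC1234 and PLATFORM come from the question; APP, SANDBOX, SC-local and the ids are made up.
SAMPLE = json.loads("""
{"count": 2, "value": [
  {"id": "00000000-0000-0000-0000-000000000001", "name": "SC1234", "isShared": true,
   "serviceEndpointProjectReferences": [
     {"name": "SC1234", "projectReference": {"id": "p-1", "name": "PLATFORM"}},
     {"name": "SC1234", "projectReference": {"id": "p-3", "name": "SANDBOX"}}]},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "SC-local", "isShared": false,
   "serviceEndpointProjectReferences": [
     {"name": "SC-local", "projectReference": {"id": "p-1", "name": "PLATFORM"}}]}
]}
""")


def resolves_in(response, connection_name, project):
    """True if a pipeline in `project` can reference `connection_name`.

    Each project reference carries the name the connection has in that project.
    """
    for ep in response["value"]:
        for ref in ep.get("serviceEndpointProjectReferences") or []:
            if ref["projectReference"]["name"] == project and ref.get("name") == connection_name:
                return True
    return False


def audit(response, expected):
    """Compare actual shares with `expected` (connection name -> set of project names).

    missing: a pipeline in that project fails with the authorization error.
    unexpected: a project can use credentials it was not meant to have.
    """
    missing, unexpected = [], []
    for ep in response["value"]:
        refs = ep.get("serviceEndpointProjectReferences") or []
        actual = {r["projectReference"]["name"] for r in refs}
        wanted = expected.get(ep["name"], set())
        missing += [(ep["name"], p) for p in sorted(wanted - actual)]
        unexpected += [(ep["name"], p) for p in sorted(actual - wanted)]
    return {"missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    print(resolves_in(SAMPLE, "SC1234", "APP"))
    print(audit(SAMPLE, {"SC1234": {"PLATFORM", "APP"}, "SC-local": {"PLATFORM"}}))
```

Every project a connection is shared with can run pipelines under that connection's Azure identity, so the `unexpected` list is the one to review when sharing instead of recreating.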