How to create a service connection for Azure in Azure DevOps with pictures

0 votes
This "service connection" concept in Azure DevOps is perplexing. I want to construct a service connection so that I can connect to Azure and use a pipeline to deploy to my App Service.

My subscription isn't shown in the drop down menu, and I'm getting useless messages like "Failed to retrieve the Json Web Token(JWT)" or "Failed to query service connection API... AuthorizationFailed." What actions do I need to take to establish a service connection?
Mar 23, 2022 in Azure by Edureka
• 13,620 points
8,259 views

1 answer to this question.

0 votes

To create a service connection for Azure in Azure DevOps with pictures, you need to have the following prerequisites:

  • An Azure subscription
  • An app service or other resource to create the service connection for

In Azure portal, go to Azure Active Directory | App registrations (in sidebar) | New registration.

App registrations page

Give a name for the app registration. Don't worry about the other settings; leave them default. Click Register. Pro-tip: Prefixing related resources and entities with your project name (like <project name>-appregistration) will help you quickly find them later.

We need to give your app registration permission to access and deploy to your App Service or whatever resource you wish to deploy to.

Go to the App Service page | Access control (IAM) | + Add | Add role assignment. Fill out the fields:

  • Role: Contributor
  • Assign access to: Azure AD user, group, or service principal
  • Select: search for and select the app registration you just made

Click save. You should see the app registration get added as a Contributor.

Access control

We also need to give read permissions for your subscription. I have no idea why it requires read access to subscriptions, but the connection fails if you don't do this.

Similar to the last step, go to your subscription (the one you are using for your app service) | Access control (IAM) | + Add | Add role assignment.

  • Role: Reader
  • Assign access to: Azure AD user, group, or service principal
  • Select: select the app registration, then save.

Create service connection

Go to your project in Azure DevOps, then Project settings in the sidebar | Service connections | New service connection. Connection type is Azure Resource Manager.

Here is where I got lost before, because this interface doesn't list my subscription. But if it works for you, it should automatically get the correct variables for you, I believe. If it doesn't work, keep reading.

Azure Resource Manager service connection

Click "use the full version of the service connection dialog". Here is how to fill out this complicated form.

  • Connection name: choose a name (I suggest <project name>-serviceconnection)
  • Environment: AzureCloud
  • Scope level: Subscription
  • Subscription ID: Get this from your subscription resource (see screenshot)
  • Subscription name: Get this from your subscription resource
  • Service principal client ID: App registration's Application (client) ID
  • Service principal key: In the app registration page, go to Certificates & Secrets.
    • Create a secret and copy the secret value. Expiration date of Never is fine.
    • Do not store this string; you can always create a new one.
  • Tenant ID: App registration's Directory (tenant) ID
  • Allow all pipelines to use this connection checkbox: Turn this on for testing; you can change it later.

Subscription

App registration

App registration secret

Click "Verify connection". It should say "Verified" in green. If the connection failed and you are sure you followed all the steps, wait 10 minutes and try again. After it's verified, you can click OK.

Verified

To use the service connection, reference the connection name you gave it earlier, in the correct field of the pipeline task. When you first try to run the pipeline, the build screen might show a message saying the connection isn't authorized.

Build page

Click "Authorize resources". You can see authorized pipelines in the Security page of the service connection. Run the build manually via the Queue button.

Now you can use the service connection in your pipeline.

If you are interested in learning more, then check out Edureka's DevOps Training Course and Azure Training.

answered Mar 29, 2022 by Edureka
• 12,690 points

edited Jul 4, 2023 by Khan Sarfaraz
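
A check for the two role assignments the answer sets up (Contributor on the App Service, Reader on the subscription), as an added example that is not part of the original answer: it reads JSON shaped like the output of `az role assignment list --assignee <appId> --all` and reports grants that are missing or wider than those two. The subscription ID, resource group, site name and the `audit` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee <appId> --all -o json`.
# Subscription ID, resource group and site name are placeholders, not values from the page.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP = SUB + "/resourceGroups/demo-rg/providers/Microsoft.Web/sites/demo-app"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "Contributor", "scope": APP},
    {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/demo-rg"},
])


def norm(scope):
    """Azure resource IDs are case-insensitive; compare lower-cased, no trailing slash."""
    return scope.strip().rstrip("/").lower()


def is_ancestor(outer, inner):
    """True when `outer` is a strictly wider scope that contains `inner`."""
    outer, inner = norm(outer), norm(inner)
    return outer != inner and inner.startswith(outer + "/")


def audit(assignments_json, subscription_scope, app_scope):
    """Compare actual grants with the two the answer sets up.

    Returns a list of (kind, role, scope) findings; an empty list means an exact match.
    """
    expected = {("contributor", norm(app_scope)), ("reader", norm(subscription_scope))}
    actual = {(a["roleDefinitionName"].lower(), norm(a["scope"]))
              for a in json.loads(assignments_json)}
    findings = [("MISSING", role, scope) for role, scope in sorted(expected - actual)]
    for role, scope in sorted(actual - expected):
        # A non-Reader role on a parent scope also covers the App Service and its siblings.
        wider = role != "reader" and is_ancestor(scope, app_scope)
        findings.append(("BROADER_THAN_NEEDED" if wider else "UNEXPECTED", role, scope))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, SUB, APP):
        print(*finding)
```
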
