Using Service Connections in Azure DevOps

I was recently setting up a build pipeline in Azure DevOps and realised I didn’t have access to the Azure resources to be able to pick the app service as a deployment target.
The easy way would be to get my account access to the Azure resources, but:

  1. I’d be the only one with the ability to change those deployment options, or at least new devs would to get access as well before they could.
  2. The onsite guy for that kind of access was away.

I had access to an account that had Azure resource access, so there had to be a way to use it in the pipeline somehow.
Turns out there is, and it’s via the Azure Service Connections. Most of this is based off this tutorial from Microsoft.

They use applications and service principals and the like to connect to Azure Resources (or a multitide of other services like Github), and provide them for Pipeline access.

So to illustrate the situation:

Situation is two accounts with different access
Situation is two accounts with different access

Starting with the Azure Portal account, let’s create an app registration to represent our connection to Azure AD.

Creating an App Registration in AD
Creating an App Registration in AD
Signon url is not important here
Signon url is not important here

Then we need to assign that registration to the subscription containing the resources we want via Access Control.

Assigning app registration to subscription
Assigning app registration to subscription
Creating the role assignment
Creating the role assignment

That’s the basic plumbing. There’s security and stuff that can be added at those various steps (e.g. who’s allowed to access the app registration, etc), but that’s all I needed.

Now we need to get some bits that Azure DevOps needs to make the link.

Get the service connection ID (App registration ID)
Get the service connection ID (App registration ID)
AAD Tenant ID
AAD Tenant ID

Now using the Azure DevOps account in Azure DevOps:

Creating a new service connection in Azure DevOps
Creating a new service connection in Azure DevOps

NOTE the slight catch here is that we need to go to the advanced view in order to specify the app registration we created.

Additional steps when creating the service connection
Additional steps when creating the service connection

And that’s done! Now your pipelines can access the Azure resources.

Tags: azure