Yesterday, I set up a service connection between our Azure DevOps Team Project and our Azure Subscription. We are going to set up a CI/CD deployment pipeline for some web services we are working on.
First, I used Windows Terminal to connect to my Azure Cloud Shell. I had already configured Windows Terminal for this, but here’s how if you need to do it.
If you would prefer not to use the Windows Terminal, you can always connect to the Cloud Shell inside the Azure portal.
I think the Azure CLI is the easiest way to create service principals. If you need a refresher, a service principal is an identity that a service (in this case, the Azure DevOps Service Connection) runs as. The Azure CLI has a command just for this common task. You can also create service principals using PowerShell or the portal. With PowerShell, use the New-AzADServicePrincipal cmdlet. Configuring in the portal takes a bunch of clicking around; I’m not going to show how to do that that. Using the Azure CLI or PowerShell is much easier that clicking a bunch of stuff in the Azure portal.
The resource group already existed, so I used the following Azure CLI command to create the service principal.
|
1 2 3 |
az ad sp create-for-rbac –-name <resource group name> ` –-role contributor ` -–scopes /subscriptions/<subscription id>/resourceGroups/<resource group name> |
This created a service principal named bedrock-devops that had contributor rights on the resource group that contains our project infrastructure.
Note, I don’t know why it reports that it found an existing application instance; I created this service principal from scratch.
With this information, I was able to create the Service Connection in Azure DevOps.
I picked Azure Resource Manager and clicked Next.
I filled out the form supplying the information.
The Authentication fields are a little tricky because the names of the data that goes into each field is different in each data source. Use the following table to help get the right value into each of the fields.
| Service Connection Screen | JSON returned by az command | Azure portal |
| Service Principal Id | appId | Application (client) Id |
| Service principal key | password | Client Secret |
| Tenant ID | tenantId | Directory (tenant) ID |
After everything is configured, click the Verify button. You should see the Verification Succeeded message. If you don’t, double check that the Service Principal Id, Service principal key and Tenant ID match the appId, password and tenantId from the JSON returned by the az command.
Fill out the rest of the fields, giving the Service connection a name and click Verify and Save.
Finally, in your pipeline yml file, you use the AzureResourceGroupDeployment@2 task to deploy an ARM template to Azure. It takes a parameter named ConnectedServiceName which should be set to the value you added to the ServiceConnectionName field. Here is an example.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
- task: AzureResourceGroupDeployment@2 displayName: Azure Infrastructure inputs: ConnectedServiceName: 'Azure Connection' azureSubscription: $(subscriptionId) resourceGroupName: $(resourceGroupName) location: $(location) action: 'Create Or Update Resource Group' templateLocation: 'Linked artifact' csmFile: '$(System.DefaultWorkingDirectory)/Source/Deployment/azuredeploy.json' csmParametersFile: '$(System.DefaultWorkingDirectory)/Source/Deployment/azuredeploy.parameters.json' deploymentMode: 'Incremental' |