Azure pipeline(service connection)

hamza ali 65 Reputation points
2024-02-14T10:36:23.8966667+00:00

Hello everyone,
I am using Terraform in Azure DevOps to create an ACR and then trying to push an image to the ACR (first build, then push) using YAML syntax. It gives me an error related to authorization (the service connection used to push the image to ACR). Is there any way I can dynamically create the service connection (service principal) through YAML syntax after the ACR is created in the first build job?


2 answers

  1. hamza ali 65 Reputation points
    2024-02-14T11:21:40.4366667+00:00

    @Vinodh247 Thanks for the answer, Vinodh.
    This is my YAML pipeline syntax and I don't think that what you are recommending will work in this case.
    I have created a service connection (principal) with the name of the Azure container registry.

    
    trigger:
    - main
    
    stages:
    - stage: Build
      displayName: Build and push stage
      jobs:
      - job: TerraformJob
        displayName: 'Terraform Apply'
        pool:
          vmImage: 'ubuntu-latest'
        steps:
        - task: TerraformInstaller@1
          inputs:
            terraformVersion: 'latest'
        # init, plan and apply all authenticate through the 'new-spfi' Azure Resource Manager service connection
        - task: TerraformTaskV4@4
          inputs:
            provider: 'azurerm'
            command: 'init'
            backendServiceArm: 'new-spfi'
            backendAzureRmResourceGroupName: 'Hamza_Personal_project'
            backendAzureRmStorageAccountName: 'aksterrdeployement'
            backendAzureRmContainerName: 'akswli'
            backendAzureRmKey: 'terraform.tfstate'
        - task: TerraformTaskV4@4
          inputs:
            provider: 'azurerm'
            command: 'plan'
            commandOptions: '-out=tfplan'
            environmentServiceNameAzureRM: 'new-spfi'
        - task: TerraformTaskV4@4
          inputs:
            provider: 'azurerm'
            command: 'apply'
            commandOptions: 'tfplan'
            environmentServiceNameAzureRM: 'new-spfi'
    
      - job: Build
        dependsOn: TerraformJob
        displayName: Build
        pool:
          vmImage: 'ubuntu-latest'
        steps:
        # Docker@2 authenticates with a Docker Registry service connection, referenced here by name;
        # it is a different connection from the ARM connection used by the Terraform tasks
        - task: Docker@2
          displayName: Build and push an image to container registry
          inputs:
            containerRegistry: 'MineTeridtry'
            repository: 'hamcontainerRegistry'
            command: 'buildAndPush'
            Dockerfile: '$(Build.SourcesDirectory)/frontend/Dockerfile'
    

  2. Achraf Ben Alaya 1,311 Reputation points MVP
    2024-02-14T11:30:42.2633333+00:00

    Yes, you can dynamically create a service principal (which is used for the service connection in Azure DevOps) and configure it to have the necessary permissions to push images to your Azure Container Registry (ACR). Here's a high-level approach to achieve this using YAML syntax in Azure DevOps:

    1. Create ACR using Terraform: Define your Terraform script to create the Azure Container Registry in your YAML pipeline.
    2. Configure Service Principal creation: After successfully creating the ACR, you can use Azure CLI or Azure PowerShell task in your pipeline to dynamically create a service principal with the required permissions. Make sure to grant the service principal the necessary permissions to push images to the ACR. You can do this using the az ad sp create-for-rbac command in Azure CLI or New-AzADServicePrincipal in Azure PowerShell.
    3. Store Service Principal credentials: Once the service principal is created, store its credentials securely. You can use Azure Key Vault or Azure DevOps variable groups to store sensitive information like service principal credentials.
    4. Create Service Connection: Use the stored service principal credentials to create a service connection in your Azure DevOps project. This service connection will be used to authenticate and push images to the ACR.

    Here's a simplified example of what your YAML pipeline might look like:

    jobs:
    - job: CreateACR
      steps:
      - task: TerraformTask@2
        inputs:
          # Terraform configuration to create ACR
      - script: |
          az login --service-principal -u <service principal ID> -p <service principal password> --tenant <tenant ID>
          az acr login --name <acr name>
        displayName: 'Login to ACR'
      # Add more steps as needed to build and push images to ACR
    
    - job: CreateServicePrincipal
      dependsOn: CreateACR
      steps:
      - script: |
          # Azure CLI or PowerShell command to create service principal
          # Store the credentials securely (e.g., in Azure Key Vault or variable groups)
        displayName: 'Create and store service principal credentials'
    
    - job: PushToACR
      dependsOn: CreateServicePrincipal
      steps:
      - task: Docker@2
        inputs:
          # Build and push Docker image to ACR
    
    

    Replace placeholders like <service principal ID>, <service principal password>, <tenant ID>, and <acr name> with actual values or variables. Remember to handle sensitive information securely and follow best practices for managing secrets in your pipeline. Additionally, ensure that the service principal has the necessary permissions to push images to the ACR.

    PS :

    Service Connections: Instead of dynamically creating a service principal in each pipeline run, consider pre-configuring a service connection in Azure DevOps with a long-lived service principal. Then, grant this service principal the necessary permissions to interact with the ACR. This can simplify pipeline configuration and management.

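The approach from the PS above, worked through against the pipeline posted in the first answer, as an added example that is not part of either answer: the Build job reuses the Azure Resource Manager service connection the Terraform job already has ('new-spfi'), so no Docker Registry service connection and no second service principal has to exist before the registry does. AzureCLI@2 signs in as that connection's identity and `az acr login` turns the sign-in into a short-lived registry token for the docker CLI, so no registry password is minted or stored. Assumptions not stated in the thread: the registry name is chosen up front and handed to Terraform as the variable `acr_name` (pipeline variable `acrName`), the image is pushed to a repository named by `imageRepository`, and the identity behind 'new-spfi' holds at least AcrPush on the registry (Contributor on the resource group, which it needs in order to create the registry, already covers push).

```yaml
# Added example, not code from the original thread.
# Assumptions: Terraform config declares variable "acr_name"; the 'new-spfi'
# identity has AcrPush (or Contributor) on the registry it creates.
trigger:
- main

variables:
  acrName: 'replace-with-your-acr-name'   # assumption: same value Terraform uses for acr_name
  imageRepository: 'frontend'             # assumption: repository path inside the registry

stages:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: TerraformJob
    displayName: 'Terraform Apply'
    pool:
      vmImage: 'ubuntu-latest'
    steps:
    - task: TerraformInstaller@1
      inputs:
        terraformVersion: 'latest'
    - task: TerraformTaskV4@4
      inputs:
        provider: 'azurerm'
        command: 'init'
        backendServiceArm: 'new-spfi'
        backendAzureRmResourceGroupName: 'Hamza_Personal_project'
        backendAzureRmStorageAccountName: 'aksterrdeployement'
        backendAzureRmContainerName: 'akswli'
        backendAzureRmKey: 'terraform.tfstate'
    - task: TerraformTaskV4@4
      inputs:
        provider: 'azurerm'
        command: 'plan'
        # the registry name is fixed by the pipeline, so the Build job knows it without reading state
        commandOptions: '-out=tfplan -var acr_name=$(acrName)'
        environmentServiceNameAzureRM: 'new-spfi'
    - task: TerraformTaskV4@4
      inputs:
        provider: 'azurerm'
        command: 'apply'
        commandOptions: 'tfplan'
        environmentServiceNameAzureRM: 'new-spfi'

  - job: Build
    dependsOn: TerraformJob          # the registry exists before this job starts
    displayName: Build and push image
    pool:
      vmImage: 'ubuntu-latest'
    steps:
    - task: AzureCLI@2
      displayName: Build and push with the pipeline's own identity
      inputs:
        azureSubscription: 'new-spfi'  # same ARM service connection as the Terraform tasks
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          set -euo pipefail
          # Exchanges the service-connection sign-in for a short-lived ACR token
          # and configures the docker CLI with it; fails here, with a clear
          # message, if the identity lacks push rights on the registry.
          az acr login --name "$(acrName)"
          LOGIN_SERVER="$(az acr show --name "$(acrName)" --query loginServer -o tsv)"
          IMAGE="$LOGIN_SERVER/$(imageRepository):$(Build.BuildId)"
          docker build -t "$IMAGE" \
            -f "$(Build.SourcesDirectory)/frontend/Dockerfile" \
            "$(Build.SourcesDirectory)/frontend"
          docker push "$IMAGE"
```

If the Docker@2 task is preferred, the Docker Registry service connection it references ('MineTeridtry' in the first answer) still has to be created once, before the run, against an identity that already exists and holds AcrPush scoped to that registry; creating it from inside the same pipeline would require the pipeline to hold credentials able to administer service connections, which is another long-lived secret to protect. Minting a service principal with `az ad sp create-for-rbac` on every run has the same drawback: each run produces a new password that ends up in logs, variables or a vault and is rarely cleaned up, which is why reusing the existing connection with a least-privilege role is the safer default.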
