Issues Fetching Access Token in Azure DevOps Release Pipeline for Azure Synapse Workspace Deployment

RieDaniel-6883 25 Reputation points
2025-01-21T09:00:54.4766667+00:00

We build a Release Pipeline in Azure DevOps. This pipeline should deploy artifacts to an Azure Synapse Workspace (as described in this post: https://techcommunity.microsoft.com/blog/dataarchitectureblog/ci-cd-in-azure-synapse-analytics-part-4---the-release-pipeline/2034434).

In our case, the target workspace is located in a VNet. To be able to connect to it, we placed a self-hosted DevOps agent on a VM in the VNet, as described in this post: https://techcommunity.microsoft.com/blog/azuresynapseanalyticsblog/how-to-deploy-your-synapse-workspace-artifacts-to-a-managed-vnet-synapse-workspa/2764232.

Whenever we try to run the pipeline, it shows the following error:

Encountered with exception: Error: Get workspace location error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.

This seems to be misleading, we have checked the Service Principal multiple times. We added a service connection in DevOps with Workload Identity Federation, and that connection verifies successfully. Furthermore, the Service Principal is valid and has sufficient access rights in both Azure and Synapse.

What else can I check to find the real problem? Are there any related options or configurations in DevOps or Azure that are required to obtain the Azure token?

Azure Synapse Analytics
Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.
5,172 questions
0 comments No comments
{count} votes

Accepted answer
  1. Ganesh Gurram 3,765 Reputation points Microsoft Vendor
    2025-01-24T09:58:56.8733333+00:00

    @RieDaniel-6883 - I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer

    Ask: Issues Fetching Access Token in Azure DevOps Release Pipeline for Azure Synapse Workspace Deployment

    Solution: The Synapse workspace deployment task does not support workload identity. Therefore, the service connection must use a secret for the service principal authentication.

    This documentation gave us the hint: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops

    As workload identity federation is considered best practice, it would be great if Microsoft could update the Synapse workspace deployment task to support it.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information. 

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue. 

    ...............................................

    Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members. 

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. RieDaniel-6883 25 Reputation points
    2025-01-24T09:29:40.6333333+00:00

    We found the reason for the issue we had fetching the token:

    The Synapse workspace deployment task does not support workload identity. Therefore, the service connection must use a secret for the service principal authentication.

    This documentation gave us the hint: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops

    As workload identity federation is considered best practice, it would be great if Microsoft could update the Synapse workspace deployment task to support it.

    1 person found this answer helpful.

  2. Leo Visser 321 Reputation points MVP
    2025-01-21T09:11:05.27+00:00

    Are you using the System.AccessToken (https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken) when authenticating to azure. If you do then check the permissions of the Service Principal you are using, it hould have the right permissions.
    But I expect you aren't using the accesstoken when doing the commands to do the deployment.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.