CICD Pipeline is getting failed when migrating ADF pipelined from Dev ADF to Prod ADF

kks8589 106 Reputation points
2022-01-05T05:35:50.34+00:00

We have dev adf instance with all the pipelines developed and also liked services connecting to onpremise server as well as azure datalakes. So for onpremiseserver we have used shared self hosted IR of other adf instance.
Now we are migrating all the code in dev to a new instance Prod using devops pipeline
The CICD pipeline is getting failed with below error

*##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.

[error]Details:

[error]UnauthorizedIntegrationRuntimeAccess: Access denied. Unable to access shared integration runtime 'SelfHostedIR'. Please check whether this resource has been granted permission by the shared integration runtime

[error]Check out the troubleshooting guide to see if your issue is addressed: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting

[error]Task failed while creating or updating the template deployment*

Could you please help us with this issue.

And also i have few queries self hosted ir is registered for a particular adf instance and when its migrated to prod,everytime it will be an issue as the reference will be of dev instance right?

Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
10,716 questions
{count} votes

1 answer

Sort by: Most helpful
  1. MartinJaffer-MSFT 26,086 Reputation points
    2022-01-05T22:00:15.483+00:00

    Hello @kks8589 and welcome back.

    CI/CD gets a little complicated when a SHIR is involved. There are a couple sorts of issues that can arise. The error message suggests this is the permission issue I describe below.

    Short answer: You need to go to the Factory 'owning' the SHIR, and grant permissions to the other Factories. Permissions are not migrated during the CI/CD process.

    Long answer and education:

    Issue: Linked SHIR vs Shared SHIR type conflict
    Only one Factory can 'own' a given SHIR at a time. The 'owning' Factory has different information about the SHIR than a Factory who links to another. This means when you try to migrate an 'owning' Factory, you are then making the new Factory contest ownership. This is bad. To get around this issue, use a third Factory as the owner so the SHIR can be shared among all environments.

    Issue: Permission
    To stop unauthorized Factories from getting access to your SHIR, you must tell the 'owning' Factory to share SHIR access to any other Factory. It keeps an allowlist. This list must be updated manually. The good news is that you only need to set this up once. The access is based upon the ID of the Factory in Azure Active Directory. If you delete and re-create a Factory, even with the same name, you would need to grant access to the new Factory.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.