Azure / azure-cli

Azure Command-Line Interface
MIT License

ERROR: TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource. #24108

Open arindam0310018 opened 2 years ago

arindam0310018 commented 2 years ago

Hello Team,

I am trying to create a DevOps Service Connection (type AzureRM) using Azure DevOps Pipelines. When I create it manually by running the commands in PowerShell, it works. But when I put it in a PowerShell pipeline task (inline script), it throws the below error:- ERROR: TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.

Here goes the below details:-

  1. Commands which I ran manually and which executed successfully -

az devops login (Will ask for PAT Token)
az devops configure --defaults organization= project=
$passwd="Enter Service Principal Secret"
$env:AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY=$passwd
az devops service-endpoint azurerm create --azure-rm-service-principal-id --azure-rm-subscription-id --azure-rm-subscription-name --azure-rm-tenant-id --name --org --project
az devops service-endpoint list --output table
$id = az devops service-endpoint list --query "[?name==''].id" -o tsv
az devops service-endpoint update --id $id --enable-for-all

  2. PowerShell Pipeline Task (Inline Script) -

- task: PowerShell@2
  displayName: CREATE SERVICE CONNECTION IN DEVOPS
  inputs:
    targetType: 'inline'
    script: |
      az devops service-endpoint azurerm create --azure-rm-service-principal-id --azure-rm-subscription-id --azure-rm-subscription-name --azure-rm-tenant-id --name --org --project
      $id = az devops service-endpoint list --query "[?name==''].id" -o tsv
      az devops service-endpoint update --id $id --enable-for-all
  env:
    AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY: "Enter Service Principal Secret"

Can you let me know what is the issue here with the pipeline...

Many Thanks Regards, Arindam Mitra


Document Details

Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

yonzhan commented 2 years ago

route to CXP team

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @v-anvashist, @V-hmusukula.

Document Details
* ID: fa18e6e0-743a-1e6f-23a7-26460e2f9f27
* Version Independent ID: f05be940-a104-7cc4-1cd8-88046d3eac49
* Content: [az devops service-endpoint azurerm](https://learn.microsoft.com/en-us/cli/azure/devops/service-endpoint/azurerm?view=azure-cli-latest#az-devops-service-endpoint-azurerm-create)
* Content Source: [latest/docs-ref-autogen/devops/service-endpoint/azurerm.yml](https://github.com/MicrosoftDocs/azure-docs-cli/blob/main/latest/docs-ref-autogen/devops/service-endpoint/azurerm.yml)
* GitHub Login: @rloutlaw
* Microsoft Alias: routlaw

Author: arindam0310018
Assignees: -
Labels: `Service Attention`, `customer-reported`, `DevOps`, `Auto-Assign`
Milestone: -
navba-MSFT commented 2 years ago

@arindam0310018 Removing CXP attention label and adding the Service team to assist on Devops issue.

@v-anvashist, @V-hmusukula Could you please look into this and provide an update ? Thanks in advance.

v-soujanya commented 2 years ago

@arindam0310018 Are you facing this issue only in the above-mentioned pipeline task?

arindam0310018 commented 2 years ago

Hello @v-soujanya

Yes, I am facing issue with the above mentioned pipeline task.

Below is pipeline Task snippet -

Create Service Connection in Az DevOps:-

- task: PowerShell@2
  displayName: CREATE SERVICE CONNECTION IN DEVOPS
  inputs:
    targetType: 'inline'
    script: |
      az devops service-endpoint azurerm create --azure-rm-service-principal-id $(${{ parameters.SPINAME }}-id) --azure-rm-subscription-id ${{ parameters.SubscriptionID }} --azure-rm-subscription-name ${{ parameters.SubscriptionName }} --azure-rm-tenant-id ${{ parameters.TenantID }} --name ${{ parameters.SPINAME }} --org $(DevOpsOrganisation) --project $(DevOpsProjName)
      $id = az devops service-endpoint list --query "[?name=='${{ parameters.SPINAME }}'].id" -o tsv
      az devops service-endpoint update --id $id --enable-for-all
  env:
    AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY: $(${{ parameters.SPINAME }}-passwd)

Error screenshot below:-

[image]

Many Thanks Regards, Arindam Mitra

v-anvashist commented 2 years ago

Hi @arindam0310018 We suspect this is a permission issue or an expired PAT token.

Could you please check whether you are able to run any other pipelines?

arindam0310018 commented 2 years ago

Hello @v-anvashist, I have tried earlier resetting the PAT. It gives me the same error. Please note that I have Stored PAT in KV and Fetching as pipeline task.

Many Thanks Regards, Arindam Mitra

v-anvashist commented 2 years ago

@arindam0310018 Let me conclude some points.

  1. You are facing the access issue in all the pipelines, not only with the above-mentioned one. Please confirm.
  2. You are not able to reset your PAT token, and you face the same access issue when resetting the PAT. Please confirm.

Thanks, Anjali

arindam0310018 commented 2 years ago

Hello @v-anvashist Thank you for the concluded points. My Answer inline below.

  1. I am facing access issue with only this Pipeline.
  2. There is no problem in resetting PAT. In order to resolve this current issue, I reset the PAT, update the new PAT to KV and then executed the pipeline. Same issue was encountered.

If it would help to reproduce the issue on your side, happy to share the entire YAML redacting my resource details. Please let me know

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 2 years ago

Hello @v-anvashist

Another observation (forgot to mention, apologies...): when I run the same set of DevOps CLI commands (which I am using in the pipeline task as an inline script) from the PowerShell terminal, it works!!!

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 2 years ago

Hello @v-anvashist Is there any update ? DO you need any further information ?

Many Thanks Regards, Arindam Mitra

v-anvashist commented 2 years ago

@arindam0310018 Could you please share the YAML to repro the issue?

Thanks, Anjali

arindam0310018 commented 2 years ago

Hello @v-anvashist,

Here you go - https://github.com/arindam0310018/12-Oct-2022-DevOps__Create-DevOps-Service-Connections

Many Thanks Regards, Arindam Mitra

frankzomer commented 2 years ago

@arindam0310018 This, almost surely, is due to an Azure AD Conditional Access Policy. It explains why it works locally (allowed IP list? VPN?) and not via Azure DevOps; the runners use the public IP space of MS.

arindam0310018 commented 2 years ago

Hello @frankzomer Thank you for looking into the issue.

I have another pipeline which creates a DevOps project and repos, initializes the repos, creates pipeline folders and pipeline environments, and configures Build Validation for the main branch using the DevOps CLI and REST API. It also uses a PAT and the MS build agent. It works perfectly fine when I execute it locally over the PowerShell terminal or when I run it over Azure DevOps Pipelines. Please check the code and blog. Code: https://github.com/arindam0310018/08-Apr-2022-DevOps__Power-Of-DevOps-CLI-And-REST-API Blog: https://dev.to/arindam0310018/power-of-devops-cli-and-rest-api-13lo

As this is working, I assume I should be able to create a Service Connection in DevOps using Pipelines as I am using Same PAT token and Devops CLI.

Question for you -

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 2 years ago

Hello @frankzomer @v-anvashist If time permits, please update Awaiting for your response!!!

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 2 years ago

Hello @frankzomer @v-anvashist

Quick update on my side as what else I did as a part of Tshoot -

I added the Service Principal (which is added as a Service Connection in DevOps) in an AAD Group and then added it in DevOps Project "Project Administrators".

Still the Same Error.

Any update from your side...

Many Thanks Regards, Arindam Mitra

v-anvashist commented 2 years ago

@arindam0310018 We also did some digging and found that the service connection of azure devOps got expired so we have repurposed the service endpoint and re-Authorized it. github.com_rohit-batra - Overview (azure.com)

And also changed the yaml to reflect the new endpoint. Azure DevOps CLI - Create Releases - Pipelines

But you are still facing the same issue so we will look into it again.

Thanks, Anjali

arindam0310018 commented 2 years ago

Hello @v-anvashist Thank you for your reply. Please be informed that I do not have access to both the links shared.

Appreciate your next update when ever you have time.

I am too trying something in my end. Keep you updated!!!

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 1 year ago

Hello @v-anvashist Any update from your side? I have now created the Az CLI and DevOps CLI script to create a DevOps service connection.

Have a look if time permits - https://github.com/arindam0310018/15-Nov-2022-DevOpsCLI__Create-Service-Connection

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 1 year ago

Hello @v-anvashist If time permits, Please update.

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 1 year ago

Hello @v-anvashist Can you please update.

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 1 year ago

Hello @v-anvashist Any update please ?

Many Thanks Regards, Arindam Mitra

v-soujanya commented 1 year ago

@arindam0310018 Hi, stepping here on behalf of @v-anvashist as she is OOF, let me check the previous discussions and provide the update for the same. Thanks

Arvindgade commented 1 year ago

@arindam0310018 Are you still facing the same issue?

arindam0310018 commented 1 year ago

Hello @Arvindgade,

Thank you for picking this topic. Apologies for the delayed response.

Yes, the issue still exists.

Many Thanks Regards, Arindam Mitra

MattMHB commented 1 year ago

EDIT: I wasn't setting the authorisation header. With that set, it now works.

arindam0310018 commented 1 year ago

Hello @MattMHB, /Cc: @Arvindgade

Happy New Year 2023.

Can you elaborate more. I did not follow. Could you fix the issue ? If Yes, can you share details which can help me (Similar to what I did earlier)

Many Thanks Regards, Arindam Mitra

kalalvishal commented 1 year ago

I faced the same issue, so I used a Terraform data block to retrieve the PAT from Key Vault and passed it, so it's working for me now. Somehow when I was passing it as an environment variable it was not working.

arindam0310018 commented 1 year ago

Hello @MattMHB @Arvindgade @frankzomer @v-anvashist @yonzhan and @kalalvishal, I had the Same issue for both use cases:-

  1. Create Service Connection using DevOps
  2. Create Azure Container Registry Service Connection using DevOps.

I have FIXED THE ISSUE for ACR Service Connection using DevOps (Point 2).

I will publish the code and blog soon.

For Point 1, I have Yet to test.

Keep you updated.

Thank you Best Regards, Arindam Mitra

Psychosapien commented 1 year ago

Hi there, I am also having this same issue - however I'm getting it when creating a project.

I can run the terraform from local powershell fine but as soon as I run it from the ADO pipeline, I get the following error:

│ Error: Error converting terraform data model to Azure DevOps project reference: TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.

I'm just passing my pat token via the variables in the ADO pipeline, I am presuming something about the PAT is not translating.

It also seems to run fine if I hardcode the PAT token (of course this isn't the answer) so it definitely seems to be an issue with the pat token being passed in via variable.

I'm passing it in with:

terraform apply -auto-approve -var="aad_client_id=$(aad_client_id)" -var="aad_client_secret=$(aad_client_secret)" -var="pat_token=${pat_token}"

Look forward to any advice!

I've actually just discovered my issue - I had wrapped the pat_token variable in curly braces instead of normal brackets... (doh!)

This has, however, at least confirmed that this is an issue with the PAT token being passed incorrectly (DevOps thinks you are connecting anonymously).

I hope my silly mistake can help to shine some light on the issue!

arindam0310018 commented 1 year ago

Hello @Psychosapien Thank you for the update. Much appreciated. I will test your code as well.

Many Thanks Regards, Arindam Mitra

arindam0310018 commented 1 year ago

Hello @MattMHB @Arvindgade @frankzomer @v-anvashist @yonzhan @kalalvishal and @Psychosapien

If you are using DevOps and Az CLI to create an ACR Service Connection, then please bear in mind that passing the PAT as a pipeline runtime variable, or fetching it from Key Vault and using it as an environment variable, will not work and will throw an error.

Below is the Fix:-

# Azure DevOps Basic auth: empty user name, PAT as password, base64-encoded as ":<PAT>"
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$(PAT)"))

# Hashtable entries on one line must be separated by ';'
$header = @{ 'Authorization' = 'Basic ' + $B64Pat; 'Content-Type' = 'application/json' }

Where I am fetching the PAT Variable from Key Vault.

Below is what the DevOps pipeline task looks like to download the secrets and use them as environment variables:-

- task: AzureKeyVault@2
  displayName: Fetch all Secrets from Keyvault
  inputs:
    azureSubscription: '$(ServiceConnection)'
    KeyVaultName: '${{ parameters.KVNAME }}'
    SecretsFilter: '*'
    RunAsPreJob: false

I still need to check if I am able to create DevOps Service Connection using -

Post that, I will update here and then publish a detailed blog for each of the use case.

Many Thanks Regards, Arindam Mitra
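Added example, not code from the thread: it wraps the header construction from the fix above in a function that refuses an empty PAT (which is what an unexpanded reference such as the `${pat_token}` case earlier in the thread delivers, and why DevOps then sees an anonymous caller), and then lists the project's service endpoints over the Azure DevOps REST API so a pipeline fails with a readable cause before the `az devops` step. The script parameters, the `Test-AdoPat.ps1` name and the endpoint-listing call are my assumptions, not the author's.

```powershell
# Added example, not code from the issue thread. Validates the PAT before use,
# builds the same Basic auth header as the fix above, and lists the project's
# service endpoints to confirm Azure DevOps sees an authenticated caller.
# Assumed inputs: organisation, project and the PAT fetched from Key Vault,
# passed in as pipeline variables.
param(
    [Parameter(Mandatory)][string]$Organisation,
    [Parameter(Mandatory)][string]$Project,
    [Parameter(Mandatory)][AllowEmptyString()][string]$Pat
)

function New-AdoAuthHeader {
    param([AllowEmptyString()][string]$Pat)
    # An unexpanded pipeline reference (e.g. ${pat_token} instead of $(pat_token))
    # reaches the script as an empty string; Azure DevOps then treats the request
    # as anonymous and answers TF400813. Fail here with a readable cause instead.
    if ([string]::IsNullOrWhiteSpace($Pat)) {
        throw 'PAT is empty: check the pipeline variable or Key Vault secret mapping.'
    }
    # Basic auth for Azure DevOps: empty user name, PAT as password, base64(":<PAT>")
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$Pat"))
    return @{ 'Authorization' = "Basic $b64"; 'Content-Type' = 'application/json' }
}

function Get-AdoServiceEndpoints {
    param([string]$Organisation, [string]$Project, [hashtable]$Header)
    $uri = "https://dev.azure.com/$Organisation/$Project/_apis/serviceendpoint/endpoints?api-version=7.0"
    try {
        $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers $Header
    } catch {
        throw "Azure DevOps rejected the request (check PAT scope/expiry): $($_.Exception.Message)"
    }
    # An unauthenticated call typically comes back as an HTML sign-in page rather
    # than the JSON {count, value} document, so a missing 'value' array is the tell.
    if ($null -eq $resp.value) {
        throw 'Response had no "value" array: the request was most likely not authenticated.'
    }
    return $resp.value
}

$header = New-AdoAuthHeader -Pat $Pat
$endpoints = @(Get-AdoServiceEndpoints -Organisation $Organisation -Project $Project -Header $header)
Write-Host "PAT accepted; $($endpoints.Count) service endpoint(s) visible in project '$Project'"
$endpoints | Select-Object name, type, id | Format-Table -AutoSize
```

Call it from the PowerShell@2 task as `./Test-AdoPat.ps1 -Organisation $(DevOpsOrganisation) -Project $(DevOpsProjName) -Pat $(PAT)`, i.e. with the `$(...)` macro syntax, so the PAT is expanded by the pipeline before the script runs.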

arindam0310018 commented 11 months ago

Hello @MattMHB @Arvindgade @frankzomer @v-anvashist @yonzhan @kalalvishal and @Psychosapien

Update from my side -

  1. Check out my blog on creating an ACR Service Connection using Azure DevOps - https://github.com/arindam0310018/10-Apr-2023-DevOps__Setup-Az-Container-Registry-Service-Connection

  2. Check out my code in IaC Onboarding where I have created AzureRM Service Connection using Azure Devops Pipelines - https://github.com/arindam0310018/31st-Aug-2023-Devops__IaC-Onboarding-In-Azure-Devops/blob/main/azure-pipelines-IaC-onboarding-v1.0.yml (Specifically look from Line 396)

I will keep making Progress and share you my update.

I request the same from your side.

Have a nice day.

Many Thanks Regards, Arindam Mitra

sethlivingston commented 9 months ago

This happens to me when I copy and paste a PAT into the az devops login command. If I type the PAT in manually, then it works fine. Maybe a control character or encoding issue?