Azure / azure-cli

Azure Command-Line Interface
MIT License

Approve a pipeline to run on a specific agent pool, avoiding to manually approve on the UI #28111

Open clemlesne opened 9 months ago

clemlesne commented 9 months ago

Preconditions

Related command

az pipelines run \
  --commit-id "xxx" \
  --name "xxx"

Resource Provider

N/A

Description of Feature or Work Requested

I'm automating integration testing with Azure DevOps Pipelines for on-premise agent containers. This requires me to create projects & pipelines, execute them, and confirm the result.

Each time a new pipeline is created, and a first run is programmed, the pipeline never runs and a message "This pipeline needs permission to access a resource before this run can continue" is displayed. This requires a manual intervention on two buttons.

This behaviour disrupts a lot of the workflow. I would need a way to authorize a pipeline to run on a specific agent pool.

Minimum API Version Required

N/A

Swagger PR link / SDK link

N/A

Request Example

No response

Target Date

2023-03-01

PM Contact

N/A

Engineer Contact

N/A

Additional context

In the Azure DevOps web interface, this call is executed: https://learn.microsoft.com/en-us/rest/api/azure/devops/approvalsandchecks/pipeline-permissions/update-pipeline-permisions-for-resource?view=azure-devops-rest-7.1&tabs=HTTP.

HTTP call:

PATCH
https://dev.azure.com/azure-pipelines-agent/a4830acb-f3a3-45b5-b555-d21a240eeb36/_apis/pipelines/pipelinePermissions/queue/80
Authorization: Bearer xxx

Request body:

{
    "resource": {
        "type": "queue",
        "id": "80"
    },
    "pipelines": [
        {
            "id": 9,
            "authorized": true,
            "authorizedBy": {
                "displayName": "Clémence Lesné",
                "id": "970e1056-90cc-66a2-aa4e-1b4b9efc4967",
                "uniqueName": "clesne@microsoft.com",
                "descriptor": "aad.OTcwZTEwNTYtOTBjYy03NmEyLWFhNGUtMWI0YjllZmM0OTY3"
            },
            "authorizedOn": "/Date(1703957638150)/"
        }
    ]
}

Related:

yonzhan commented 9 months ago

Thank you for opening this issue, we will look into it.

clemlesne commented 9 months ago

I succeeded in executing the call with az devops invoke.

Nevertheless:

Script:

#!/bin/bash
set -e

pipeline_id="xxx"
project_id="xxx"
queue_id="xxx"

# Store body in a temp file
tmp_file=$(mktemp -t XXXXXX.json)

# Remove the temp file on exit, including when a command fails under set -e
trap 'rm -f "${tmp_file}"' EXIT

# Add body content: authorize only this pipeline on the queue
cat <<EOF > "${tmp_file}"
{
  "pipelines": [{
    "authorized": true,
    "id": "${pipeline_id}"
  }]
}
EOF

# Execute command (PATCH pipelinePermissions for the agent queue)
az devops invoke \
  --api-version 7.1-preview \
  --area pipelinePermissions \
  --http-method PATCH \
  --in-file "${tmp_file}" \
  --resource pipelinePermissions \
  --route-parameters project="${project_id}" resourceType=queue resourceId="${queue_id}" \
    > /dev/null

# Cleanup is handled by the EXIT trap above
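
The script above sends its output to /dev/null, so nothing confirms which pipelines ended up authorized on the agent queue. The following is an added example, not code from the issue or from the azure-cli project: it builds the same minimal PATCH body and audits a pipelinePermissions response so that only the intended pipeline holds the grant. The sample response is constructed, the function names are hypothetical, and the `allPipelines` field is an assumption taken from the REST reference for this endpoint.

```python
import json

# Constructed sample of a pipelinePermissions response for one agent queue.
# "resource" and "pipelines" mirror the request body shown in the issue;
# "allPipelines" is assumed from the REST reference for this endpoint.
SAMPLE_RESPONSE = """
{
  "resource": {"type": "queue", "id": "80"},
  "allPipelines": {"authorized": false},
  "pipelines": [
    {"id": 9, "authorized": true},
    {"id": 12, "authorized": true}
  ]
}
"""

def build_patch_body(pipeline_id):
    """Return the minimal PATCH body authorizing exactly one pipeline."""
    # int() raises ValueError for non-numeric input, so no stray text can be
    # spliced into the JSON the way shell interpolation would allow.
    return json.dumps({"pipelines": [{"id": int(pipeline_id), "authorized": True}]})

def audit_permissions(response_text, queue_id, expected_pipeline_ids):
    """Return a list of findings; an empty list means the grant is as intended."""
    data = json.loads(response_text)
    findings = []
    resource = data.get("resource") or {}
    if resource.get("type") != "queue" or str(resource.get("id")) != str(queue_id):
        findings.append("response is for a different resource")
    # A queue opened to every pipeline defeats the per-pipeline approval.
    if (data.get("allPipelines") or {}).get("authorized"):
        findings.append("queue is open to all pipelines")
    granted = {int(p["id"]) for p in data.get("pipelines") or [] if p.get("authorized")}
    expected = {int(i) for i in expected_pipeline_ids}
    for extra in sorted(granted - expected):
        findings.append(f"unexpected pipeline authorized: {extra}")
    for missing in sorted(expected - granted):
        findings.append(f"expected pipeline not authorized: {missing}")
    return findings

if __name__ == "__main__":
    print(build_patch_body("9"))
    for finding in audit_permissions(SAMPLE_RESPONSE, 80, [9]):
        print("FINDING:", finding)
```

In an automated run, the response text would come from the output of the `az devops invoke` call instead of the constructed sample, and a non-empty findings list should fail the job.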