DBojsen / Azure-Data-Factory-CI-CD-tools

Tools for deploying Azure Data Factory artifacts

Missing service connection parameter #1

Open jnus opened 1 year ago

jnus commented 1 year ago

Hi David,

Just tried out your extension and running into issues setting the service connection. When adding using the task assistant, the service connection is not present in the YAML and IntelliSense cannot tell me the name either. Should the service connection be added as a parameter to the extension?

DBojsen commented 1 year ago

Hi @jnus. From your screenshot, I can see that you have selected a service connection called "Freedom-ADO-AzureRM-nonProd", which is present both in the YAML (the property's name is AzureSubscription) and in the task assistant UI. It is this service connection that will be used to establish the connection and security context for the deployment.

If I'm misunderstanding, could you please provide more context?

BR David

jnus commented 1 year ago

You are totally right - troubleshooting skills not that sharp yesterday ;). Still getting an auth error though. Service connection setup in ADO (and used for other deployments) and SP has contributor permission on the data factory resource. Any idea of what could be wrong? Besides the Contributor role, any other permissions needed to be set for the SP?

##[debug]VstsTaskSdk 0.11.0 commit 7ff27a3e0bdd6f7b06690ae5f5b63cb84d0f23f4
##[debug]INPUT_CONNECTEDSERVICENAMEARM: 'aaaaaaaa-811c-4eac-8d36-c462e3857a94'
##[debug]INPUT_DATAFACTORYSUBSCRIPTIONID: 'aaaaaaaa-acbe-485f-84f8-eb7b588b20c9'
##[debug]INPUT_DATAFACTORYRESOURCEGROUPNAME: 'jmn-dataplatform-rg'
##[debug]INPUT_DATAFACTORYRESOURCENAME: 'jmn-freedeom-datafactory'
##[debug]INPUT_REPOPATH: 'D:\a\1\a\DataPlatform\AzureDataFactory'
##[debug]INPUT_REMOVEOBSOLETEARTIFACTS: 'true'
##[debug] Converted to bool: True
##[debug]INPUT_TRIGGERREPLACEMENTTYPE: 'off'
##[debug]INPUT_LINKEDSERVICEREPLACEMENTSTYPE: 'off'
##[debug]INPUT_KEYVAULTLSGTONE: 'no'
##[debug]INPUT_SHIRGTONE: 'no'
##[debug]ENDPOINT_URL_aaaaaaaa-811c-4eac-8d36-c462e3857a94: 'https://management.azure.com/'
##[debug]ENDPOINT_AUTH_aaaaaaaa-811c-4eac-8d36-c462e3857a94: '********'
##[debug]ENDPOINT_DATA_aaaaaaaa-811c-4eac-8d36-c462e3857a94: '{"environment":"AzureCloud","scopeLevel":"Subscription","subscriptionId":"aaaaaaaa-acbe-485f-84f8-eb7b588b20c9","subscriptionName":"FreedomNonProduction","creationMode":"Manual","environmentUrl":"https://management.azure.com/","galleryUrl":"https://gallery.azure.com/","serviceManagementUrl":"https://management.core.windows.net/","resourceManagerUrl":"https://management.azure.com/","activeDirectoryAuthority":"https://login.microsoftonline.com/","environmentAuthorityUrl":"https://login.windows.net/","graphUrl":"https://graph.windows.net/","microsoftGraphUrl":"https://graph.microsoft.com/","managementPortalUrl":"https://manage.windowsazure.com/","armManagementPortalUrl":"https://portal.azure.com/","activeDirectoryServiceEndpointResourceId":"https://management.core.windows.net/","sqlDatabaseDnsSuffix":".database.windows.net","AzureKeyVaultDnsSuffix":"vault.azure.net","AzureKeyVaultServiceEndpointResourceId":"https://vault.azure.net","StorageEndpointSuffix":"core.windows.net","EnableAdfsAuthentication":"false"}'
##[error]Unable to complete because of exception
##[debug]Processed: ##vso[task.logissue type=error;]Unable to complete because of exception
##[error]Unknown error while authenticating to the DataFactory instance
##[debug]Processed: ##vso[task.logissue type=error;]Unknown error while authenticating to the DataFactory instance
##[error]   at DBojsen.DataFactory.Application.AuthenticationHelper.GetAdfClient(String AdfSubscriptionId, String AdfResourceGroupName, String AdfResourceName) in D:\a\1\s\DataFactory\DBojsen.DataFactory\DBojsen.DataFactory.Application\DataFactory\AuthenticationHelper.cs:line 43
##[debug]Processed: ##vso[task.logissue type=error;]   at DBojsen.DataFactory.Application.AuthenticationHelper.GetAdfClient(String AdfSubscriptionId, String AdfResourceGroupName, String AdfResourceName) in D:\a\1\s\DataFactory\DBojsen.DataFactory\DBojsen.DataFactory.Application\DataFactory\AuthenticationHelper.cs:line 43
   at DBojsen.DataFactory.Deployment.Program.RunWithOptions(CommandLineOptions opt) in D:\a\1\s\DataFactory\DBojsen.DataFactory\DBojsen.DataFactory.Deployment\Program.cs:line 197
##[debug]Processed: ##vso[task.logissue type=error;]
##[debug]Caught exception from task script.
##[debug]Error record:
##[debug]D:\a\_tasks\DBojsenDataFactoryDeployment_e15848e4-4d49-4214-ba6d-7ec15f56197e\0.9.7\deploy.ps1 : Errors occurred while deploying
##[debug]At line:1 char:1
##[debug]+ . 'D:\a\_tasks\DBojsenDataFactoryDeployment_e15848e4-4d49-4214-ba6d-7 ...
##[debug]+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##[debug]    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
##[debug]    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,deploy.ps1
##[debug] 
##[debug]Script stack trace:
##[debug]at <ScriptBlock>, D:\a\_tasks\DBojsenDataFactoryDeployment_e15848e4-4d49-4214-ba6d-7ec15f56197e\0.9.7\deploy.ps1: line 119
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]at <ScriptBlock>, <No file>: line 22
##[debug]at <ScriptBlock>, <No file>: line 18
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]Exception:
##[debug]Microsoft.PowerShell.Commands.WriteErrorException: Errors occurred while deploying

jnus commented 1 year ago

Or is there a parameter to increase the logging verbosity I might use to troubleshoot this issue?

DBojsen commented 1 year ago

Hi again. I can see I need to improve the output when there is an authentication error.

I have not seen issues with this step, unless I accidentally mixed things up and tried to use the Dev service connection to deploy to the test resource or something similar.

Could you double check that you have the right match, Service Connection -> Service Principal -> RBAC permissions on ADF, or perhaps even try to recreate the service connection and use the new one?

jnus commented 1 year ago

Hi. OK - so I've created a sample in my own subscription, setting up the service connection from scratch and everything worked on the first try. So there's definitely something off with the permissions in the original tenant. Creating a new service connection here, making sure it's contributor on the resource, still gives the auth error though. There are a couple of differences I'm seeing:

  1. In my own subscription, the SP created is given the name <subscription>-<service-connection name>-<subscription id>. In the customer tenant I'm seeing <company name>-POS-Solutions-Commerce-<subscription id>
  2. In my tenant, I'm set to be the owner of the enterprise app being created by ADO. In the customer tenant, there are no owners

There might be some Azure policies I'm not aware of at the customer, so I'll look into that. If you have any idea how to troubleshoot this, feel free to pitch in ;)

jnus commented 1 year ago

Got it working and it was due to a permission issue as you mentioned. Had multiple SPs with the same name, hence the confusion. Thanks!

DBojsen commented 1 year ago

Hi @jnus

Glad you got it working.
I'll keep the issue open, to track the necessary improvement of the output when this task fails.
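
The chain discussed in this thread (service connection -> service principal -> RBAC on the data factory) and the same-name mix-up that caused the failure can be checked mechanically; the following is an added example, not code from the extension or from either commenter. All IDs, names and scopes are constructed, the record fields mirror the JSON emitted by `az ad sp list` and `az role assignment list`, and the function names are hypothetical.

```python
# Constructed sample data; fields mirror `az ad sp list` / `az role assignment list` JSON.
ADF_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "example-rg/providers/Microsoft.DataFactory/factories/example-adf")
RG_SCOPE = ADF_SCOPE.split("/providers/")[0]
SPS = [  # two service principals sharing one display name
    {"id": "obj-1", "appId": "app-1", "displayName": "example-deploy-sp"},
    {"id": "obj-2", "appId": "app-2", "displayName": "example-deploy-sp"},
]
ASSIGNMENTS = [
    {"principalId": "obj-1", "roleDefinitionName": "Reader", "scope": RG_SCOPE},
    {"principalId": "obj-2", "roleDefinitionName": "Contributor", "scope": RG_SCOPE},
]

def covers(assignment_scope, resource_scope):
    """A role assignment applies at its own scope and to everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def roles_on(principal_id, assignments, resource_scope):
    """Role names a principal holds on the resource, including inherited ones."""
    return sorted(a["roleDefinitionName"] for a in assignments
                  if a["principalId"] == principal_id
                  and covers(a["scope"], resource_scope))

def diagnose(connection_app_id, sps, assignments, resource_scope,
             required="Contributor"):
    """Resolve the service connection's client ID to a principal and check its role.

    Assumption: only an exact match on `required` counts; other roles that
    also grant write access are not considered here.
    """
    sp = next((s for s in sps if s["appId"] == connection_app_id), None)
    if sp is None:
        return {"status": "no-such-principal", "principal": None, "lookalikes": []}
    # Same display name, different object ID, but holding the role: the mix-up
    # reported in the thread.
    lookalikes = [s["id"] for s in sps
                  if s["displayName"] == sp["displayName"] and s["id"] != sp["id"]
                  and required in roles_on(s["id"], assignments, resource_scope)]
    if required in roles_on(sp["id"], assignments, resource_scope):
        status = "ok"
    elif lookalikes:
        status = "role-on-same-named-principal"
    else:
        status = "role-missing"
    return {"status": status, "principal": sp["id"], "lookalikes": lookalikes}
```

Matching on `appId` and object `id` rather than on display name is the point: display names are not unique in a tenant, so a role granted by name lookup can land on a different principal than the one the service connection authenticates as.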