search

microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License
3.51k stars 2.62k forks source link

[Question]: @AzureFileCopy6 cannot find the storage account with WIF service connection if the UMI is in different subscription #20690

Open hancheng-ms opened 13 hours ago

hancheng-ms commented 13 hours ago

Task name

AzureFileCopy

Task version

6.248.3

Environment type (Please select at least one enviroment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

MMS windows 2022

Question

My pipeline to upload file to blob storage hit this error: ##[error]Storage account: csdngpstorage not found. The selected service connection 'Service Principal' supports storage accounts of Azure Resource Manager type only.

I think the UMI has all necessary permissions (reader, container blob contributor and so on) to access this subscription. The task tried to set Set-AzContext against a different subscription where the storage account was not created in. This reminded me to an issue I hit before in my custom az script. Because we manually created the WIF service connection and use this single UMI to access all azure subscriptions in MS tenant, we just need to add the umi to be "reader" of these subs and it worked well for most devops pipelines. Except I need to add one line to select the right subscription context to the azCLI script to make it pick right subscription need to work on.

Does AzureFileCopy support this scenario? How can I pick the subscription in the AzureFileCopy? Do we need a feature change to this pipeline task?
v-schhabra commented 6 hours ago

Hi @hancheng-ms Thanks for reporting this issue. Could you pls share the complete pipeline logs by adding the variable "system.debug" to true?