Closed jcksonhe closed 3 months ago
Nothing obvious jumps out at me. Have you reviewed this discussion? https://github.com/microsoft/powerplatform-build-tools/discussions/884
Hey @devkeydet. Yes, I have reviewed that discussion - it's the same one I followed above. Are there any alternatives aside from using passwords in the task or client secrets through the service connection? I saw Managed Identity as an option in the Power Platform service connection, but we can't provide any authentication details?
For Managed Identity, pac cli essentially uses DefaultAzureCredential, which goes through an 8-step process to discover an identity we can use.
Thanks! Will try this.
Hmm. @jcksonhe, while the red error explains what those values should be, there should also be error text (probably not highlighted in red) in the output below the line in your screenshot.
As an example, in one of our test pipelines with intentionally misconfigured federation, the yellow highlighted line has the full error message coming from AAD / Entra ID (though the lack of word wrap makes getting that all in a screenshot annoying, as it's a long single line).
What does that text say?
The fact that the issuer text in the error you shared is being replaced by the [***] log redaction makes it annoying to double check whether you have the correct value. Note that the OrgID value there is not your CRM/PowerPlatform Org ID, but the Azure DevOps OrgID your pipeline is in. Could that perhaps be the issue?
@tehcrashxor Thanks for looking at this. I got the OrgId using this GET call, replacing OrgName with the same name in ADO:
https://dev.azure.com/_apis/resourceAreas/79134C72-4A58-4B42-976C-04E7115F32BF?accountName={OrgName}&api-version=5.0-preview.1
As for the error, I have the exact same message as you.
@jcksonhe, unfortunately the important bit of that line requires scrolling further to the right.
AADSTS700211 appears to be the error code for having a wrong value for the issuer. (AADSTS700213 - error for wrong subject, AADSTS70025 - error for no federated credentials on the SPN)
Making that API call for our test org returns a different GUID than that test org's Org ID.
Since the value is being redacted in the logs, you should also be able to find that value from making a Service Connection for Azure Resource Manager. Example:
1. Create a new service connection, selecting Azure Resource Manager
2. Choose Workload Identity Federation (manual), and hit "Next"
3. Fill out any name and click "Next"
4. Copy the Issuer field provided on that next page.
5. Then feel free to delete the draft ARM service connection.
We would like to make our own Service Connection behave like the Azure Resource Manager one does, providing those details at creation time. Unfortunately, that multi-stage behavior and filling in values like that is not possible for Service Connections provided by an Extension, as ours is; ARM's service connection is built into ADO, where they have much more flexibility to provide those details.
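As an added example (not code from the build tools repo or from anyone in this thread), a small Python helper that builds the issuer/subject pair from the templates used in this thread and maps the AADSTS codes listed above to the federated-credential field worth re-checking when the issuer itself is redacted in the log. The org/project names, the GUID and the sample log line are all constructed.

```python
import re

# Meaning of each code as stated in this thread (assumption: taken from the
# comment above, not from Entra documentation).
AADSTS_HINTS = {
    "AADSTS700211": "issuer value is wrong",
    "AADSTS700213": "subject identifier is wrong",
    "AADSTS70025": "no federated credential configured on the SPN",
}

def expected_wif_values(ado_org_id, org_name, project_name, service_connection_name):
    """Build the issuer/subject pair an ADO service connection presents.
    Note: ado_org_id is the Azure DevOps organisation GUID, not the Power Platform org ID."""
    return {
        "issuer": f"https://vstoken.dev.azure.com/{ado_org_id}",
        "subject": f"sc://{org_name}/{project_name}/{service_connection_name}",
    }

def diagnose_log(log_text):
    """Scan the whole (unwrapped) pipeline output for AADSTS codes and return
    (code, hint) pairs in first-seen order, so you do not need the redacted issuer."""
    seen = {}
    for code in re.findall(r"AADSTS\d+", log_text):
        seen.setdefault(code, AADSTS_HINTS.get(code, "unrecognised code; read the full message"))
    return list(seen.items())

def mismatched_fields(configured, expected):
    """Compare what was typed into the app registration's federated credential
    with the expected pair; returns the names of fields that differ."""
    return [k for k in ("issuer", "subject") if configured.get(k) != expected[k]]

# Constructed sample log line; the wording is made up, only the code is meaningful.
SAMPLE_LOG = (
    "##[error]Authentication failed.\n"
    "AADSTS700211: federated identity assertion issuer '[***]' did not match. "
    "Trace ID: 00000000-0000-0000-0000-000000000000\n"
)

if __name__ == "__main__":
    expected = expected_wif_values("11111111-2222-3333-4444-555555555555", "contoso", "Proj", "PP-WIF")
    # Simulates a credential created with the Power Platform org ID by mistake.
    configured = {"issuer": "https://vstoken.dev.azure.com/99999999-0000-0000-0000-000000000000",
                  "subject": expected["subject"]}
    print(diagnose_log(SAMPLE_LOG))
    print(mismatched_fields(configured, expected))
```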
Thanks @tehcrashxor , will try this out and report back
This worked!! Thank you so much @tehcrashxor!!
Hi team,
In need of some help setting up a release pipeline using the Power Platform Import Solution task using WIF. I've followed the instructions here: https://github.com/microsoft/powerplatform-build-tools/discussions/884 But just in case I missed a step, I'll sum up what I've done:
https://vstoken.dev.azure.com/{OrgId}
sc://{OrgName}/{ProjectName}/{ServiceConnectionName}
However, in my release pipeline using the "Power Platform Import Solution" task pointing to this service connection, I get the following error:
I've quadruple-checked the Issuer and Subject Identifier - They are definitely correct. Did I miss a step or configure something else incorrectly? Any help would be greatly appreciated.
Thanks!