
I have multiple agent pools that require a pipeline to request authorization. When I assign a hardcoded value like pool: STAGING to the pipeline, it stops and asks for authorization.

⚠️ This pipeline needs permission to access a resource before this run can continue to Update environments View

However, when I inject the pool name to the pipeline as a runtime variable, for example as part of a matrix strategy like this:

  - job: update
    strategy:
      matrix:
        dev:
          poolName: 'DEV'
        stg:
          poolName: 'STAGING'
      maxParallel: 2
    pool: $(poolName)

It fails, with the authorization error:

##[error]Pipeline does not have permissions to use the referenced pool(s) AWS_STG_02_RELEASE. 
For authorization details, refer to https://aka.ms/yamlauthz.

But there's no prompt to authorize.

jessehouwing
Eduard Dubilyer
  • Please add any error messages as plain text to your answers. It makes it much easier for other people with similar issues to find your question and our answers. – jessehouwing Mar 23 '23 at 15:05

2 Answers


In Azure DevOps Services

For dynamically assigned pools you'll need to grant the pipeline access to the pool from the pool's configuration instead:


  • Navigate to the Project settings
  • Expand the Agent Pools blade
  • Select the Agent pool you want to authorize
  • On the Security tab add the pipeline with the + button

From the docs referenced in the URL that's mentioned in the logs:

Go to the administration experience of the resource. For example, variable groups and secure files are managed in the Library page under Pipelines. Agent pools and service connections are managed in Project settings. Here you can authorize all pipelines to access that resource. This authorization is convenient if you don't have a need to restrict access to a resource - for example, test resources.

In Azure DevOps Server

Unfortunately, this feature hasn't made it into Azure DevOps Server yet (last version checked: 2022.0). I do suspect the REST API exists under the hood.

You could try approving the pipeline by updating the agent pool permissions:

# A new session carries no cookies or credentials; add authentication before calling.
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
# The trailing 24 in the URL is the id of the agent queue being authorized.
Invoke-WebRequest -UseBasicParsing -Uri "https://dev.azure.com/jessehouwing/6484ebc3-af16-4af9-aa66-6b3398db7214/_apis/pipelines/pipelinePermissions/queue/24" `
  -Method "PATCH" `
  -WebSession $session `
  -Headers @{
    "method"="PATCH"
    "accept"="application/json;api-version=5.1-preview.1;excludeUrls=true;enumsAsNumbers=true;msDateFormat=true;noArrayWrap=true"
    "x-vss-reauthenticationaction"="Suppress"
  } `
  -ContentType "application/json" `
  -Body "{`"resource`":{},`"pipelines`":[{`"authorized`":true,`"authorizedBy`":null,`"authorizedOn`":null,`"id`":73}]}"

The id being passed in is the id of the pipeline definition.

jessehouwing
  • Hm. I have no 'Pipeline permissions' in security tab. We're running azure devops server on-prem, so maybe it's delivered with a newer version or available on SAAS only. Anyway thanks, it will be useful for others :) – Eduard Dubilyer Mar 23 '23 at 15:10
  • Do you have the right Agent Pool Permissions? I'm a Pool Administrator. It might be that you as a user or reader can't access this. And it could indeed also have been added in a later version that you're using. Be sure to add the `azure-devops-server-2019` tag for your exact server version. – jessehouwing Mar 23 '23 at 15:16
  • I have Azure DevOps Server 2022 RC1. Not enough reputation to create tags, @jessehouwing, appreciate if you can help with it – Eduard Dubilyer Mar 23 '23 at 15:31
  • Checked, I'm a pool admin and have only `Grant access permission to all pipelines` in the security tab. – Eduard Dubilyer Mar 23 '23 at 15:41
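
A read-only check to go with the grant in the answer above, as an added example that is not part of the original answer: it reads which pipelines are authorized on an agent queue from the same `pipelinePermissions/queue/{id}` endpoint and compares them with the pipelines you expect. The GET call, the `allPipelines` field, the function names and the sample response are assumptions; the answer itself only shows the PATCH.

```powershell
# Added example, not from the original answer. $CollectionUrl, $Project and $Pat
# are placeholders you supply; the PAT needs read access to agent pools.
function Get-QueuePermission {
    param(
        [Parameter(Mandatory)] [string] $CollectionUrl,   # e.g. https://dev.azure.com/<org>
        [Parameter(Mandatory)] [string] $Project,
        [Parameter(Mandatory)] [int]    $QueueId,         # the id after /queue/ in the URL
        [Parameter(Mandatory)] [string] $Pat,
        [string] $ApiVersion = '5.1-preview.1'            # version used in the answer
    )
    # A PAT is sent as the password half of a Basic credential with an empty user name.
    $token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
    $headers = @{ Authorization = "Basic $token" }
    $uri = "$CollectionUrl/$Project/_apis/pipelines/pipelinePermissions/queue/$QueueId" +
           "?api-version=$ApiVersion"
    Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
}

function Test-QueuePermission {
    param(
        [Parameter(Mandatory)] $Permission,               # object returned by the GET
        [int[]] $ExpectedPipelineIds = @()                # pipeline definition ids
    )
    # Keep only entries that are actually authorized.
    $authorized = @($Permission.pipelines | Where-Object { $_.authorized } |
                    ForEach-Object { [int]$_.id })
    [pscustomobject]@{
        QueueId            = $Permission.resource.id
        # Assumed field: set when "grant access to all pipelines" is enabled.
        OpenToAllPipelines = [bool]$Permission.allPipelines.authorized
        AuthorizedIds      = $authorized
        Unexpected         = @($authorized | Where-Object { $_ -notin $ExpectedPipelineIds })
        Missing            = @($ExpectedPipelineIds | Where-Object { $_ -notin $authorized })
    }
}

# Constructed sample response (not real data), shaped like the PATCH body in the answer.
$sample = @'
{ "resource": { "type": "queue", "id": "24" },
  "pipelines": [ { "id": 73, "authorized": true }, { "id": 91, "authorized": true } ] }
'@ | ConvertFrom-Json

# Pipeline 91 is reported as Unexpected and pipeline 80 as Missing.
Test-QueuePermission -Permission $sample -ExpectedPipelineIds 73, 80
```

Against a live project, pipe the result of `Get-QueuePermission` into `Test-QueuePermission -Permission` instead of the sample.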

Not a solution, but a workaround. I changed the pool to a hardcoded value once, reran the pipeline, and granted the requested authorization. After doing that, the pipeline is authorized to use the pool and can work with the agent pool set at runtime.

Eduard Dubilyer