Cannot access Azure Devops Git repo from release pipeline using Service Principal
Problem description
We're creating Terraform modules for Azure resources; we've given each its own repo within a project, but when trying to call the module in the release pipeline, we get a time out, or an error 128.
This works outside the pipeline as a user with rights to deploy, however we're using a service principal to deploy within the release pipeline, which also has the correct rights; it looks like the issue is that Service Principals have no rights in Azure DevOps.
We've tried initially on a hosted build agent, but have just deployed our own private agent should we need to store any permanent information.
module "rg" { source = "git::https://dev.azure.com/*****/Terraform/_git/azmodresourcegroup//module?ref=v1.0" }
It looks like a rights issue, but can anyone point me at a workaround for this?
The error is either: C:\Program Files\Git\bin\git.exe exited with 128: Cloning into '.terraform\modules\
or a lengthy (30 mins) timeout.
Recommended answer
For anyone else facing this, the only way we could fix it was to use a PAT from a user account; the Service Principal is still used for the build but adding a PAT from a user account with rights over the Project got around the issue, then we just used token replacement to ensure the PAT didn't end up in code.
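The token-replacement step described in the answer, sketched as an added example (not code from the original post): the committed Terraform keeps only a placeholder, and the release agent substitutes the PAT from a secret variable just before `terraform init`, refusing any file that already carries a literal credential. The `__AZDO_PAT__` placeholder style, the `AZDO_PAT` variable name, the `pat:` username and the `ORG` organisation are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed placeholder style: __NAME__ (hypothetical; match your token-replacement step).
TOKEN = re.compile(r"__([A-Z0-9]+(?:_[A-Z0-9]+)*)__")
# Userinfo embedded in a git:: module source: git::https://<userinfo>@host/...
USERINFO = re.compile(r'source\s*=\s*"git::https://([^/@"\s]+)@')

# Constructed sample; ORG stands in for the organisation name.
SAMPLE_TF = '''module "rg" {
  source = "git::https://pat:__AZDO_PAT__@dev.azure.com/ORG/Terraform/_git/azmodresourcegroup//module?ref=v1.0"
}
'''

def find_hardcoded_credentials(text):
    """Return secrets in module sources that are literal values, not placeholders."""
    secrets = (m.group(1).rsplit(":", 1)[-1] for m in USERINFO.finditer(text))
    return [s for s in secrets if not TOKEN.fullmatch(s)]

def replace_tokens(text, values):
    """Substitute every __NAME__; fail closed if a value is missing or empty."""
    def substitute(match):
        value = values.get(match.group(1), "")
        if not value:
            raise KeyError(f"no value supplied for {match.group(0)}")
        return value
    return TOKEN.sub(substitute, text)

def render_tree(root, values):
    """Rewrite *.tf files in the agent's working copy; return the changed paths."""
    changed = []
    for path in sorted(Path(root).rglob("*.tf")):
        original = path.read_text(encoding="utf-8")
        if find_hardcoded_credentials(original):
            raise ValueError(f"{path}: credential committed in module source")
        rendered = replace_tokens(original, values)
        if rendered != original:
            path.write_text(rendered, encoding="utf-8")
            changed.append(path)
    return changed

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        Path(workdir, "main.tf").write_text(SAMPLE_TF, encoding="utf-8")
        # AZDO_PAT: assumed secret pipeline variable; the fallback is a constructed demo value.
        done = render_tree(workdir, {"AZDO_PAT": os.environ.get("AZDO_PAT", "demo-value")})
        print(f"rendered {len(done)} file(s); run terraform init next")
```

Run the rendering only against the agent's checkout, and scope the PAT to read-only access on the module repositories.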