How to create a service connection for Azure in Azure Devops (with pictures)


Problem description

This "service connection" thing in Azure Devops is quite confusing. I want to create a service connection to be able to connect to Azure and do things like deploy to my App Service through a pipeline.

The problem is, my subscription isn't listed in the drop down menu, plus I get unhelpful errors like "Failed to obtain the Json Web Token(JWT)" or "Failed to query service connection API ... AuthorizationFailed". What are the steps I need to take in order to create a service connection?

Recommended answer

This was really confusing to me a year ago when I was new to Azure DevOps, because there is a lack of good documentation on this. The instructions are based off of an article by Roshan Jeewantha but updated for the newer UI.

The official documentation for resource manager connections is here but it's quite confusing especially for someone new to Azure.


Although the app registration part can be done on Azure CLI, the portal GUI is easier for beginners.

  • Azure subscription
  • An App Service or other resource to create the service connection for


What you will need to do first is create an app registration. An app registration is the role-based identity that your pipeline will use for deployment.

In Azure portal, go to Azure Active Directory | App registrations (in sidebar) | New registration.

Give a name for the app registration. Don't worry about the other settings; leave them default. Register it. Pro-tip: Prefixing related resources and entities with your project name (like <project name>-appregistration) will help you quickly find them later.

We need to give your app registration permission to access and deploy to your App Service or whatever resource you wish to deploy to.

Go to the App Service page | Access control (IAM) | + Add | Add role assignment. Fill out the fields:

Role: Contributor
Assign access to: Azure AD user, group, or service principal
Select: search for and select the app registration you just made

Click save. You should see the app registration get added as a Contributor.

We also need to give read permissions for your subscription. I have no idea why it requires read access to subscriptions, but the connection fails if you don't do this.

Similar to the last step, go to your subscription (the one you are using for your app service) | Access control (IAM) | + Add | Add role assignment.

Role: Reader
Assign access to: Azure AD user, group, or service principal
Select: select the app registration, then save.

Create service connection

Go to your project in Azure DevOps, then Project settings in the sidebar | Service connections | New service connection. Connection type is Azure Resource Manager.

Here is where I got lost before, because this interface doesn't list my subscription. But if it works for you, it should automatically get the correct variables for you, I believe. If it doesn't work, keep reading.

Click "use the full version of the service connection dialog". Here is how to fill out this complicated form.

Connection name: choose a name (may I suggest <project name>-serviceconnection)
Environment: AzureCloud
Scope level: Subscription
Subscription ID: Get this from your subscription resource (see screenshot)
Subscription name: Get this from your subscription resource
Service principal client ID: App registration's Application (client) ID
Service principal key: In the app registration page, go to Certificates & Secrets.
       Create a secret and copy the secret value. Expiration date of Never is fine.
       Do not store this string; you can always create a new one.
Tenant ID: App registration's Directory (tenant) ID
Allow all pipelines to use this connection checkbox: Uncheck if this connection is for this project only,
       check if this connection is for multiple projects.

Click "Verify connection". It should say "Verified" in green. If the connection failed and you are sure you followed all the steps, wait 10 minutes and try again. When roles are added, sometimes it takes a ridiculously long time to propagate. After it's verified, you can click OK.


To use the service connection, reference the connection name you gave it earlier, in the correct field of the build task. When you first try to run the pipeline, the build screen will show a message saying the connection isn't authorized.

Just click the "Authorize resources" button. You can see authorized pipelines in the Security page of the service connection. Run the build manually via the Queue button.


Now you can use the service connection in your pipeline. Here is a tutorial on deploying Node.js projects.

If you want to connect to GitHub, Docker, and other services in your pipeline, you can create service connections for those too. Just select the appropriate service connection type when you create it. That way you won't have to write your password into your build scripts.
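
An added check, not part of the original answer: before clicking "Verify connection", confirm that both role assignments from the steps above exist for the app registration, and that nothing write-capable was granted above the App Service. It assumes the JSON comes from `az role assignment list --assignee <client-id> --all -o json`; the subscription ID, resource names and function names below are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az role assignment list ... -o json`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP = SUB + "/resourceGroups/demo-rg/providers/Microsoft.Web/sites/demo-app"
SAMPLE = json.dumps([
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Contributor", "scope": APP},
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Reader", "scope": SUB},
])

# Built-in roles that satisfy each step of the answer.
READ_ROLES = {"Reader", "Contributor", "Owner"}
DEPLOY_ROLES = {"Contributor", "Owner"}


def norm(scope):
    return scope.rstrip("/").lower()


def covers(scope, target):
    """An assignment applies to its own scope and everything beneath it.
    Management-group scopes are not resolved here (assumption)."""
    s, t = norm(scope), norm(target)
    return t == s or t.startswith(s + "/")


def check_assignments(raw_json, subscription_scope, resource_scope):
    """Return (missing, broad): steps still to do, and grants wider than needed."""
    rows = json.loads(raw_json)
    can_deploy = any(r["roleDefinitionName"] in DEPLOY_ROLES
                     and covers(r["scope"], resource_scope) for r in rows)
    can_read = any(r["roleDefinitionName"] in READ_ROLES
                   and covers(r["scope"], subscription_scope) for r in rows)
    missing = []
    if not can_deploy:
        missing.append("Contributor on " + resource_scope)
    if not can_read:
        missing.append("Reader on " + subscription_scope)
    # Write-capable roles inherited from above the target resource.
    broad = [(r["roleDefinitionName"], r["scope"]) for r in rows
             if r["roleDefinitionName"] in DEPLOY_ROLES
             and covers(r["scope"], resource_scope)
             and norm(r["scope"]) != norm(resource_scope)]
    return missing, broad


if __name__ == "__main__":
    print(check_assignments(SAMPLE, SUB, APP))
```

An empty `missing` list with the connection still failing points to the propagation delay the answer mentions rather than a missing role.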
