Connecting to Azure Devops with a Service Principal

on Regards: Azure; Infrastructure;

Connect Azure Devops with Azure

To connect Azure Devops with Azure one can use a service principal. The benefit using a service principal is that you can control the exposed Resources which can be accessed from the azure devops pipelines. In order to do that we need to create an “App Registration” in Azure. The created app gets than access to our Azure Subscriptions. For setting up the service connection in Azure Devops its recommended to use the certificate authentication approach. For this the Azure Key Vault can be used.

Lets start by creating the Azure App Registration.

  1. Open Azure Portal
  2. Navigate to Azure Active Directory
  3. Click App registration
  4. Click New Registration
  5. Name: For example AzureDevOpsKeyVaultServiceConnection
  6. Supported account types: Accounts in this organizational directory only (Single Tenant)
  7. Redirect URI: (Leave blank)
  8. Click Register
  9. Switch to the overview of the created app / service principal and obtain the values
(Fig 1. service principal)

The next step is to assign the created service principal to give access to the azure subscription

  1. Navigate to Subscriptions and select your subscription
  2. Click Access control (IAM)
  3. Click Add -> Add role assignment
  4. Role: Contributor but not mandatory
  5. Assign access to: Azure AD user, group, or service principal
  6. Select Members: Enter the name of the create app/service principal
  7. Click Save
(Fig 2. azure subscription)
(Fig 3. azure subscription role assignment)

Create the certificate for the service principal using Azure Key Vault.

  1. Navigate to your Azure Key vault (If you don’t have you need to create one)
  2. Certificates
  3. Click Generate/Import
  4. Name: For example AzureDevOpsKeyVaultConnectionCertificate
  5. Validity Period (in months): Enter an appropriate amount of months
  6. Subject: For example CN={yourorganisation}/
  7. Switch Content Type to PEM
  8. Click Create
  9. Click Download in PFX/PEM format two times
  10. Switch to your service principal / registered app and open Certificates & secrets and select certificates
  11. Open the downloaded .pem file and open it with notepad. Remove the content of the private key and upload the public key

If Azure Key Vault should be used in Azure Devops make sure that under Access policies the permission model Vault access policy is enabled. Select Add Policy and add the app with the selected roles Get, List, Decrypt and Sign.

Create the Service Connection

  1. Open Azure DevOps and open your organization
  2. Select at the bottom Project settings
  3. Select Service Connection
  4. Select New Service Connection and Azure Resource Manager. At the bottom of the dialog press next
  5. Select Service Principal (manual)
  6. Set Enviroment Azure Cloud, Scope Level Subscription.
  7. Enter the Subscription id and name from your subscription (see Fig 2. azure subscription)
  8. Select Credentials to certificates and paste the content of the downloaded .pem file with the public and private key
  9. Enter the Principal id and the tenant id from the registered app (Fig 1. service principal)
  10. Click on the button Verifiy to check if everything is fine.
  11. Enter a proper service Connection name and create the service connection.
(Fig 4. azure subscription role assignment)

Your now ready to use the service connection to access azure. Try for example the following in your *.yml pipeline:

- task: AzureCLI@2
    azureSubscription: 'the name of your service connection'
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: 'az group list'

You can use the role based access control to set up which resources the service principal is allowed to access.