I tried to create a release definition. How hard can it be? But then I suddenly found myself in the maze of DevOps security. This was further complicated by the fact that I had no admin rights in Azure AD or DevOps, which in fact left me blind when looking for a solution.
What exactly was the problem? I tried to add an Azure Resource Deployment step to my release pipeline. When doing so, you have to specify a subscription. After choosing the subscription, I have to press [Authorize]. This gives me an error saying that I’m not authorized.
The solution to this problem is to create an Azure Resource Manager service connection. Steps:
- Go to [client].visualstudio.com.
- Open your Team Project.
- Go to Project Settings.
- Select service connections. Add a service connection of type Azure Resource Manager. Name the service connection [subscription]-ota-spa. The acronym SPA stands for service principal application.
- Enter subscription=[subscription]-ota and resourcegroup=[resourcegroup]-test.
Background information can be found at docs.microsoft.com. The service principal will be assigned the Contributor role and will give API Management access to the selected Azure subscription and resource group. Effectively, this means you can add resources via the release pipeline.
One final note. To be able to select the service principal in the Azure Resource Deployment step, you as a user (say: email@example.com) must be assigned to the following DevOps roles: Release Administrators and Project Administrators.
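Because the service principal receives Contributor, it is worth confirming that the assignment is limited to the resource group chosen in the service connection and not the whole subscription. The script below is an added example, not part of the original post: it audits role-assignment JSON in the shape returned by `az role assignment list --assignee <appId> --all --output json`. The subscription ID, principal name, and resource names are constructed placeholders.

```python
import json

# Constructed sample shaped like the output of:
#   az role assignment list --assignee <appId> --all --output json
# Every ID and name here is a placeholder, not a value from the post.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.loads("""
[
  {"principalName": "example-ota-spa", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-test"},
  {"principalName": "example-ota-spa", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "example-ota-spa", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/other-rg"}
]
""")

# Built-in roles that can change resources or grant access.
PRIVILEGED_ROLES = {"owner", "contributor", "user access administrator"}


def normalize(scope):
    """ARM resource IDs are case-insensitive; compare them in one form."""
    return "/" + scope.strip("/").lower()


def audit(assignments, allowed_scope):
    """Return (role, scope, kind) for privileged roles outside allowed_scope."""
    allowed = normalize(allowed_scope)
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        if role.lower() not in PRIVILEGED_ROLES:
            continue  # read-only roles are out of scope for this check
        scope = normalize(a.get("scope", "/"))
        # Compare whole path segments so "rg-test2" never matches "rg-test".
        if scope == allowed or scope.startswith(allowed + "/"):
            continue
        parent = scope.rstrip("/") + "/"
        kind = "broader" if allowed.startswith(parent) else "unrelated"
        findings.append((role, a.get("scope"), kind))
    return findings


if __name__ == "__main__":
    for role, scope, kind in audit(SAMPLE, SUB + "/resourceGroups/example-test"):
        print(f"{kind.upper()}: {role} at {scope}")
```

A "broader" finding means the pipeline identity can modify resources beyond the intended resource group, which is the case to raise with whoever administers the subscription.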