Automating Azure Resource Group deployment using a Service Principal in Visual Studio Online: Build/Release Management

Automating Azure Resource Group deployment using a Service Principal in Visual Studio Online: Build/Release Management

Scenario: Setup a CI/CD of deploying Azure Resource Group App via Visual Studio Online Build/Release Management.

Azure Resource Group deployment in VSO Build/Release relies on ARM (Azure Resource Manager) APIs. ARM supports Resource Groups, Deployment templates and RBAC (Role Based Access Control).

Using Azure Resource Manager, you can grant access to a service principal and authenticate it, so it can perform the permitted management actions on resources that exist in the subscription or as a tenant.

You can find Azure deployment templates from Azure Gallery or GitHub quickstart-templates

This topic shows you how to setup an Azure service end-point in VSO using Service Principal

 

1: Create an Azure Active Directory application

     a. Login to your Azure account through the classic portal.

     b. Select Active Directory from the left pane.

     
  

     c. Select the directory that you want to use for creating the new application.

    
 

     d. To add a new application in your directory, click on Applications and click on Add

     

       
 

     e. Choose “Add an application that my organization is developing”.

    
      
 
     f. Select WEB APPLICATION AND/OR WEB API and click the next button.

      
        

      Though we intend to automate Azure Resource Group deployment from VSO, we will have to create a Web App and use its service principal to authenticate with Azure Resource Manager.

 

     g. Enter a recognizable URL as we will need it later for role assignment.

     
 
     The existence of the web-site is not validated. We are registering a web app name-space so that we can create a Service Principal identity for the application.

READ  Flush Away Old CSS, JS after SharePoint Deployment

 

     h. Congratulations, you now have an AAD Application. Click on the CONFIGURE tab:

    

 

2: Create your service principal password

     a. From CONFIGURE tab, find Client ID and copy it. This will be your Service Principal user name

    

     b. From the “keys” section, from the drop-down select 1 or 2 year duration

    

     After you hit save at the bottom, it will display your key, which is basically your Service Principal account password. Copy and store the key value. You won’t be able to retrieve it later.

     c. Retrieve Tenant ID for your Azure account. Click “View End-Points” on the bottom panel.

    

     Copy any of the URLs displayed in the pop-up dialog, The GUID in there is your tenant ID, which you’ll need later

     https://login.microsoftonline.com/72921e51-521b-439d-8412-XXXXXXXXXXXX/federationmetadata/2007-06/federationmetadata.xml

     Now we have Service Principal account username, password and tenant id.

      Client ID: a63e0985-XXXX-XXXX-XXXX-XXXXXXXXXXXX

      Key: JjLsHGuoQKnWTqv4/C8Abyg8dQ1eqjXXXXXXXXXXX=

      Tenant ID: 72921e51-521b-439d-8412-XXXXXXXXXXXX

 

3: Assign roles to your Service Principal

     You have now created a service principal in the directory, but the service does not have any permissions or scope assigned. You will need to explicitly grant the service principal permissions to perform operations at some scope.

     You will need to use http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/

     Log in as your Microsoft identity in order to grant roles to your Service Principal identity

   

<code class="cplusplus"> PS C:>Switch-AzureMode -Name AzureResourceManager<br /> PS C:>Add-AzureAccount # This will pop up a login dialog<br /> </code>

    

     Assign roles to your Service Principal. For now, giving it access to the whole subscription. You can limit the access by providing the scope parameter.

READ  Image Slideshow Using JQuery, CSS In MVC 5

     You can use either App ID Uri or Client ID as the value for the -ServicePrincipalName parameter.

<code class="js"> PS C:>New-AzureRoleAssignment -ServicePrincipalName <a href="http://RNWebAppforVSO">http://RNWebAppforVSO</a> -RoleDefinitionName Contributor</code>

      If you run Get-AzureRoleAssignment, you should see the assignment.

 

4: Setup Azure Service End-Point in VSO

     a. From your Visual Studio Account, navigate to your Team Project and click on gear icon

     

     b. Click Services tab and click on ‘New Service Endpoint’ in the left pane.

     

     c. From the drop-down, select ‘Azure’ option. Select Service Principal radio choice and enter the details

      

     We are now able to add the Service Principal account.

    

     d. From Build/Release hub, now you add “Resource Group Deployment Task” and use the subscription.

     

 

Resources:  


Developer Tools Blogs

Leave a Reply

Your email address will not be published.