Can't Authorize YAML Build Task to Use Service Connection #1809

Closed
hasanayan opened this issue Sep 6, 2018 · 21 comments

@hasanayan

When I try to build my source using the YAML below:

```yaml
pool:
  vmImage: 'Ubuntu 16.04'

variables:
  imageName: 'xxxredactedxxx'
  projectfolder: 'xxxredactedxxx'

steps:
- script: docker build -f $(projectfolder)/Dockerfile -t $(imageName):$(build.buildId) -t $(imageName):latest .
  displayName: 'docker build'

- task: AmazonWebServices.aws-vsts-tools.ECRPushImage.ECRPushImage@1
  displayName: 'Push Image: '
  inputs:
    awsCredentials: 'AWS'
    regionName: 'eu-west-1'
    sourceImageName: '$(imageName)'
    repositoryName: '$(imageName)'
    autoCreateRepository: true
```

I get the following error:

Job phase1: Step input awsCredentials references service connection AWS which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz

I confirm I have a service connection named AWS.

I tried reading the link in the error message. However, the article doesn't show any directions on how to authorize the build to use the service connection.

@hasanayan
Author

I tried to create a new YAML build definition using the web application and the same YAML I used above. This time it worked.

Does this mean any time I need a new service connection in my YAML script, I need to create a new build definition?

@SachaLhopital

Hi @hasanayan,

I faced a similar issue with a YAML script for ARM template deployment.
The only way to solve it was to recreate the pipeline from scratch with the old web interface.

I was not able to create the right Service Connection otherwise (with the new YAML pipeline).

Therefore, is it a real bug or did we miss some configuration here?

@hasanayan
Author

hasanayan commented Sep 11, 2018

I think I should clarify what I wrote in my previous message.

If you are creating a completely new build definition using the new interface, on the last step (4th) it will show the editor for the yaml file. If you include access to your service here and save your build definition, vsts will scan your yaml file and authorize the service connection you just referred to. Everything will work.

However, if your yaml file didn't utilize a service connection initially and you would like to include it in your build definition later on by doing a commit, vsts will not scan the yaml file again to discover and authorize the service connection uses. I think this is not an expected behaviour.

I believe whenever a build definition yaml file is updated, it should be scanned for the service connection usages and authorized for the use of it.

But then, this makes me question, why is there a build definition authorization at all? Maybe the build definitions in a project should be allowed to consume the service connections in the same.

@hasanayan changed the title from "Can't Authorize YAML Build Task to USe Service Connection" to "Can't Authorize YAML Build Task to Use Service Connection" on Sep 11, 2018

@sugarjig

We also ran into this issue when deploying ARM templates. When attempting it from an azure-pipelines.yml file, we get the following error:

Job phase1: Step input azureSubscription references service connection **** which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz

Just like @SachaLhopital, we noticed that it works when building from the web GUI. But we also noticed that it works when running a build from a .vsts-ci.yml file, as described at https://github.com/Microsoft/azure-pipelines-agent/blob/master/docs/preview/yamlgettingstarted-definition.md.

@SachaLhopital

@sugarjig: I believe this is a pure Service Connection authorization problem, just like @hasanayan explained in the previous post:

> [...] If you include access to your service here and save your build definition, vsts will scan your yaml file and authorize the service connection you just referred to. Everything will work.
>
> However, if your yaml file didn't utilize a service connection initially and you would like to include it in your build definition later on by doing a commit, vsts will not scan the yaml file again to discover and authorize the service connection uses.

Just like you said, I hope this is NOT normal behavior!

@sebastianhaas

> But then, this makes me question, why is there a build definition authorization at all? Maybe the build definitions in a project should be allowed to consume the service connections in the same.

Word. But then again, that would be easy and fun to use.

@gatkin

gatkin commented Sep 22, 2018

I had this same issue. I followed the instructions from the old documentation which fixed my issue. Basically, you need to go through the web UI to get it to reload the build definition and authorize the connection.

@rhummelmose

How about we just get this fixed so we don't have to jump through hoops :)

@ericsciple
Contributor

@hasanayan the trick is, if you make a trivial edit to the definition in the web (e.g. add a variable) then save your build definition, vsts will scan your yaml file and authorize the service connection you just referred to.

@rhummelmose we completely agree. This is too much friction.

The next step is, we are working on a resource authorization experience on the definition editor page. From that page, you should be able to see what resources are authorized (service connections, queues, secure files), and authorize additional resources. I believe this will be landing in the next 1-2 sprints. We work in 3-week sprints.

I agree that in a project you should have an easy way to consume any service connection. This makes the most sense for small team scenarios. Larger organizations may want more control; we have thoughts about additional features to control policy. Solving these problems is on our backlog.

@TingluoHuang
Contributor

We have created a new repository for all YAML related issues, please move the current issue to there.
https://github.com/Microsoft/azure-pipelines-yaml

@brent-robinson

Adding a variable to the build definition solved this for me (thanks @ericsciple). Following the documentation did not work.

I did observe that renaming my YAML file to .vsts-ci.yml created a build definition automatically (as documented here) which was authorised. However, when I created a pull request with build validation, it failed to start the build with an authorisation error. Oddly, I've switched the build validation back to the build that started working after adding a variable, and now the PR build validation succeeds.

@CesarRN

CesarRN commented Oct 29, 2018

Hello,

I have the same problem:

Job Job1: Step input certSecureFile references secure file "xxx.p12" which could not be found. The secure file does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz

I don't know where the problem is. I reviewed the configuration and all is OK.

What can I do?

Thanks.

@ericsciple
Contributor

@vijayma ?

@vijayma
Contributor

vijayma commented Oct 29, 2018

@CesarRN Since you are using a new resource in your YAML file, you need to have the pipeline re-scan that YAML file and authorize any new resources. Have you followed the instructions in https://aka.ms/yamlauthz and did that help?

We are still working through the details on how to simplify this without going through these additional steps.

@CesarRN

CesarRN commented Oct 29, 2018

Hello @vijayma
I read the instructions from https://aka.ms/yamlauthz
I only have one branch, master.
I changed some parameters in my pipeline to refresh the configuration and saved it.

I'm sorry, but I can solve the problem.

Thanks

@TingluoHuang
Contributor

move to microsoft/azure-pipelines-yaml#31

@CesarRN

CesarRN commented Oct 30, 2018

I read the TingluoHuang issue but I think it is different.

Can someone help me with my configuration? Any ideas?

Thanks.

@TingluoHuang
Contributor

@CesarRN try changing some variable value in your pipeline definition in the UI and save, like changing system.debug=true

@CesarRN

CesarRN commented Oct 30, 2018

Hello @TingluoHuang
Yesterday, I tried this "work around", but it didn't work :(

Thanks

@ericsciple
Contributor

@CesarRN the issue moved to a different repo, here: microsoft/azure-pipelines-yaml#31

@walterfranssen

Just go to the pipeline and press edit in the right order and save.
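
The gap discussed in this thread (a commit that adds a resource reference to the YAML file is not re-scanned for authorization) can be caught in review by diffing resource references between two revisions of the pipeline file. The following is an added example, not part of the thread and not Azure Pipelines tooling; the input-name mapping is an assumption taken only from the error messages quoted above, and the sample YAML is constructed from the issue's snippet.

```python
import re

# Task inputs that name a protected resource. Assumption: this mapping is built
# only from the error messages quoted in this thread and is not exhaustive.
RESOURCE_INPUTS = {
    "awsCredentials": "service connection",
    "azureSubscription": "service connection",
    "certSecureFile": "secure file",
}
_INPUT_RE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][\w.]*)\s*:\s*(.*?)\s*$")

# Constructed sample revisions, based on the snippet in the issue.
OLD_YAML = """\
steps:
- script: docker build -t $(imageName):latest .
  displayName: 'docker build'
"""
NEW_YAML = OLD_YAML + """\
- task: AmazonWebServices.aws-vsts-tools.ECRPushImage.ECRPushImage@1
  displayName: 'Push Image: '
  inputs:
    awsCredentials: 'AWS'   # newly referenced service connection
    regionName: 'eu-west-1'
"""


def resource_refs(yaml_text):
    """Return {(kind, name)} for every resource-typed input in a pipeline file."""
    refs = set()
    for line in yaml_text.splitlines():
        line = line.split(" #", 1)[0]  # drop trailing YAML comments
        m = _INPUT_RE.match(line)
        if m and m.group(1) in RESOURCE_INPUTS:
            value = m.group(2).strip("'\"")
            if value:
                refs.add((RESOURCE_INPUTS[m.group(1)], value))
    return refs


def newly_referenced(old_yaml, new_yaml):
    """Resources the new revision uses that the old one did not."""
    return sorted(resource_refs(new_yaml) - resource_refs(old_yaml))


if __name__ == "__main__":
    for kind, name in newly_referenced(OLD_YAML, NEW_YAML):
        print(f"needs authorization before this commit can build: {kind} {name!r}")
```

Run against the previous and proposed revisions of a pipeline file, the output doubles as a reviewer's list of credentials a change newly reaches for.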
