Oh boy, did I waste time on this one :(. So I had my pipeline pretty naively doing an upload to blob storage:
- task: [email protected]displayName: Upload Vsixinputs:SourcePath: '$(Pipeline.Workspace)\vsix\RoslynDeployment.$(Build.BuildId).vsix'azureSubscription: 'roslyn-Azure'Destination: 'AzureBlob'storage: 'roslyn'ContainerName: 'vsix'BlobPrefix: '$(Build.SourceBranchName)/RoslynDeployment.$(Build.BuildId).vsix'
I used a service principal managed by DevOps which is the recommended approach. The blob storage account was under the same subscription, where the automatically created app properly showed up in IAM:
as a contributor:
I kept getting a 403 response when the task run, with the message
This request is not authorized to perform this operation using this permission.
Turns out being a Contributor is not enough. I tried changing guest user permissions, but in the end the only thing that worked was manually adding the Storage Blob Data Contributor role, which I found mentioned in a blog post.
In the process I learned how DevOps creates the app registration and what-not, but still, not fun.