Kzu's Today I Learned

Using Azure File Copy from DevOps yaml pipeline

I learned that it's not enough to authorize Azure Resource Manager access from DevOps


Last updated 3 years ago

Oh boy, did I waste time on this one :(. So I had my pipeline pretty naively doing an upload to blob storage:

- task: AzureFileCopy@4
  displayName: Upload Vsix
  inputs:
    SourcePath: '$(Pipeline.Workspace)\vsix\RoslynDeployment.$(Build.BuildId).vsix'
    azureSubscription: 'roslyn-Azure'
    Destination: 'AzureBlob'
    storage: 'roslyn'
    ContainerName: 'vsix'
    BlobPrefix: '$(Build.SourceBranchName)/RoslynDeployment.$(Build.BuildId).vsix'

I used a service principal managed by DevOps, which is the recommended approach. The blob storage account was under the same subscription, where the automatically created app properly showed up in IAM:

[Image: Access control (IAM) pane for storage account]

as a contributor:

[Image: DevOps-managed app as contributor to the storage account]

I kept getting a 403 response when the task ran, with the message "This request is not authorized to perform this operation using this permission."

In the process I learned how DevOps creates the app registration and what-not, but still, not fun.

Turns out being a Contributor is not enough. I tried changing guest user permissions, but in the end the only thing that worked was manually adding the Storage Blob Data Contributor role, which I found mentioned in a blog post.

Submitted a doc fix for the AzureFileCopy task docs so this is more easily discoverable.
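
A pre-flight check for the failure described above, added here as an example and not taken from the original post: it looks for a role carrying blob data actions on the storage account and assigns Storage Blob Data Contributor at that account's scope only if none is found. The function names and the placeholder subscription, resource group and principal values are assumptions; the `az role assignment` commands are standard Azure CLI.

```shell
#!/bin/sh
# Added example (not from the original post). Pre-flight check for AzureFileCopy@4:
# the service principal needs a role with blob *data* actions on the account.
# Contributor and Owner only carry management-plane actions, hence the 403.

# ARM scope of a single storage account, so the grant is not subscription-wide.
storage_scope() {  # args: subscription-id resource-group account-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Reads role names on stdin, one per line; succeeds if one allows blob upload.
has_blob_write_role() {
  while IFS= read -r role; do
    case "$role" in
      "Storage Blob Data Contributor"|"Storage Blob Data Owner") return 0 ;;
    esac
  done
  return 1
}

# Role names the principal holds at the scope, including inherited assignments.
list_roles() {  # args: assignee scope
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query '[].roleDefinitionName' -o tsv
}

# Assign Storage Blob Data Contributor only when no data-plane role is present.
ensure_blob_write() {  # args: assignee scope
  if list_roles "$1" "$2" | has_blob_write_role; then
    echo "data-plane blob role already present"
  else
    az role assignment create --assignee "$1" \
      --role "Storage Blob Data Contributor" --scope "$2"
  fi
}

# Usage (placeholders, replace with your own values):
#   ensure_blob_write "<service-principal-app-id>" \
#     "$(storage_scope "<subscription-id>" "<resource-group>" roslyn)"
```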