One of the benefits of Azure DevOps pipelines is their direct connection to Azure, which makes deploying to and managing an Azure subscription from a pipeline quick. If your Azure subscription is in the same tenant as your Azure DevOps organization, you can create an Azure DevOps service connection to Azure in no time, as long as your account has the right permissions: you sign in on the service connection page and you are done. The other option is to create the connection manually, which gives you more flexibility. In this post, I will show a script that creates an Azure DevOps service connection to Azure with PowerShell.
I have written a post about this previously. It shows the step-by-step process to set up the manual connection. If you are new to that process, I recommend reading that post first, as it helps to learn the process. But I found myself getting lazy and constantly using the same (test) projects because I couldn't be bothered to create a new connection. So I decided to automate the whole thing.
But why?
There are a few use cases for manually creating a service connection:
- You want to manage the permissions for the service connection.
This is something you should consider, as the service connection is available to everyone in the project with permission to run pipelines, without extra verification. This means that if you have a service connection with Contributor rights on the whole subscription (the default setting), you give every user in the project that same access!
- You want to deploy resources to a different Azure tenant.
Azure DevOps is connected to one Azure AD tenant. You can create a connection to every subscription your account can access in that tenant. If you want to access a subscription outside that scope, you need to create the connection manually.
What does the script do?
The script completely automates the process of creating a manual connection. It creates the service principal in Azure and assigns it a role at the chosen scope, and then creates a service connection in an Azure DevOps project. You can then use that connection from a pipeline, for example to deploy ARM templates or to run Azure PowerShell. I have written about some pipeline options in this post.
To know a little bit more about the Azure DevOps REST API that is used, you could read this post.
Prerequisites
To use this script, there are a few things you need to take care of:
- A Personal Access Token (PAT) in Azure DevOps. You can find how to create one here. Take note of the scopes you need, because the PAT does not need full access: select Service Connections: Read, query and manage.
You can find that option by clicking Show all scopes at the bottom.
- A connection to Azure. The script uses the Az PowerShell module, so sign in with Connect-AzAccount using an account that has Owner permissions on the specified subscription. The reason is that the script assigns a role to the new service principal on the scoped resource group or subscription, and creating role assignments requires Owner (or User Access Administrator) rights at that scope. The account also needs permission to create a service principal in Azure AD.
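To make the steps above concrete, here is a stand-alone PowerShell version of the manual process (create the principal, assign one role at one scope, register the principal in Azure DevOps over the REST API). This is an added example, not the author's NewAzDoServiceConnection module. It assumes Az.Resources 5 or later (Az 7+), an existing Connect-AzAccount session, a PAT in the AZDO_PAT environment variable, and placeholder names (example, RG01, AzDoCompany, AzureDeployment, user@example.com) that you replace with your own.

```powershell
# Added example, not the author's module. Assumes Az.Resources 5+ (Az 7 or later)
# and an existing Connect-AzAccount session. All values below are placeholders;
# the PAT is read from an environment variable so it never lands in the script.
param(
    [string]$AzServicePrincipalName = 'example',
    [string]$AzSubscriptionName     = 'Pay-As-You-Go',
    [string]$AzResourceGroupScope   = 'RG01',        # empty string = whole subscription
    [string]$AzRole                 = 'Contributor',
    [string]$AzDoOrganizationName   = 'AzDoCompany',
    [string]$AzDoProjectName        = 'AzureDeployment',
    [string]$AzDoConnectionName     = '',            # empty = subscription name without spaces
    [string]$AzDoUserName           = 'user@example.com',
    [string]$AzDoToken              = $env:AZDO_PAT
)
$ErrorActionPreference = 'Stop'
if (-not $AzDoToken) { throw 'Set AZDO_PAT to a PAT with the "Service Connections: Read, query and manage" scope.' }
if (-not $AzDoConnectionName) { $AzDoConnectionName = $AzSubscriptionName -replace '\s', '' }

# 1. Select the subscription and build the scope string for the role assignment.
$subscription = Get-AzSubscription -SubscriptionName $AzSubscriptionName
Set-AzContext -SubscriptionId $subscription.Id | Out-Null
$scope = if ($AzResourceGroupScope) {
    (Get-AzResourceGroup -Name $AzResourceGroupScope).ResourceId   # /subscriptions/<id>/resourceGroups/RG01
} else {
    "/subscriptions/$($subscription.Id)"
}

# 2. Create the service principal. Az.Resources 5+ assigns no role on creation; older
#    versions granted Contributor on the whole subscription unless -SkipAssignment was passed.
$spParams = @{ DisplayName = $AzServicePrincipalName }
if ((Get-Command New-AzADServicePrincipal).Parameters.ContainsKey('SkipAssignment')) {
    $spParams.SkipAssignment = $true
}
$sp     = New-AzADServicePrincipal @spParams
$secret = $sp.PasswordCredentials.SecretText   # returned once; never echo it to the console or a log

# 3. Assign exactly one role at exactly one scope. Directory replication can lag, so
#    retry a few times while the new principal is not yet visible to Azure Resource Manager.
$assigned = $false
for ($try = 1; $try -le 6 -and -not $assigned; $try++) {
    try {
        New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName $AzRole -Scope $scope | Out-Null
        $assigned = $true
    } catch {
        if ($try -eq 6) { throw }
        Start-Sleep -Seconds 10
    }
}

# 4. Register the principal in Azure DevOps as an Azure Resource Manager service connection.
$basic   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($AzDoUserName):$AzDoToken"))
$headers = @{ Authorization = "Basic $basic" }
$baseUri = "https://dev.azure.com/$AzDoOrganizationName"
$project = Invoke-RestMethod -Headers $headers `
    -Uri "$baseUri/_apis/projects/$([uri]::EscapeDataString($AzDoProjectName))?api-version=6.0"

$body = @{
    name = $AzDoConnectionName
    type = 'azurerm'
    url  = 'https://management.azure.com/'
    authorization = @{
        scheme     = 'ServicePrincipal'
        parameters = @{
            tenantid            = $subscription.TenantId
            serviceprincipalid  = $sp.AppId
            authenticationType  = 'spnKey'
            serviceprincipalkey = $secret
        }
    }
    data = @{
        subscriptionId   = $subscription.Id
        subscriptionName = $subscription.Name
        environment      = 'AzureCloud'
        scopeLevel       = 'Subscription'
        creationMode     = 'Manual'
    }
    serviceEndpointProjectReferences = @(
        @{ name = $AzDoConnectionName; projectReference = @{ id = $project.id; name = $project.name } }
    )
}
$endpoint = Invoke-RestMethod -Uri "$baseUri/_apis/serviceendpoint/endpoints?api-version=6.0-preview.4" `
    -Method Post -Headers $headers -ContentType 'application/json' -Body ($body | ConvertTo-Json -Depth 10)

# 5. Azure DevOps now holds the secret; report only the non-secret identifiers.
[pscustomobject]@{
    ServicePrincipalAppId = $sp.AppId
    RoleScope             = $scope
    ConnectionId          = $endpoint.id
    ConnectionName        = $endpoint.name
    IsReady               = $endpoint.isReady
}
```

Two design choices matter for security here: the role is assigned explicitly after creation so that the principal never carries a default subscription-wide Contributor assignment, and the client secret exists only in the `$secret` variable and the POST body, so nothing else in the session can print it.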
Get the script
There are two ways for you to get the script.
Install from the PowerShell Gallery
I have added the script as a module to the PowerShell Gallery for easy access. To download it, use the following commands:
Install-Module -Name NewAzDoServiceConnection
Import-Module -Name NewAzDoServiceConnection
Download from GitHub
If you can't or don't want to install a module, you can get the script from the GitHub repository.
To do this, you can clone it, fork it or download it as a zip.
You can find the repo here
Use the script
To use the script, you need to define quite a few parameters. I will quickly walk through them:
AzServicePrincipalName
The name of the service principal in Azure. The script creates this principal. This name has to be unique in your tenant.
AzSubscriptionName
The name of the subscription that the service connection will connect to.
If no AzResourceGroupScope is given, the service principal gets permissions on the whole subscription.
AzResourceGroupScope
You can optionally define a resource group that the service principal will get permissions for. This way the connection will not get permissions to the complete subscription.
AzRole
The Azure role definition that the service principal will be assigned, like Contributor or Owner. If not defined, this defaults to Contributor.
AzDoOrganizationName
The organization name in Azure DevOps, so the part that comes directly after https://dev.azure.com/
AzDoProjectName
The project name in Azure DevOps
AzDoConnectionName
The name you choose for your Azure DevOps Connection. This will be how you call the connection in a pipeline.
If left empty, it defaults to the name of the subscription without spaces.
AzDoUserName
The username to use to connect to Azure DevOps.
AzDoToken
The PAT to use to connect to Azure DevOps.
Run the cmdlet
So with that information, the complete cmdlet would look something like this:
Note: This cmdlet can take some time to run, depending on your connections and on whether you have already imported the Az module. If you want to be kept up to date on the progress, use the -Verbose parameter.
This will create the following:
- In Azure: a service principal called example with Owner permissions on the resource group RG01
- In Azure DevOps: a connection in the Azure DevOps organization AzDoCompany for project AzureDeployment.
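Because the whole point of the manual route is controlling what the connection can do, it is worth checking the result rather than trusting it. The audit below is an added example (not part of the author's module) that runs after the cmdlet has finished. It assumes an existing Connect-AzAccount session on the target subscription, a PAT in AZDO_PAT with the Service Connections scope, and the names from the example above (principal example, resource group RG01, organization AzDoCompany, project AzureDeployment); the connection name is a placeholder. The last check, whether the connection is open to all pipelines, goes one step beyond what the post describes and uses the Azure DevOps pipeline-permissions API.

```powershell
# Added example, not part of the author's module: verify that the cmdlet produced a
# least-privilege result. Assumes Connect-AzAccount has been run and AZDO_PAT is set.
$ErrorActionPreference = 'Stop'
$spName         = 'example'          # AzServicePrincipalName used above
$rgName         = 'RG01'             # AzResourceGroupScope used above
$org            = 'AzDoCompany'      # AzDoOrganizationName
$projectName    = 'AzureDeployment'  # AzDoProjectName
$connectionName = 'MyConnection'     # placeholder: the AzDoConnectionName you chose

# --- Azure side: the principal should hold exactly one assignment, scoped to the resource group.
$sps = @(Get-AzADServicePrincipal -DisplayName $spName)
if ($sps.Count -ne 1) { throw "Expected exactly one service principal named '$spName', found $($sps.Count)" }
$sp      = $sps[0]
$rgScope = (Get-AzResourceGroup -Name $rgName).ResourceId
$assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id)   # includes assignments inherited from higher scopes

foreach ($a in $assignments) {
    $status = if ($a.Scope -eq $rgScope) { 'OK' } else { 'TOO BROAD' }
    '{0,-10} {1,-25} {2}' -f $status, $a.RoleDefinitionName, $a.Scope
}
$broad = @($assignments | Where-Object { $_.Scope -ne $rgScope })
if ($broad.Count -gt 0) {
    Write-Warning "$($broad.Count) role assignment(s) reach beyond $rgName; every pipeline allowed to use this connection inherits them."
}

# --- Azure DevOps side: the connection exists, is ready, and points at this principal.
# A PAT works with any username in HTTP Basic auth, so the username is left empty here.
$headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$env:AZDO_PAT")) }
$base    = "https://dev.azure.com/$org/$([uri]::EscapeDataString($projectName))/_apis"
$eps = @((Invoke-RestMethod -Headers $headers `
    -Uri "$base/serviceendpoint/endpoints?endpointNames=$([uri]::EscapeDataString($connectionName))&api-version=6.0-preview.4").value)
if ($eps.Count -ne 1) { throw "Expected one service connection named '$connectionName', found $($eps.Count)" }
$ep = $eps[0]
if ($ep.authorization.parameters.serviceprincipalid -ne $sp.AppId) {
    Write-Warning "Connection '$connectionName' authenticates as $($ep.authorization.parameters.serviceprincipalid), not as $($sp.AppId)"
}
"Connection $($ep.name) ($($ep.id)) ready: $($ep.isReady); scope level: $($ep.data.scopeLevel)"

# --- Pipeline access: a connection authorized for all pipelines hands the principal's
#     rights to anyone who can edit any pipeline in the project.
$perm = Invoke-RestMethod -Headers $headers `
    -Uri "$base/pipelines/pipelinepermissions/endpoint/$($ep.id)?api-version=7.1-preview.1"
if ($perm.allPipelines.authorized) {
    Write-Warning "Connection '$connectionName' is authorized for all pipelines in $projectName"
} else {
    "Pipelines explicitly authorized to use the connection: $(@($perm.pipelines).Count)"
}
```

If the first section reports a TOO BROAD line, the principal has an assignment at subscription or management-group level, which is exactly the situation the post warns about: every user who can run a pipeline in the project effectively gets that access.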
Conclusion
So this is how you can set up an Azure DevOps service connection to Azure with PowerShell. I hope this works well for you. If you have any issues, let me know in the comments or in the GitHub issues.