0
votes

In my Azure DevOps release pipeline, I would like to start a VM. So I have an "Azure resource group deployment" task with the action "Start virtual machines". However, when I run this task, I get the error:

"Failed to fetch the list of virtual machines from resource group: ... Error: "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request"

In my VM I already enabled system-assigned managed identity, so I don't know why this error is appearing. Any thoughts?


1 Answer

0
votes

You will also need a service connection in Azure DevOps to connect to your Azure subscription using the MSI.

You can configure Azure Virtual Machines (VM)-based agents with an Azure Managed Service Identity in Azure Active Directory (Azure AD). This lets you use the system assigned identity (Service Principal) to grant the Azure VM-based agents access to any Azure resource that supports Azure AD, such as Key Vault, instead of persisting credentials in Azure DevOps for the connection.

  1. In Azure DevOps, open the Service connections page from the project settings page. In TFS, open the Services page from the "settings" icon in the top menu bar.

  2. Choose + New service connection and select Azure Resource Manager.

     [screenshot: choosing a service connection type]

  3. Select the Managed Identity Authentication option.

     [screenshot: opening the managed service identity settings]

  4. Enter a user-friendly Connection name to use when referring to this service connection.

  5. Select the Environment name (such as Azure Cloud, Azure Stack, or an Azure Government Cloud).

  6. Enter the values for your subscription into these fields of the connection dialog:

     • Subscription ID
     • Subscription name
     • Tenant ID

  7. After the new service connection is created:

     • If you are using it in the UI, select the connection name you assigned in the Azure subscription setting of your pipeline.
     • If you are using it in YAML, copy the connection name into your code as the azureSubscription value.

  8. Ensure that the VM (agent) has the appropriate permissions. For example, if your code needs to call Azure Resource Manager, assign the VM the appropriate role using Role-Based Access Control (RBAC) in Azure AD. For more details, see How can I use managed identities for Azure resources? and Use Role-Based Access Control to manage access to your Azure subscription resources.

https://docs.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-to-a-vm-with-a-managed-service-identity
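As an added example (not part of the question or the answer above), this YAML pipeline wires a Managed Identity service connection to the same "Start virtual machines" action the question uses. The service connection name `msi-arm-connection`, the agent pool `msi-agents` and the resource group `rg-example` are placeholders.

```yaml
# Added example, not from the original post. All names below are placeholders.
trigger: none

pool:
  # A Managed Identity service connection can only obtain a token when the job
  # runs on a self-hosted agent installed on the Azure VM that carries the
  # system-assigned identity. A Microsoft-hosted agent has no such identity,
  # which is one way to end up with the "Could not fetch access token" error.
  name: msi-agents

steps:
  - task: AzureResourceGroupDeployment@2
    displayName: Start VMs in the resource group
    inputs:
      # Must match the Connection name entered when the service connection was
      # created with the Managed Identity Authentication option.
      azureSubscription: msi-arm-connection
      action: Start
      resourceGroupName: rg-example
```

The identity of the agent VM (not the VM being started) needs an RBAC role on `rg-example` that permits starting virtual machines; the built-in Virtual Machine Contributor role is one such role.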