6
votes

I am constructing a multi-stage Azure Pipeline in Azure DevOps to build and release my product.

I want to use variable groups in this pipeline, so that I can substitute different configuration values for different deployment environments.

I am unable to authorize my variable groups to be used by the pipeline. When I manually run a build, I see a message on the summary page telling me the variable group is not authorized.

The Azure DevOps documentation says this is to be expected:

When you make changes to the YAML file and add additional resources (assuming that these are not authorized for use in all pipelines as explained above), then the build fails with a resource authorization error that is similar to the following: Could not find a {RESOURCE} with name {NAME}. The {RESOURCE} does not exist or has not been authorized for use.

In this case, on the Summary page, you will see an option to authorize the resources on the failed build. If you are a member of the User role for the resource, you can select this option. Once the resources are authorized, you can start a new build.

I am a member of the User role for the variable group, and I am seeing the message, but I am presented with no option to authorize. Is there something else I need to do? Or is there another way I can authorize a specific pipeline to use a variable group?

3
Did you create the variable group manually or link Azure Key Vault? - Anna

I created the variable group manually. - Peter

Sorry if it's too obvious a question, but do you have "Allow access to all pipelines" set to true for your variable group? - Anna

No, fair question. I've consciously set that to "False" because there are sensitive variables in these groups and I want to minimise entities with access to them. If I set it to "True" then the pipeline can access the variables. - Peter

Hi, Peter. Is the situation I am referring to the cause of your issue? If you have any questions, please kindly let me know :) - Hugh Lin

3 Answers

7
votes

Variable groups can only be accessed if they are imported at the "job" level.

Solution:

I have tested and tried to reproduce your issue. In order to solve it, you need to add the variable group under "job".

Explanation / Analysis:

This is how to reproduce and solve the issue:

First, I have tested with the below yaml script, by adding the variable group to the stage (literally at the same level as jobs):

stages:
- stage: build
  variables:
    - group: 789
  jobs:
  - job: run_build
    pool:
      vmImage: 'Ubuntu 16.04'
    steps:
    - script: echo Build

With this configuration, I was not able to use the variable group. I got the same issue as you.

I then moved the variable group into the job section of the yaml file:

stages:
- stage: build
  jobs:
  - job: run_build
    pool:
      vmImage: 'Ubuntu 16.04'
    steps:
    - script: echo Build
    variables:
    - group: 789

With the modified configuration, I was able to see and use the Authorize resources option in the error message.

3
votes

The solution proposed by @hey didn't work for me because I had to use deployment jobs. I've found a hacky way to resolve this error:

  1. Go to your pipeline
  2. Edit
  3. Click on the three dots > Triggers
  4. Navigate to the variables tab
  5. Variable groups
  6. Add variable groups

1
votes

I had this issue as well, but it was because when I created a variable group under Pipelines > Library, the name in Azure Portal did not match the name in my yml file.
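
Two of the causes raised in the answers above can be checked before a run: the scope at which each group is imported, and whether its name matches the Library exactly. The following is an added example, not code from any answer on this page. It is an indentation-based scan of `- group:` entries rather than a full YAML parser, and the sample pipeline, the Library names and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from the page): groups referenced at stage and job scope.
SAMPLE_PIPELINE = """\
stages:
- stage: build
  variables:
  - group: shared-config
  jobs:
  - job: run_build
    steps:
    - script: echo Build
    variables:
    - group: build-secrets
- stage: release
  jobs:
  - deployment: deploy_prod
    environment: prod
  variables:
  - group: prod-secerts  # misspelled on purpose
"""
# Constructed stand-in for the group names listed under Pipelines > Library.
LIBRARY_GROUPS = {"shared-config", "build-secrets", "prod-secrets"}

SCOPE_RE = re.compile(r"-\s+(stage|job|deployment):\s*(\S+)")
GROUP_RE = re.compile(r"-\s+group:\s*(.+?)\s*(?:#.*)?$")

def find_group_refs(yaml_text):
    """Return (group, scope_kind, scope_name) for each '- group:' entry."""
    scopes, refs = [], []  # scopes: stack of (dash_indent, kind, name)
    for line in yaml_text.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        # A line at or left of a scope's dash is outside that stage/job.
        scopes = [s for s in scopes if s[0] < indent]
        scope, group = SCOPE_RE.match(text), GROUP_RE.match(text)
        if scope:
            scopes.append((indent, scope.group(1), scope.group(2)))
        elif group:
            kind, name = scopes[-1][1:] if scopes else ("pipeline", "(root)")
            refs.append((group.group(1).strip("'\""), kind, name))
    return refs

def missing_groups(yaml_text, library_groups):
    """References whose name has no exact match in the Library."""
    return [r for r in find_group_refs(yaml_text) if r[0] not in library_groups]

if __name__ == "__main__":
    for ref in find_group_refs(SAMPLE_PIPELINE):
        print(ref, "OK" if ref[0] in LIBRARY_GROUPS else "NOT IN LIBRARY")
```

Listing every reference with its scope also shows which stages and jobs pull in a group that holds sensitive values, which helps when "Allow access to all pipelines" is kept off.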