Azure DevOps pipeline cannot copy to Azure storage

1
votes

I've got a pipeline that builds web artefacts and attempts to copy them to my Azure Storage using the Azure File Copy task provided in the Azure Pipelines. I've been trying for the last 2 days to fix this 403 response, stating there is a permissions error.

  • I have a service connection for this pipeline.
  • The service connection application registration has user_impersonation for Azure Storage in API Permissions
  • The service connection application registration has 'Storage Blob Data Contributor' & 'Storage Blob Data Owner' for the target Storage Account, the Resource Group and the Subscription.

enter image description here

enter image description here

enter image description here

enter image description here

1
azureazure-devopsazure-active-directoryazure-pipelines
Does the storage account have a firewall enabled?rickvdbosch
@rickvdbosch just checked it uses IP range whitelistingrnmalone
stackoverflow.com/questions/57995116/…Sajeetharan

1 Answers

3
votes

Since the storage account uses a Firewall and has IP range whitelisting enabled according to your comment, you should add the agent's IP address to the whitelist.

  • If you're running your own build agent, it's pretty straightforward.
  • If you use Microsoft-hosted agent to run your jobs and you need the information about what IP addresses are used, see Microsoft-hosted agents Agent IP ranges.

In some setups, you may need to know the range of IP addresses where agents are deployed. For instance, if you need to grant the hosted agents access through a firewall, you may wish to restrict that access by IP address. Because Azure DevOps uses the Azure global network, IP ranges vary over time. We publish a weekly JSON file listing IP ranges for Azure datacenters, broken out by region. This file is published every Wednesday with new planned IP ranges. The new IP ranges become effective the following Monday. We recommend that you check back frequently to ensure you keep an up-to-date list.

Since there is no API in the Azure Management Libraries for .NET to list the regions for a geography, you must list them manually.

EDIT:
There's a closed (! - but still active) GitHub issue here: AzureDevops don't considerate as 'Microsoft Services'

EDIT 2:

Your hosted agents run in the same Azure geography as your organization. Each geography contains one or more regions. While your agent may run in the same region as your organization, it is not guaranteed to do so. To obtain the complete list of possible IP ranges for your agent, you must use the IP ranges from all of the regions that are contained in your geography. For example, if your organization is located in the United States geography, you must use the IP ranges for all of the regions in that geography.

To determine your geography, navigate to https://dev.azure.com/<your_organization>/_settings/organizationOverview, get your region, and find the associated geography from the Azure geography table. Once you have identified your geography, use the IP ranges from the weekly file for all regions in that geography.