0 votes

In my project, I want to create a few AzureRM service connections with different levels of access. I want to allow only certain pipelines to use the service connections, and I am aiming to use the API or the az devops extension to do this. The portal already allows choosing which pipelines may use a service connection through the service connection security settings.

So far I was able to find the relevant permission in the ServiceEndpoints namespace:

Name   Permission Description    Permission Bit
Use    Use Service Connection    1

However, I do not know how to grant the permission to the pipeline. I think I should use 'az devops security permission update' from the extension, but I cannot figure out what the subject should be in the case of a pipeline. Looking at the output of 'az pipelines build definition show', I do not see any unique identifier for a pipeline, and the documentation for security permission update says the subject should be a user or group.

If I want to use the API, I will need to know how to create the descriptor to pass to Set Access Control Lists.

Any hint is appreciated.

1
Any update for this issue? Have you resolved this issue? If not, would you please let me know the latest information about this issue? If yes, you could Accept it as an Answer, so it could help other community members who get the same issues and we could archive this thread, thanks.

Leo Liu-MSFT

1 Answer

0 votes

Grant permission to pipeline to use a service connection

According to the az devops security permission documentation, we can use az devops security permission update to update an Azure DevOps security permission:

az devops security permission update --id
                                     --subject
                                     --token
                                     [--allow-bit]
                                     [--deny-bit]
                                     [--detect {false, true}]
                                     [--merge {false, true}]
                                     [--org]

"however can not figure what the subject should be in case of a pipeline."

From the description of the parameters, we can see:

--subject

   User Email ID or Group descriptor.

So, if we want to update the permission for a given user, we just need to provide the user email in the above command. If we want to update the permission for a given group, we need to provide the group descriptor.

To get the group descriptor, we can use az devops security group list.

You could check this thread for some details.
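A worked example of the procedure in this answer, added here and not part of the original answer: it picks a group descriptor out of the output of az devops security group list and assembles the az devops security permission update call that grants only the Use bit (1) from the table in the question, leaving any deny bits untouched. The JSON field names, the ServiceEndpoints namespace id and the endpoints/<project id>/<endpoint id> token format are assumptions to verify against your own organization, and the group list below is constructed sample data.

```python
import json

# "Use Service Connection" bit in the ServiceEndpoints namespace (table in the question).
USE_SERVICE_CONNECTION_BIT = 1
# ServiceEndpoints namespace id as listed in the Azure DevOps security namespace
# reference; assumed here, confirm with `az devops security permission namespace list`.
SERVICE_ENDPOINTS_NAMESPACE_ID = "49b48001-ca20-4adc-8111-5b60c903a50c"

# Constructed sample standing in for `az devops security group list --output json`;
# the "graphGroups" / "displayName" / "descriptor" field names are assumed.
SAMPLE_GROUP_LIST = json.dumps({
    "continuationToken": None,
    "graphGroups": [
        {"displayName": "Contributors", "descriptor": "vssgp.Uy0xLTktMTIzNDU2Nzg5LTE"},
        {"displayName": "Deployers", "descriptor": "vssgp.Uy0xLTktMTIzNDU2Nzg5LTI"},
    ],
})


def find_group_descriptor(group_list_json: str, display_name: str) -> str:
    """Return the descriptor of the single group whose displayName matches exactly."""
    groups = json.loads(group_list_json).get("graphGroups", [])
    matches = [g["descriptor"] for g in groups if g.get("displayName") == display_name]
    if len(matches) != 1:
        # Refuse to guess: granting to the wrong group is a silent over-privilege.
        raise LookupError(f"expected exactly one group named {display_name!r}, found {len(matches)}")
    descriptor = matches[0]
    # Azure DevOps group descriptors are prefixed vssgp. (built-in/custom) or aadgp. (Azure AD).
    if not descriptor.startswith(("vssgp.", "aadgp.")):
        raise ValueError(f"{descriptor!r} does not look like a group descriptor")
    return descriptor


def build_grant_use_command(project_id: str, endpoint_id: str, subject: str, org: str) -> list:
    """Build the argv for az devops security permission update allowing only the Use bit."""
    # Assumed project-level token format for a service connection.
    token = f"endpoints/{project_id}/{endpoint_id}"
    return [
        "az", "devops", "security", "permission", "update",
        "--id", SERVICE_ENDPOINTS_NAMESPACE_ID,
        "--subject", subject,          # user email or group descriptor, per the docs quoted above
        "--token", token,
        "--allow-bit", str(USE_SERVICE_CONNECTION_BIT),
        "--merge", "true",             # merge with existing ACEs instead of replacing them
        "--org", org,
    ]
```

Run the returned list with subprocess.run after resolving the descriptor; no --deny-bit is passed, so an existing deny on the same group is left in place rather than silently cleared.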