
I am trying to deploy an on-prem instance of Azure DevOps Server to a VM in an Azure Government subscription (which, by its nature, does not seem to support standard DevOps).

This template is referenced within support material directly from Microsoft:

https://github.com/usri/deploy_DevOps_Server_AzureSQL

All the referenced resources were created from scratch for the purpose of getting this server running.

This requires an AAD account with the associated password stored in a Key Vault. However, every attempt I make to run the template returns the following error on the 'Write VirtualMachines' step (when all other components pass):

The client has permission to perform action 'Microsoft.Compute/images/read' on scope '(MY_SUBSCRIPTION)\(MY_RESOURCEGROUP)\(VM)', however the current tenant '(MY_KEYVAULT)' is not authorized to access linked subscription '(ID in the template with the deployment files)'

This seems to me like the password cannot be retrieved from Key Vault. Is it a formatting issue with the Secret? An access control issue somewhere? I've tried many different combinations of both. Hopefully this is just a trivial issue.

Are you able to achieve the deployment with the same Azure subscription locally? -- PatrickLu-MSFT

@PatrickLu-MSFT Unfortunately no. Looking at the deploy script line 294, it seems that the key vault authentication is needed to access the image for the VM (the 093847b0 subscription is what's referenced in the error). -- Tyler L.

Hi Tyler, thanks for your kind info. According to your info, I would suggest you file a ticket with the Azure support team, especially since Azure Government is not a widespread scenario. -- PatrickLu-MSFT

@PatrickLu-MSFT That's what we had to end up doing; a technician is on the case. Like you said, Azure Gov (and especially this template's actions) seems to be somewhat niche. -- Tyler L.

If you finally get a solution for this, you could share the solution here and mark it, which will also help others in the community in case they get stuck with the same scenario. -- PatrickLu-MSFT

1 Answer


I am the original author of the code in that repo. I went ahead and merged a pull request into that repo which should address your issue. I did the following:

  • Updated the ReadMe file to include information on creating the image
  • Updated the azuredeploy.json with parameters for Key Vault & image references
  • Updated the ps1 file to eliminate hard links for KV (a particularly bad oversight on my part, my apologies).
  • Updated and tested everything for the latest version of Azure DevOps Server 2020

This should fix your issue and several other related ones. I retested the entire deployment from scratch and it worked as designed. A couple of other quick notes:

The USRI and all of its repositories, including the one being utilized here, are not Microsoft official repositories. They represent an open-source Azure community dedicated to regulated entity customers. The members who contribute there are mostly Microsoft employees, and the repos themselves just represent interesting and sometimes niche templates that might be of interest.

This particular repo shows a manner in which Azure templates could be used to deploy services when no internet connection is available or permitted. I just used Azure DevOps Server because it was interesting and regulated industry customers use it.

All the best
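The answer's second and third bullets (parameterizing the Key Vault and image references, and removing hard-coded Key Vault links) describe a pattern worth seeing in full, because a Key Vault or image ID baked into a template with someone else's subscription ID is exactly the kind of thing that surfaces as a "not authorized to access linked subscription" error when the template is reused in another tenant such as Azure Government. The ARM template below is an added illustration of that pattern and is not the repo's own azuredeploy.json: every parameter name, the `vmAdminPassword` secret name and the `templateLink` URI are assumptions (the URI is a placeholder to be replaced with the linked VM template's location). The weak form it replaces is a literal `"id": "/subscriptions/<someone else's subscription id>/resourceGroups/.../providers/Microsoft.KeyVault/vaults/..."`; here the Key Vault and image resource IDs are built from `subscription().subscriptionId` at deployment time, so the template can only ever point at the subscription it is deployed into.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: the vault holding the VM admin password. No subscription ID is hard-coded anywhere." }
    },
    "keyVaultResourceGroup": {
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": { "description": "Assumed parameter: resource group of the vault; defaults to the deployment's own group." }
    },
    "keyVaultSecretName": {
      "type": "string",
      "defaultValue": "vmAdminPassword",
      "metadata": { "description": "Assumed secret name; the secret value itself never appears in the template or parameter file." }
    },
    "imageName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: the managed image the VM is built from (the resource behind Microsoft.Compute/images/read)." }
    },
    "imageResourceGroup": {
      "type": "string",
      "defaultValue": "[resourceGroup().name]"
    },
    "vmName": { "type": "string" },
    "adminUsername": { "type": "string" }
  },
  "variables": {
    "keyVaultId": "[resourceId(subscription().subscriptionId, parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
    "imageId": "[resourceId(subscription().subscriptionId, parameters('imageResourceGroup'), 'Microsoft.Compute/images', parameters('imageName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "vmDeployment",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "https://PLACEHOLDER.example/vm.json",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "vmName": { "value": "[parameters('vmName')]" },
          "adminUsername": { "value": "[parameters('adminUsername')]" },
          "imageId": { "value": "[variables('imageId')]" },
          "adminPassword": {
            "reference": {
              "keyVault": { "id": "[variables('keyVaultId')]" },
              "secretName": "[parameters('keyVaultSecretName')]"
            }
          }
        }
      }
    }
  ]
}
```

Two checks go with this pattern. A Key Vault reference with a dynamically built ID only works inside a nested deployment like the one above, because the outer deployment's parameter file cannot contain template expressions. And the vault must have `enabledForTemplateDeployment` set to `true`, with the principal running the deployment holding `Microsoft.KeyVault/vaults/deploy/action` on it; otherwise the secret retrieval fails even when every resource ID is correct, which is the other thing to verify before concluding the secret's formatting is at fault.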