Empowering Teammates to Dynamically Set Azure Subscriptions in Azure DevOps Pipelines


Hi,

I have a query regarding my Azure DevOps Pipeline. I am running a DevOps pipeline where I am running a PowerShell script that will generate an assessment report about my Azure subscription. In that report, we will get all the details about my subscription like what type of resources and how many resources are there.

So the script is working fine and I am getting the desired result.

Now let's talk about the problem I am facing:

  1. The DevOps pipeline I am running is using a self-hosted agent and I am using my laptop as a self-hosted agent.
  2. So I am triggering my Azure DevOps pipeline externally via Azure CLI using this command: az pipelines run --name AssessmentTool_Report-CI --org https://dev.azure.com/DheemanDas --project test and it worked successfully.
  3. Now this is the currently logged-in subscription in my Azure CLI:

Iaas Migrations-Staging Subscription.

My Script gives me the assessment report of this subscription because I have set this subscription in my Azure CLI using these commands:-

az login --tenant <your_tenant_id>

az account set --subscription <your_subscription_id>

  4. Now I have given access to my DevOps project to my teammate. So now she is running these commands again on her local machine.

az login --tenant <your_tenant_id>

az account set --subscription <your_subscription_id>

and set another tenant and another subscription in her Azure CLI. So right now in her machine, the currently logged subscription is Azure Stagging Subscription.

So, now my teammate is running this command on her machine:

az pipelines run --name AssessmentTool_Report-CI --org https://dev.azure.com/DheemanDas --project test

This command again triggers the Azure pipeline, but after the pipeline execution is finished we can see that it generates an assessment report for this subscription: Iaas Migrations-Staging Subscription. But my teammate set this subscription, Azure Stagging Subscription, on her machine. I want to be able to give access to anyone inside my Azure DevOps project so that they set their desired subscription on their local machine, trigger the pipeline, and generate the assessment report for their subscription.

One thing to keep in mind is that in this whole process, I am using my laptop as a self-hosted agent, but my teammate does not.

Can anyone give me a proper solution for this problem without installing a self-hosted agent on everyone's machine? Rather, I am just using my machine as a self-hosted agent and I can give access to anyone inside my Azure DevOps project, and they set their desired subscription on their local machine, trigger the pipeline, and generate the assessment report for their subscription.

I hope you understand my question and the scenario that I want to explain.

Please help me.

Thanks in advance:)

5 Replies
Set a parameter in your pipeline that allows the user to specify a subscriptionId. Then use this subscriptionId parameter in your script. Have the other teammates invoke the pipeline with:
az pipelines run --name AssessmentTool_Report-CI --org https://dev.azure.com/DheemanDas --project test --parameters SubscriptionId={sub}

@Jacob_Peterson

Your solution is not working. It is taking the Azure subscription that is set in my PowerShell. On my machine, subscription "B" is set. So, I have cleared all my set subscriptions in my PowerShell with this command: Clear-AzContext -Force. After that, my teammate set the Azure subscription on his machine, like he set subscription "A". Now it should take subscription "A" and generate an assessment report about subscription "A". So, he ran this command to trigger my pipeline: az pipelines run --name AssessmentTool_Report-CI --org https://dev.azure.com/DheemanDas --project test. But it is taking subscription "B" that is set on my machine. But I have cleared all my set subscriptions on the machine using this command: Clear-AzContext -Force. Then why is it taking subscription "B"? Why is it not taking my teammate's subscription that he set on his machine?
Can you please help me to solve this issue? How can I fix it permanently?

@Dheeman 

  1. If you do not have one already, create an AzureRM Service Connection in Azure DevOps.  Grant the Service Principal the appropriate role in each subscription that you want it to read from (likely reader would be sufficient).  Copy the Service Connection's ID to the clipboard.
  2. In your pipeline, add this new PowerShell task.  This will "target" the Service Connection to the subscriptionId that was passed in.

- pwsh: Write-Host "##vso[task.setendpoint id={YOUR SERVICE CONNECTION ID HERE};field=dataParameter;key=subscriptionId]${{ parameters.SubscriptionId }}"
  displayName: Set Subscription

  3. Then change the task type for your script that you wrote.  Use the Azure CLI task with PowerShell and use this Service Connection that you created.  Now it should authenticate to the subscription you passed in and execute your script in that context.  It will not matter what you logged into last on your local machine.
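
A pipeline that follows the three steps in the reply above, written as an added example and not the poster's or Jacob's own pipeline. It checks that the SubscriptionId parameter is a GUID and hands it to the scripts through an environment variable, so text typed at queue time is never expanded into script that runs on the self-hosted agent; the pool name, the two service connection placeholders and AssessmentReport.ps1 are assumptions.

```yaml
# Added example. Values in <...> are placeholders to fill in; names marked "assumed" are illustrative.
trigger: none                      # run only when queued, e.g. with az pipelines run

parameters:
  - name: SubscriptionId           # supplied with --parameters SubscriptionId=<guid>
    type: string

pool:
  name: Default                    # assumed name of the pool that holds the self-hosted agent

steps:
  - pwsh: |
      # Accept only a well-formed GUID; anything else stops the run here.
      $parsed = [guid]::Empty
      if (-not [guid]::TryParse($env:REQUESTED_SUBSCRIPTION, [ref]$parsed)) {
        throw "SubscriptionId parameter is not a GUID"
      }
      # Emit the canonical GUID, never the raw parameter text.
      Write-Host "##vso[task.setendpoint id=<SERVICE_CONNECTION_ID>;field=dataParameter;key=subscriptionId]$parsed"
    displayName: Validate and set subscription
    env:
      # Passed as data through the environment instead of being expanded into the script body.
      REQUESTED_SUBSCRIPTION: ${{ parameters.SubscriptionId }}

  - task: AzureCLI@2
    displayName: Generate assessment report
    inputs:
      azureSubscription: <SERVICE_CONNECTION_NAME>
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        # Confirm the service connection landed on the requested subscription before reporting.
        $active = az account show --query id --output tsv
        if ($active -ne $env:REQUESTED_SUBSCRIPTION) {
          throw "Active subscription $active does not match the requested one"
        }
        ./AssessmentReport.ps1     # assumed (hypothetical) name for the existing report script
    env:
      REQUESTED_SUBSCRIPTION: ${{ parameters.SubscriptionId }}
```

The service principal behind the connection still needs only the Reader role on each subscription, as step 1 of the reply says, and a GUID given in a non-canonical form (braces, no hyphens) fails the second check rather than running against an unexpected subscription.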

Hi Jacob,

I am using the Azure classic editor pipeline. How can I apply the 2nd and 3rd steps?

Please help me :)

@Dheeman 

Please convert your pipeline to YAML. You can find some MS documentation here.