Has anyone deployed a function app with a self-hosted agent? Looks like the ADO tasks all require a service connection.
- task: AzureFunctionApp@2
  inputs:
    connectedServiceNameARM: # string. Alias: azureSubscription. Required.
We have a hub-spoke architecture with a ton of security and have the agents deployed to each hub, that's how we currently deploy.
Also can't create a service connection to our government subs.
1 Answer
Whether you're using a self-hosted agent or Microsoft provided cloud agent, you'll need credentials in the Azure Subscription. You're going to need a service principal of some kind.
Service Connections are the preferred and fundamental concept for securely abstracting away endpoint and credential details from the pipeline authors. The vast majority of tasks in the Azure DevOps Marketplace are engineered with this concept and require a service connection. Service Connections also offer additional levels of security in that each pipeline must be authorized by the service connection owner, and approvals and checks can be applied to regulate their use with approvals, business hours, etc. Service Connections also support workload identity federation (OIDC), so there are no application secrets that need to be recycled.
Assuming your hub-and-spoke model uses separate subscriptions for the spokes and a common AD tenant in the hub, you can either:
- create a single identity (service principal) and grant it the necessary credentials to each subscription. Create one service connection that targets the Management Group (instead of the subscription); or
- create an identity per subscription with the appropriate credentials. Create a service-connection per identity.
Azure DevOps supports service connections that target Azure Government.
If you don't have the authority to create the service principal, the service principals can be created by an admin and then manually configured within Azure DevOps.
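To show how the pieces above fit together, here is an added example pipeline (not code from the question or the answer): the self-hosted agent pool and the service connection are independent settings, so a job can run on a hub agent while AzureFunctionApp@2 authenticates through a service connection that uses workload identity federation. The pool name, service connection name, environment name and function app name are placeholders.

```yaml
# Added example; all names are placeholders to replace with your own.
variables:
  # Azure Resource Manager service connection created by an admin with
  # workload identity federation, so no client secret lives in the pipeline.
  azureServiceConnection: 'sc-platform-mg-wif'   # placeholder
  functionAppName: 'func-orders-prod'            # placeholder

stages:
  - stage: Build
    jobs:
      - job: Package
        pool:
          name: 'hub-agents'   # self-hosted agent pool in the hub (placeholder)
        steps:
          - task: ArchiveFiles@2
            inputs:
              rootFolderOrFile: '$(Build.SourcesDirectory)/src'
              includeRootFolder: false
              archiveType: 'zip'
              archiveFile: '$(Build.ArtifactStagingDirectory)/app.zip'
          - publish: '$(Build.ArtifactStagingDirectory)/app.zip'
            artifact: drop

  - stage: Deploy
    dependsOn: Build
    jobs:
      - deployment: DeployFunctionApp
        pool:
          name: 'hub-agents'   # same self-hosted pool, reaches the spoke privately
        # Approvals and checks attached to this environment (and to the service
        # connection itself) gate the deployment; the YAML cannot bypass them.
        environment: 'prod'    # placeholder
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: drop
                - task: AzureFunctionApp@2
                  inputs:
                    # The task still needs credentials; they come from the
                    # service connection, not from the agent host.
                    connectedServiceNameARM: '$(azureServiceConnection)'
                    appType: 'functionApp'
                    appName: '$(functionAppName)'
                    package: '$(Pipeline.Workspace)/drop/app.zip'
                    deploymentMethod: 'zipDeploy'
```

The identity behind the service connection needs a role assignment on each spoke subscription (or on the management group, per the first option above) for the deployment step to succeed.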