azure-pipelines-agent: Can't Authorize YAML Build Task to Use Service Connection

When I try to build my source using the YAML below:

pool:
  vmImage: 'Ubuntu 16.04'

variables:
  imageName: 'xxxredactedxxx'
  projectfolder: 'xxxredactedxxx'

steps:
- script: docker build -f $(projectfolder)/Dockerfile -t $(imageName):$(build.buildId) -t $(imageName):latest .
  displayName: 'docker build'

- task: AmazonWebServices.aws-vsts-tools.ECRPushImage.ECRPushImage@1
  displayName: 'Push Image: '
  inputs:
    awsCredentials: 'AWS'
    regionName: 'eu-west-1'
    sourceImageName: '$(imageName)'
    repositoryName: '$(imageName)'
    autoCreateRepository: true

I get the following error:

Job phase1: Step input awsCredentials references service connection AWS which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz

I confirm I have a service connection named AWS.

I tried reading the link in the error message. However, the article doesn’t show any directions on how to authorize the build to use the service connection.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 21 (7 by maintainers)

Most upvoted comments

@HasanAyan the trick is, if you make a trivial edit to the definition in the web (e.g. add a variable) then save your build definition, vsts will scan your yaml file and authorize the service connection you just referred to.

@rhummelmose we completely agree. This is too much friction.

The next step is, we are working on a resource authorization experience on the definition editor page. From that page, you should be able to see what resources are authorized (service connections, queues, secure files), and authorize additional resources. I believe this will be landing in the next 1-2 sprints. We work in 3-week sprints.

I agree that in a project you should have an easy way to consume any service connection. This makes the most sense for small team scenarios. Larger organizations may want more control; we have thoughts about additional features to control policy. Solving these problems is on our backlog.

How about we just get this fixed so we don’t have to jump through hoops 😃

I had this same issue. I followed the instructions from the old documentation which fixed my issue. Basically, you need to go through the web UI to get it to reload the build definition and authorize the connection.

But then, this makes me question, why is there a build definition authorization at all? Maybe the build definitions in a project should be allowed to consume the service connections in the same.

Word. But then again, that would be easy and fun to use.

@sugarjig: I believe this is a pure Service Connection Authorization problem, just like @HasanAyan explained it in the previous post:

[…] If you include access to your service here and save your build definition, vsts will scan your yaml file and authorize the service connection you just referred to. Everything will work.

However, if your yaml file didn’t utilize a service connection initially and you would like to include it in your build definition later on by doing a commit, vsts will not scan the yaml file again to discover and authorize the service connection uses.

Just like you said, I hope this is NOT normal behavior!
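
The failure mode described in the thread (a service connection first referenced by a later commit is not scanned and authorized) can be flagged before pushing. The following is an added example, not code from the thread or from the azure-pipelines-agent project: it compares two revisions of a pipeline file and reports service connection names that appear only in the new one. The `CONNECTION_INPUTS` set, the function names and the two sample revisions are assumptions constructed for illustration; only the `awsCredentials` input and the `AWS` connection name come from the issue.

```python
import re

# Assumption: input names whose value is a service connection. Only
# awsCredentials comes from the thread; add the inputs your own tasks use.
CONNECTION_INPUTS = {"awsCredentials"}

# Matches "key: value" mapping lines; list items ("- task: ...") do not match.
_INPUT_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*:\s*(.*?)\s*$")


def connection_refs(yaml_text, input_names=CONNECTION_INPUTS):
    """Return the set of service connection names referenced in a pipeline file."""
    refs = set()
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0]  # drop trailing and indented comments
        match = _INPUT_RE.match(line)
        if not match or match.group(1) not in input_names:
            continue
        value = match.group(2).strip("'\"")
        if value:
            refs.add(value)
    return refs


def newly_referenced(old_yaml, new_yaml, input_names=CONNECTION_INPUTS):
    """Connections used by the new revision that the old revision never used."""
    return connection_refs(new_yaml, input_names) - connection_refs(old_yaml, input_names)


# Constructed sample: the old revision only builds, the new one adds the push step.
OLD_YAML = """\
steps:
- script: docker build -t $(imageName):latest .
  displayName: 'docker build'
"""

NEW_YAML = OLD_YAML + """\
- task: AmazonWebServices.aws-vsts-tools.ECRPushImage.ECRPushImage@1
  inputs:
    awsCredentials: 'AWS'   # service connection introduced by this commit
    regionName: 'eu-west-1'
"""

if __name__ == "__main__":
    for name in sorted(newly_referenced(OLD_YAML, NEW_YAML)):
        print(f"new service connection reference: {name} (authorize it before the build runs)")
```

A non-empty result means the commit introduces a connection that, per the comments above, still has to be authorized by saving the build definition in the web UI.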