Uploading files from AzureDevops
When you deploy things to Azure you often find yourself using the Azure File Copy task. Sometimes to allow an APIm deploy to read policy files, sometimes when you use ARM master templates and sometimes just to deploy files to a storage.
Using minimal access levels
When deploying from Azure DevOps you use a Service Connection. That connection is represented as an Application Registration and Enterprise Application in your Azure Tenant.
Using the Enterprose Application you set the access rights needed by Azure Devops in order to deploy ARM-templates or upload files.
One way of solving a problem is to use the big hammertm and just make the Service Connection identity subscription Owner, but, like a big hammer, that can cause big problems. I like using the minimal approach. Do not assign higher access rights than the deployment needs.
What is needed to upload
They are really strange but these are the exact, minimal access-rights (or role assignments) needed for the storage account you want to upload a file to.
| Role | Scope |
|---|---|
| Contributor | The Storage Account |
| Reader | The Resource Group containing the storage account |
| Storage Blob Contributor | The Storage Account |
But wait there is more
Additionally you need to create the Container you want to upload files to. If you do not create the container, you will get a very misrepresenting error along the lines of
[error]Storage account: [accountname] not found. The selected service connection 'Service Principal' supports storage accounts of Azure Resource Manager type only.
Yeah, I did this … don’t make the same … mistake. I mean, the error does say that it cannot find the storage account. It should say
[error]Storage URI: The URI [URI here] was not found. Make sure the whole URI exists and is accessable by the Service Principal.