
which user do Azure devops pipelines run as?

We have azure devops pipelines to build and deploy various projects.

Recently, we wanted to use the "azure blob file copy" pipeline to copy some files to a blob storage.

This needs write access to the storage account over in azure.

Our administrator says that the pipeline runs as whoever manually runs the pipeline. If this is true, we would have to give all devs and users read/write access to the blob storage, which would be crazy.

I assume he is wrong, and that pipelines run as a specific designated user no matter how they were kicked off. The question is, how to find out what this user is for a given pipeline?

The "edit pipeline" has a security tab near the top, and this lists a bunch of "Azure Devops groups", which are presumably groups who have the ability to run the pipelines.

But where is the pipeline user defined?

I believe the pipeline runs as the "agent". Who the "agent user" is will depend on, first, whether you've chosen a "Microsoft-hosted" or "self-hosted" agent to run your pipeline.

When running pipelines in Azure DevOps that are directly working with Azure Resources you need an Azure Resource Manager service connection. The credentials used to make the service connection are the credentials the pipeline will use when it runs.

You can have your administrator provide you with an Azure AD account that has the permissions you need and then use that Azure AD account to create the service connection for the pipeline. Once you have created the service connection you can use the ResourceID of that connection in place of your azureSubscription.

Here is the link to the Microsoft documentation on creating a service connection.

Here is the link to the Microsoft documentation on the Azure file copy task. To verify you can use the service connection in place of the azureSubscription.

which user do Azure devops pipelines run as?

It depends on the context in which you are discussing the question.

If you mean inside a pure DevOps service, then I can tell you that the user that the pipeline runs on is not the one who triggers the pipeline (which is the case with native DevOps services by default, unless you install some weird extension or have a problem with the pipeline special design), but this identity:

<Project Name> Build Service Account

'run as someone' is just a property of the pipeline run. The pipeline runs as 'Build Service Account' (on the DevOps side). If you need a pipeline to download or upload an artifact, you can clearly feel this. If the account mentioned above has no permission, you can't do anything.

If you mean the user's operations based on the Azure side, then I can tell you that for native DevOps service, the 'user' that the pipeline performs operations on the Azure side is not the person who triggers the pipeline. The pipeline of DevOps service consists of multiple tasks, and tasks generally interact with other services through service connection (you can find this in Project settings).

There are many types of service connections. When interacting with services in Azure, this type is generally used:

Azure Resource Manager -> Service principal

When you create a service connection of this type on the DevOps side, Azure will also create an AAD app related to this service connection, and this AAD app corresponds to a service principal in Azure. In Azure, permissions are assigned based on service principals or users, and your DevOps pipeline's operations to Azure are based on this service principal and have nothing to do with anything else in DevOps. On the Azure side, this service principal can be considered as an Azure-side 'avatar' of the tasks of the DevOps pipeline.

If you are interacting with Azure through pure code/pure script, then please follow the logic of the script/code.

Our administrator says that the pipeline runs as whoever manually runs the pipeline. If this is true, we would have to give all devs and users read/write access to the blob storage, which would be crazy.

For native DevOps service, of course not. Unless this pipeline has a special design.
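The point made in the two answers above (the Azure-side identity is the service principal behind the Azure Resource Manager service connection named in `azureSubscription`, not the person who queued the run) can be checked from inside the pipeline itself. The following Azure Pipelines YAML is an added example, not code from the question or the answers; the service connection name `sc-storage-writer`, the storage account `stexampledata` and the container `releases` are assumed placeholders.

```yaml
# Added example: show which Azure identity a pipeline actually uses, then do the
# blob copy with that same identity. Assumed names: service connection
# "sc-storage-writer", storage account "stexampledata", container "releases".
trigger:
  - main

pool:
  # The AzureFileCopy task runs on Windows agents only. The agent's OS user is
  # NOT what Azure sees; Azure only sees the service principal of the connection.
  vmImage: windows-latest

steps:
  # Check: sign in with the service connection and print the identity it holds.
  # For an Azure Resource Manager -> Service principal connection, user.type is
  # "servicePrincipal" and user.name is the app id, whoever triggered the run.
  - task: AzureCLI@2
    displayName: Show the Azure identity behind the service connection
    inputs:
      azureSubscription: sc-storage-writer
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        az account show --query "{name:user.name, type:user.type}" -o table

  # The copy itself. Write access (for example a Storage Blob Data Contributor
  # role on the storage account) is granted to that service principal only;
  # the developers who trigger the pipeline need no rights on the storage.
  - task: AzureFileCopy@4
    displayName: Copy build output to blob storage
    inputs:
      SourcePath: $(Build.ArtifactStagingDirectory)/*
      azureSubscription: sc-storage-writer
      Destination: AzureBlob
      storage: stexampledata
      ContainerName: releases
```

If the copy fails with an authorization error while the first step still prints the expected service principal, the missing permission is a role assignment on the storage account for that principal, not a permission of any DevOps user or group.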
