I'm attempting to download a file using an Azure DevOps task but hitting a roadblock. The task fails with a warning that no credentials are provided, suggesting I should specify either a connection string, account key, or a SAS token. Here's how I've set it up:
- Task: AzureCLI@2 for downloading a blob.
- My script is set to use auth mode login to avoid generating SAS tokens repeatedly.
- My service principal has contributor access in my Azure subscription.
- I've also ensured that the outbound IP of the ADO agent is allowed by the storage account's network settings.
Despite this, I'm getting an error indicating that the network rules of the storage account may be blocking the request. I've run the suggested command to check the network rule set, but I'm not sure what the next steps should be. Can anyone point me in the right direction?
2 Answers
Consider using self-hosted agents for your Azure DevOps tasks. They reduce the hassle of constantly updating service firewalls whenever a deployment happens. I’ve found them much more manageable overall, despite the initial setup effort.
It sounds like your service principal might not have the necessary access rights to the specific storage account. Even though you're a contributor, you'll need to assign the Storage Blob Data Reader role to your service principal for that storage account to access the files properly. Make sure to check if you've assigned the right roles!
I ran into a similar issue! Caught me off guard since I assumed being a contributor was enough. Adding the right role sorted it out for me.
Yeah, I get the appeal of Microsoft-hosted agents, but self-hosted gives you more control—less hassle with network rules too.