VSTS is well integrated with Azure and it’s very easy to get something deployed to a webapp / function / container from a build.
The integrated deployment options are all going through a Service Endpoint that is defined in the Services configuration panel of a given project in VSTS. Creating a new connection is as easy as connecting to a Microsoft account (personal or work), then selecting a subscription. However, the default endpoint creation provides write access to the entire subscription. This is because, behind the scenes, VSTS is using your account to create a service principal within Azure Active Directory, giving itself contributor access at the subscription level, and then authenticating itself through that principal.
It may work when playing around with VSTS, or in small organizations where everyone can do everything. However, in larger organizations, you may want to restrict a given project to certain resource groups, or either resources of the subscription. Conversely, you may want to do the opposite, and prevent having to create multiple endpoints by giving the principal access rights to more than just one subscription.
So the question is: how to restrict the permissions of VSTS’ principal?
We’ll be adjusting the principal’s access rights directly in the Azure portal by removing and adding relevant permissions
Let’s imagine I’m creating a connection for a subscription containing two resource groups corresponding to 2 departments: accounting and supply chain.
I’m setting up the VSTS project for the supply chain team, which should not have access to the accounting resources.
Update principal’s access rights
First, we’ll create a service endpoint for our project - in the ⚙/Services panel of the project1.
If I go ahead and create a new build in the Supply Chain project, and select the endpoint I just created, we can see all the resources in the subscription:
Having a look at the subscription level, we can see that a service principal has been created and made contributor2:
Fixing the access rights is then done by stripping the contributor rights on the subscription, and granting them on the resource group:
- Select the Service Principal in the IAM list on the subscription, then click remove
- Go into the Supply Chain resource group, then add the Service Principal as a contributor then save.
Now when looking at VSTS, we can check that only accessible webapps are listed3:
Alternatively, the service principal can be created directly in the AAD portal, or through scripting, then enrolled in VSTS using its client id and secret key. ↩
Service principal’s id can be found in the Service Endpoints’ configuration panel. Select the connection you created, then click “Advanced”, copy the client id, and searching for this id in your AAD should return only the corresponding user. ↩
You need to click on the “Refresh” button to actually see it, but access rights are fixed regardless. ↩