Unable to authorize Azure-Devops agent pool, received as a variable

Question

I have multiple agent pools that require a pipeline to request authorization. When I assign a hardcoded value like pool: STAGING to the pipeline, it stops and asks for authorization.

⚠️ This pipeline needs permission to access a resource before this run can continue to Update environments View

However, when I inject the pool name to the pipeline as a runtime variable, for example as part of a matrix strategy like this:

  - job: update
    strategy:
      matrix:
        dev:
          poolName: 'DEV'
        stg:
          poolName: 'STAGING'
      maxParallel: 2
    pool: $(pool)

It fails, with the authorization error:

##[error]Pipeline does not have permissions to use the referenced pool(s) AWS_STG_02_RELEASE. 
For authorization details, refer to https://aka.ms/yamlauthz.

But there's no prompt to authorize.

Answer 1

In Azure DevOps Services

For dynamically assigned pools you'll need to grant the pipeline access to the pool from the pool's configuration instead:

• Navigate to the Project settings
• Expand the Agent Pools blade
• Select the Agent pool you want to authorize
• On the Security tab add the pipeline with the   +   button

From the docs referenced in the URL that's mentioned in the logs:

Go to the administration experience of the resource. For example, variable groups and secure files are managed in the Library page under Pipelines. Agent pools and service connections are managed in Project settings. Here you can authorize all pipelines to access that resource. This authorization is convenient if you don't have a need to restrict access to a resource - for example, test resources.

In Azure DevOps Server

Unfortunately, this feature hasn't made it into Azure DevOps Server yet (last version checked: 2022.0). I do suspect the REST API exists under the hood.

You could try approving the pipeline by updating the agent pool permissions:

$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
Invoke-WebRequest -UseBasicParsing -Uri "https://dev.azure.com/jessehouwing/6484ebc3-af16-4af9-aa66-6b3398db7214/_apis/pipelines/pipelinePermissions/queue/24" `
  -Method "PATCH" `
  -WebSession $session `
  -Headers @{
    "method"="PATCH"
    "accept"="application/json;api-version=5.1-preview.1;excludeUrls=true;enumsAsNumbers=true;msDateFormat=true;noArrayWrap=true"
    "x-vss-reauthenticationaction"="Suppress"
  } `
  -ContentType "application/json" `
  -Body "{`"resource`":{},`"pipelines`":[{`"authorized`":true,`"authorizedBy`":null,`"authorizedOn`":null,`"id`":73}]}"

The id being passed in is the id of the pipeline definition.

Answer 2

Not a solution, but workaround. I changed a pool to a hardcoded value once. Reran the pipeline and granted the requested authorization. After doing it pipeline is already authorized to use the pool and can work with the agent pool set in runtime.