Failed to create BuildServiceHost object. User DOMAIN\MyUsername needs the 'ManageBuildResources' permission - tfs

I am trying to set up Team Foundation Server Build Automation on my local desktop. I am giving my credentials as the account the service is to run as, and my credentials have Admin privileges for the Team Collection according to the IT team. But I am getting the below error:
[ Verify that the running account has the required Team Foundation Server permissions ] Failed to create BuildServiceHost object. User DOMAIN\MyUsername needs the 'ManageBuildResources' permission.
What am I missing here?

It seems you provided your personal domain account in the Build Service Properties window as the Build Service account.
Just as the error message says, please double-check the account's permissions at your Team Project Collection level and ensure it has the Manage build resources permission. You could ask your TFS admin to use the tf permission command to list all related info.
Moreover, the Build Service account is usually added to the [CollectionName]\Project Collection Build Service Account group. If you haven't joined this group, then add your account.

ERROR: (gcloud.run.services.update) PERMISSION_DENIED: Permission 'run.services.get' denied on resource 'namespaces/*/services/test-repo'

I have following permissions in google cloud.
BigQuery Admin
Cloud Functions Admin
Cloud Scheduler Admin
Compute Admin
Editor
Source Repository Administrator
Storage Admin
I am creating a Cloud Run container from a Cloud Source Repository, but I am getting the following error:
ERROR: build step 2 "gcr.io/google.com/cloudsdktool/cloud-sdk:slim" failed: step exited with non-zero status: 1
ERROR Finished Step #2 - "Deploy"
Step #2 - "Deploy": ERROR: (gcloud.run.services.update) PERMISSION_DENIED: Permission 'run.services.get' denied on resource 'namespaces/buypower-mobile-app/services/test-repo' (or resource may not exist).
If you're using Cloud Build to deploy the Cloud Run service, then the error you're getting is because the Service Account used by Cloud Build does not have sufficient permissions to update the Cloud Run service, according to the official documentation.
The specific error is that permission is denied on run.services.get. This permission is part of either roles/run.admin or roles/run.developer. Both roles also include the permission run.services.update, which it'll need.
To get it working, you will need to add one of those roles to the Service Account that is being used by Cloud Build.
Along with @DazWilkin's answer, I was having difficulty determining whether the service account actually had the run.services.update permission, especially since I was using GitHub Actions with Workload Identity Pools for auth and impersonating a service account.
I'd recommend doing the following:
1. Check if your auth is working correctly:
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/xxxxx/locations/global/workloadIdentityPools/my_pool/providers/my_provider'
          service_account: 'my-service-account@{PROJECT_ID}.iam.gserviceaccount.com'
          # this will make this step fail if auth fails
          token_format: 'access_token'
2. Check if the service account used above and in google-github-actions/deploy-cloudrun@v0 has the run.services.update permission. There are 2 places you can check:
a) Policy Troubleshooter - Use the service account, select your project, and enter the permission. This will immediately tell you whether you have the permission or not
b) Policy Analyzer - Create Custom query, use Permission as parameter, click continue and Run Query. This will show you all the principals that have the permission you're looking for
If your service account doesn't have the correct permission you need to add it from the IAM & Admin -> IAM page
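The two answers above say the same thing from different angles: the principal that Cloud Build (or the impersonated GitHub Actions identity) runs as must hold roles/run.admin or roles/run.developer on the project. The Policy Troubleshooter is the console way to confirm that; the script below is an added example, not code from either answer, that does the equivalent check from the command line over a role-binding listing. It assumes the tab-separated role/member format that `gcloud projects get-iam-policy PROJECT --flatten='bindings[].members' --format='value(bindings.role,bindings.members)'` prints, and the sample policy it checks is constructed inline (the project, bucket and account names in it are placeholders).

```shell
#!/bin/sh
# Added example (not from the original answers): decide whether a principal
# holds one of the predefined roles that carry run.services.get/update.

# The two roles the answer above names as carrying run.services.update.
RUN_DEPLOY_ROLES="roles/run.admin roles/run.developer"

# list_roles POLICY_FILE MEMBER: print each role bound to MEMBER, one per line.
# POLICY_FILE holds "<role>\t<member>" lines (assumed gcloud value() output).
list_roles() {
  awk -F'\t' -v m="$2" '$2 == m { print $1 }' "$1"
}

# can_deploy_cloud_run POLICY_FILE MEMBER: exit 0 if MEMBER holds a deploy role.
can_deploy_cloud_run() {
  for role in $(list_roles "$1" "$2"); do
    for wanted in $RUN_DEPLOY_ROLES; do
      [ "$role" = "$wanted" ] && return 0
    done
  done
  return 1
}

# report_member POLICY_FILE MEMBER: human-readable verdict for one principal.
report_member() {
  echo "roles bound to $2:"
  list_roles "$1" "$2" | sed 's/^/  /'
  if can_deploy_cloud_run "$1" "$2"; then
    echo "  -> can update Cloud Run services"
  else
    echo "  -> MISSING roles/run.admin or roles/run.developer"
  fi
}

# fetch_policy PROJECT OUT_FILE: pull the live project policy in the format the
# functions above expect (real gcloud command; only usable where gcloud exists).
fetch_policy() {
  command -v gcloud >/dev/null 2>&1 || { echo "gcloud not installed" >&2; return 1; }
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --format='value(bindings.role,bindings.members)' > "$2"
}

# Constructed sample policy standing in for real gcloud output (placeholder names).
SAMPLE_POLICY="${TMPDIR:-/tmp}/sample-policy.$$"
trap 'rm -f "$SAMPLE_POLICY"' EXIT
printf '%s\t%s\n' \
  'roles/editor'        'user:alice@example.com' \
  'roles/storage.admin' 'serviceAccount:123456@cloudbuild.gserviceaccount.com' \
  'roles/run.developer' 'serviceAccount:deployer@example-project.iam.gserviceaccount.com' \
  > "$SAMPLE_POLICY"

# The Cloud Build account in the sample has storage rights but no Cloud Run role,
# which is exactly the situation the question's PERMISSION_DENIED describes.
report_member "$SAMPLE_POLICY" 'serviceAccount:123456@cloudbuild.gserviceaccount.com'
report_member "$SAMPLE_POLICY" 'serviceAccount:deployer@example-project.iam.gserviceaccount.com'
```

To run it against a real project, call `fetch_policy my-project policy.tsv` and then `report_member policy.tsv serviceAccount:...`; roles inherited from a folder or organization, or granted through a group, will not appear in a project-level policy, which is one reason the Policy Troubleshooter can disagree with this simple check.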

Access problem with service account in gcloud from github actions

I'm quite new to GitHub Actions and gcloud. I'm having trouble getting my GitHub CI/CD pipeline running because I can't push any Docker image to the Google Container Registry due to access restrictions.
What have I done so far:
I have a Quarkus app hosted on github
I used github actions to build the Maven project and the docker image
I created a project in google Cloud and added a service account which I use for the github action. The login seems to work:
Run google-github-actions/setup-gcloud@master
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/ac85f67a-89fa-4eb4-8d30-3f6379124ec2 -f /home/runner/work/_temp/de491940-a4b1-4a15-bf0a-95d563e68362
/opt/hostedtoolcache/gcloud/342.0.0/x64/bin/gcloud --quiet config set project ***
Updated property [core/project].
Successfully set default project
/opt/hostedtoolcache/gcloud/342.0.0/x64/bin/gcloud --quiet auth activate-service-account github-actions@***.iam.gserviceaccount.com --key-file -
Activated service account credentials for: [github-actions@***.iam.gserviceaccount.com]
If I now try to push the docker image I get the following (expected) error message:
Run docker push "$GCR_HOSTNAME/$PROJECT_ID/$IMAGE:$IMAGE_TAG"
The push refers to repository [eu.gcr.io/***/***]
715ac1ae8693: Preparing
435cfe5f5775: Preparing
313d03d71d4d: Preparing
c5c8d86ccee1: Preparing
1b0f2238925b: Preparing
144a43b910e8: Preparing
4a2bc86056a8: Preparing
144a43b910e8: Waiting
4a2bc86056a8: Waiting
denied: Token exchange failed for project '***'. Caller does not have permission 'storage.buckets.get'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
Error: Process completed with exit code 1.
Next, I opened the Google Cloud Console and created a custom role (IAM & Admin -> Roles -> Create Role) which has the necessary permissions.
Then, I had trouble assigning my new custom role to the service account (IAM & Admin -> Service Accounts -> Manage Access -> Add member). I used the email address of the service account as "New members", but I could not choose the custom role I just created. What am I missing here?
I read somewhere that I can also add service accounts as members (IAM & Admin -> IAM -> Add). Again I used the email address of the service account as "New Members". This time I could choose my custom role. What's the difference from the first approach?
Anyway, if I try to run the GitHub action again, now I get the following error:
Run docker push "$GCR_HOSTNAME/$PROJECT_ID/$IMAGE:$IMAGE_TAG"
The push refers to repository [eu.gcr.io/***/***]
c4f14c9d3b6e: Preparing
fe78d438e8e2: Preparing
843fcae4a8f4: Preparing
dcf8cc80cedb: Preparing
45e8815b101d: Preparing
144a43b910e8: Preparing
4a2bc86056a8: Preparing
144a43b910e8: Waiting
4a2bc86056a8: Waiting
denied: Access denied.
Error: Process completed with exit code 1.
The error message is different, so I guess the permission for the service account somehow worked, but still I can't succeed. Which steps did I miss?
Any help is highly appreciated. Thanks a lot!
One way to debug this is to create a key for the service account on your local host, configure your script|gcloud to use the service account as its credentials and then try the push manually.
One immediate problem may be that you're not authenticating against Google Container Registry (GCR). GCR implements Docker's registry API and you'll need to use one of the mechanisms to authenticate before you can interact with the registry.
Notes:
I think you don't need to create a custom role. You have 2 options. Either (preferred) create an account specifically for the CI/CD job and grant it the minimum set of roles needed including storage.buckets.get. I think you can start with roles/storage.admin and perhaps refine later.
You can grant roles e.g. roles/storage.admin to a Project in which case the permission applies to all Cloud Storage resources or to a specific Bucket in which case the permission applies only to the bucket and its objects.
Service Accounts have a dual role in GCP. As an identity and as a resource (that can be used by other identities). It can be confusing.
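The answer separates two failures that look alike in the push output: the first push was rejected at token exchange because the service account lacked storage.buckets.get, while the second ("denied: Access denied") is what you get when Docker itself has no credential helper for the registry host and never presents the gcloud token. The script below is an added example, not code from the question or the answer: it checks a Docker config for the gcloud helper on the GCR host, wraps the real `gcloud auth configure-docker` call that installs it, and wraps a bucket-scoped `gsutil iam ch` grant for the narrower option the answer mentions. The host eu.gcr.io, the registry bucket name and the sample config files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# (1) Docker must route credentials for the GCR host through the gcloud helper.
# (2) The service account must hold a role carrying storage.buckets.get on the
#     registry bucket (or the project).

GCR_HOST="eu.gcr.io"   # assumed; the question pushes to eu.gcr.io

# gcr_helper_configured CONFIG_FILE HOST: exit 0 when CONFIG_FILE maps HOST to
# the "gcloud" credential helper, so `docker push` obtains a token from gcloud.
gcr_helper_configured() {
  escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Eq "\"$escaped\"[[:space:]]*:[[:space:]]*\"gcloud\"" "$1"
}

# configure_gcr_auth HOST: register gcloud as Docker's credential helper for
# HOST (real gcloud command; only runs where gcloud is installed).
configure_gcr_auth() {
  command -v gcloud >/dev/null 2>&1 || { echo "gcloud not installed" >&2; return 1; }
  gcloud auth configure-docker "$1" --quiet
}

# grant_registry_access BUCKET SERVICE_ACCOUNT_EMAIL: bind roles/storage.admin
# on the registry bucket only, the bucket-scoped grant the answer describes.
# The GCR bucket name is an assumption the caller must supply.
grant_registry_access() {
  command -v gsutil >/dev/null 2>&1 || { echo "gsutil not installed" >&2; return 1; }
  gsutil iam ch "serviceAccount:$2:roles/storage.admin" "gs://$1"
}

# Constructed sample Docker configs standing in for ~/.docker/config.json,
# before and after `gcloud auth configure-docker eu.gcr.io`.
WORK="${TMPDIR:-/tmp}/gcr-auth-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/before.json" <<'EOF'
{ "auths": {} }
EOF
cat > "$WORK/after.json" <<'EOF'
{
  "auths": {},
  "credHelpers": {
    "gcr.io": "gcloud",
    "eu.gcr.io": "gcloud"
  }
}
EOF

for cfg in before.json after.json; do
  if gcr_helper_configured "$WORK/$cfg" "$GCR_HOST"; then
    echo "$cfg: $GCR_HOST uses the gcloud credential helper"
  else
    echo "$cfg: no helper for $GCR_HOST; docker push will get 'denied: Access denied'"
  fi
done
```

In the CI job the fix is the one-liner `gcloud auth configure-docker eu.gcr.io` after `setup-gcloud`, run as the same service account; `gcr_helper_configured "$HOME/.docker/config.json" eu.gcr.io` is a quick way to assert in the pipeline that the helper is actually in place before the push step.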

TFS 15 RC1 - Build agent not running/working - no agent pool found with identifier

We currently have upgraded our Team Foundation Server 2015 to Team foundation server 15, RC1.
But I cannot get our existing or new build agents running. The error we get is always the same:
No agent pool found with identifier 1 (or 2, ....).
I have checked the database and there is an agent pool with that ID.
Any idea anyone?
thanks.
If the build agent pool definitely exists but the error says it can't find the agent pool, then the issue is very likely related to permissions.
When configuring the build agent (newly created or existing), you need to make sure the account running the configure command or script has enough permission.
The user account needs to be part of the Agent Pool Administrator Accounts.
Update
Try below ways to narrow down the issue:
First check that the build server is available and enabled in TFS at https://YOURCOMPANYNAME:8080/tfs/_admin/_AgentQueue, and your build agent should be "Green".
Make sure the agent is in interactive mode.
Try changing to a domain account which is a member of the Build Agent Service Accounts group and belongs to the "Agent Pool Service Account" role, to see whether the agent would work or not.
Double check whether some Firewall settings block the build; try to disable all related settings.
Update 2
Browse the Control Panel - Team Project Collection - Team Project- Agent queues- click agent pool - Roles- click Add... - Add your user ID and select Administrator in Role
After this try again.
Thanks for your time, however the issue is solved with Microsoft support.
It turned out that my default access level was Stakeholder, while build permissions are in Basic. So I had to change the default access level to Basic.
That's obviously a bug in the new RC1, but like you said, it was some kind of a permission issue.
thanks again.
I had the exact same thing: an existing build server, which was working until somebody upgraded it. Error message in the .\BuildAgent_Diag\ folder kept saying
Failed to create session. Sleeping for 10 seconds before next retry
----------------------------------------
Microsoft.TeamFoundation.DistributedTask.WebApi.TaskAgentPoolNotFoundException: No agent pool found with identifier 7.
I already had the service running as a domain account with "build admin" permissions.
The solution was to run 'ConfigureAgent' again: Open a command prompt as administrator. Change directory to your 'BuildAgent' folder (or where ever your 'ConfigureAgent.cmd' file is located) and run 'ConfigureAgent.cmd'. It will ask a few questions. I stayed with the current settings. I had to enter the password for the service account. Eventually the wizard completed and everything worked again.

Deployment agent connection error in release management :Received Exception : System.UnauthorizedAccessException

I am trying to connect my Deployment agent to the RM client from a different domain. I created a shadow account and all the rest, but still it is not working. I am able to connect within the same domain. My RM client and server are on the same machine (a VM), and my deployment agent is in a different workgroup/domain (everything is in VMs). I am getting the below error from the log file.
Created Nt account for user RM.user1
Found Sid S-1-5-21-2704102820-366803756-3152234569-1011 for user RM.user1
Is RM.user1 network service account? False
Created Nt account for user RM.user1
Found Sid S-1-5-21-2704102820-366803756-3152234569-1011 for user RM.user1
Is RM.user1 local system account? False
Domain:
Final UserName: SVWP500\RM.user1.
Loading account details for SVWP500\RM.user1
Is SVWP500\RM.user1 local machine account? True
Normalized account is SVWP500\RM.user1 and Sid is S-1-5-21-2704102820-366803756-3152234569-1011
Validating account to use as identity for Release Management Services...
IsAdminAccount : Trying to determine if the account : SVWP500\RM.user1 is an admin on the local machine
IsAdminAccount : Trying to determine if the account : SVWP500\RM.user1 is an admin on the local machine
User SVWP500\RM.user1 is system, Admin
Validated account to use as identity for Release Management Services.
Validating Release Management Server for Team Foundation Server 2013....
ServiceUserIsServiceUser="1" InstallerUserIsReleaseManager="1" />, Release Management Server for Team Foundation Server 2013 validation succeeded.
Received Exception : System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Security.Cryptography.Utils.SetKeySetSecurityInfo(SafeProvHandle hProv, CryptoKeySecurity cryptoKeySecurity, AccessControlSections accessControlSections)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at Microsoft.TeamFoundation.Release.CommonConfiguration.Helpers.CryptoHelper.<.ctor>b__2(CspParameters container)
at Microsoft.TeamFoundation.Release.CommonConfiguration.Helpers.CryptoHelper.ConfigureDeployerCryptoKey(String userName)
at Microsoft.TeamFoundation.Release.CommonConfiguration.DeployerConfigurationManager.Configure()
at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
Work completed for GetConfiguration() call : got out of turn error
Please help on this.
It looks like the account you are using to register the deployment agent hasn't got permission to access Release Management, because the next step after Team Foundation validation is updating the deployment configuration:
I, 2015/02/13, 08:25:54.156, Release Management Server for Team Foundation Server 2013 validation succeeded.
I, 2015/02/13, 08:25:54.236, Updating Microsoft Deployment Agent 2013 configuration settings...
V, 2015/02/13, 08:25:54.238, Successfully read Release Management deployer registry key, installation path is C:\Program Files (x86)\Microsoft Visual Studio 12.0\Release Management\
V, 2015/02/13, 08:25:54.251, Opening configuration file C:\Program Files (x86)\Microsoft Visual Studio 12.0\Release Management\bin\Microsoft.TeamFoundation.Release.Data.dll.config
I have a similar setup and below are the steps I did to make it work in my environment:
Create a local user (RMServer) on both DomainA\RMServer & DomainB\DeploymentAgentServer machines. Add the users to administrators group
Create a local user (DeployAgent) on both DomainA\RMServer & DomainB\DeploymentAgentServer machines. Add the users to administrators group
From the Release Management client add the .\RMServer account and grant both "Service User" and "Release Manager" permissions (please note: in the Windows account text box don't use machinename\user, just add .\user)
From the Release Management client add the .\DeployAgent account and grant "Service User" (please note: in the Windows account text box don't use machinename\user, just add .\user)
Install the Deployment Agent on DomainB\DeploymentAgentServer as DeployAgent user (created in step 2)
I was using the Microsoft & Wouter de Kort blog

How do you specify the user name VSSConverter.exe should use?

I am using VSSConverter.exe to migrate from VSS to TFS (About time too). I am having an issue because the account I am running it under is not on the same domain as the TFS server. Is there any way to tell the VSSConverter.exe tool which server account to use?
For example when I use the tf command line I add the /login:myname,mypassword switch like this:
C:> tf dir $/ /login:myname,mypassword etc...
Is there some way I can do the same with the VSSConverter.exe?
The error I am getting is this:
TF60071: Your user account does not have permission to connect to the Team Foundation Server 'https://www.example.com/tfs/DefaultCollection'. Please contact your Team Foundation Server administrator and request that the appropriate permission be added to your account.
VSSConverter.exe will try to connect to TFS with the account that it is currently running as. Sometimes that account cannot be added to TFS, or used with TFS, e.g. when there is no domain trust between the two domains.
To specify alternate credentials, you can use Windows Credential Manager to store them. VSSConverter will then try to use these to connect to the server.
In Windows 7, you can do this:
Control Panel > User Accounts > Manage Windows Credentials > Add a Windows credential
Network address: www.example.com
User name: DOMAIN\user
Password: Password
You can also get to it by going to:
Start > Run
Type: rundll32.exe keymgr.dll,KRShowKeyMgr
