How to set up automatic permissions for newly created pipelines on environments and self-hosted agents


We are using Azure DevOps YAML pipelines to automatically create new projects, including the pipelines that are supposed to run on these projects. In the pipelines we specify the environments and VMs on which the pipeline is supposed to run.

[Screenshot: sample permission message]

We can of course approve this manually, but we want to automate this step with the help of the DevOps API. The respective API calls require an agent pool ID for the authentication.

When assigning an agent to a pool directly, this works; however, as soon as we assign the agent to an environment, it vanishes from the agent pools and cannot be found again.

Can someone explain how to properly configure this or see if you are able to reproduce this issue on your end?

We tried setting up multiple agents and installing the agent through the agent pool installation setup as well as the environment setup. Reconfiguring the agent to the environment will result in the agent vanishing from the pool. Agents configured through the environment script in the first place will never show up in the agent pool.


EDIT: Some added context in response to the proposed solution:

[Screenshot: sample approval request]

In the screenshot we can see that there are two different approvals required. The latter can be granted with the second example statement provided.

The first one, however, does not succeed for the agent pool in the example.

Error Message: The resource doesn't exist or the user doesn't have use permission.

I am not entirely sure which ID should be added to the request here, but it does not seem to work with either the one shown in the above example (597) or the one I can find if I look up the pool itself (111). I figured out that I could not find the agent pool under agent pools because it is actually a deployment pool.

Hope that clarifies a little further. Is there a specific endpoint we can address to approve this deployment pool?


EDIT2: We managed to approve resources individually now. The only issue still unresolved is figuring out how to approve multiple resources in one request, to cut down complexity.

Best answer, by Kevin Lu-MSFT:

When you use the Azure DevOps API to approve the environment and the agent pool, they use different API URLs. This can be the cause of the issue.

Approve Agent Pool:

PATCH https://dev.azure.com/{Orgname}/{Projectname}/_apis/pipelines/pipelinePermissions/queue/{poolid}?api-version=5.1-preview.1

Request Body:

{"pipelines":[{"id":{PipelinedefinitionID},"authorized":true}]}

Approve Environment:

PATCH https://dev.azure.com/{Orgname}/{Projectname}/_apis/pipelines/pipelinePermissions/environment/{environmentid}?api-version=5.1-preview.1

Request Body:

{"pipelines":[{"id":{PipelinedefinitionID},"authorized":true}]}

When you use the Azure DevOps API to approve the environment, you need to use the correct API and find the environment pool ID in the environment URL.

[Screenshot: example environment URL with the ID highlighted]

On the other hand, you can also open access to all pipelines in Environments-> Security -> Pipeline permissions

[Screenshot: Environments -> Security -> Pipeline permissions, open access enabled]

In this case, all new/old pipelines will automatically get the access to use the environments without approval.

Update:

I can reproduce the same situation.

[Screenshot: reproduced approval request]

To approve the deployment pool, we need to use the following Rest API:

PATCH https://dev.azure.com/{Orgname}/{Projectname}/_apis/pipelines/pipelinePermissions/agentpool/{agentpoolid}?api-version=5.1-preview.1

Request Body:

{"pipelines":[{"id":{PipelinedefinitionID},"authorized":true}]}

We can get the agent pool id in the deployment pool URL.

Since they use different REST APIs to approve the requests, we are not able to do both actions in one request.

We can consider using a PowerShell script to approve both requests at the same time.

For example:

$pat = "PAT"                          # personal access token; sent as Basic auth with an empty user name
$org = "{ORG}"
$project = "{Project}"
$environmentId = "{envid}"            # taken from the environment URL
$agentPoolId = "{AgentPoolID}"        # taken from the deployment pool URL
$pipelineId = "{pipelineid}"          # pipeline definition ID to authorize

$url1 = "https://dev.azure.com/$org/$project/_apis/pipelines/pipelinePermissions/environment/$($environmentId)?api-version=5.1-preview.1"
$url2 = "https://dev.azure.com/$org/$project/_apis/pipelines/pipelinePermissions/agentpool/$($agentPoolId)?api-version=5.1-preview.1"

$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$pat"))
$headers = @{ Authorization = "Basic $token" }

# The same body works for both resources: authorize this one pipeline definition.
$body = @"
{
    "pipelines": [
        {
            "id": $pipelineId,
            "authorized": true
        }
    ]
}
"@

$response1 = Invoke-RestMethod -Uri $url1 -Headers $headers -Method PATCH -Body $body -ContentType "application/json"
$response2 = Invoke-RestMethod -Uri $url2 -Headers $headers -Method PATCH -Body $body -ContentType "application/json"

If you only use the environment agent in the YAML pipeline, you can remove the environment agent pool from the deployment group. Then it will only show one request when you run the pipeline.
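The answer above shows one PATCH per resource type. The following PowerShell script is an added example, not code from the original question or answer: it generalizes that into a single run that walks a list of resources (environment, deployment pool, agent pool queue), checks with the GET form of the same endpoint whether the pipeline is already authorized, and only issues the PATCH where it is not. The organization, project, pipeline ID, resource IDs and the AZDO_PAT environment variable are assumptions to be replaced; the endpoint paths and the request/response shape (a pipelines array of id/authorized entries, plus an allPipelines flag) are the ones the answer already relies on.

```powershell
# Added example (not from the original answer). Assumed inputs: org/project names,
# a pipeline definition ID, resource IDs copied from the Azure DevOps URLs, and a PAT
# in the AZDO_PAT environment variable.
$org        = "{ORG}"
$project    = "{Project}"
$pipelineId = 123                    # placeholder pipeline definition ID
$apiVersion = "5.1-preview.1"

# Read the PAT from the environment so it never ends up in the script or shell history.
$pat = $env:AZDO_PAT
if (-not $pat) { throw "Set AZDO_PAT to a personal access token first." }
$authHeader = @{
    Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$pat"))
}

# One entry per approval shown on the run summary. Placeholder IDs: take the real ones
# from the environment URL, the deployment pool URL, or the agent pool (queue) URL.
$resources = @(
    @{ Type = "environment"; Id = 5   }   # Environments -> environment -> ID in URL
    @{ Type = "agentpool";   Id = 111 }   # deployment pool (the case the question ran into)
    @{ Type = "queue";       Id = 597 }   # regular agent pool queue
)

function Get-PermissionUri {
    param([string]$Type, [int]$Id)
    "https://dev.azure.com/$org/$project/_apis/pipelines/pipelinePermissions/$Type/$($Id)?api-version=$apiVersion"
}

function Test-PipelineAuthorized {
    # GET on the same endpoint lists what is already authorized; skip the PATCH if our
    # pipeline is listed, or if the resource has been opened to all pipelines.
    param([string]$Type, [int]$Id)
    $current = Invoke-RestMethod -Uri (Get-PermissionUri $Type $Id) -Headers $authHeader -Method Get
    if ($current.allPipelines.authorized) { return $true }
    return [bool]($current.pipelines | Where-Object { $_.id -eq $pipelineId -and $_.authorized })
}

function Grant-PipelinePermission {
    # PATCH authorizes exactly one pipeline definition on the resource, nothing else.
    param([string]$Type, [int]$Id)
    $body = @{ pipelines = @(@{ id = $pipelineId; authorized = $true }) } | ConvertTo-Json -Depth 3
    Invoke-RestMethod -Uri (Get-PermissionUri $Type $Id) -Headers $authHeader `
        -Method Patch -Body $body -ContentType "application/json"
}

foreach ($r in $resources) {
    if (Test-PipelineAuthorized $r.Type $r.Id) {
        Write-Host "pipeline $pipelineId already authorized on $($r.Type)/$($r.Id)"
        continue
    }
    try {
        $result  = Grant-PipelinePermission $r.Type $r.Id
        $granted = $result.pipelines | Where-Object { $_.id -eq $pipelineId }
        Write-Host "authorized pipeline $pipelineId on $($r.Type)/$($r.Id): $($granted.authorized)"
    }
    catch {
        # "The resource doesn't exist or the user doesn't have use permission" usually means the
        # ID was sent to the wrong resource type (queue vs agentpool) or the PAT lacks manage rights.
        Write-Warning "failed for $($r.Type)/$($r.Id): $($_.Exception.Message)"
    }
}
```

Two practical notes. First, the per-pipeline PATCH is the safer way to automate this: the "open access to all pipelines" toggle mentioned in the answer removes the gate for every current and future pipeline in the project, whereas authorizing only the definition ID your provisioning just created keeps that decision explicit per pipeline. Second, run the script with a PAT scoped to the environments and pools it has to manage rather than a full-access token, since anything that can authorize pipelines onto a deployment target can effectively put code on that target.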