It's clear that you can set which roles can deploy to a certain on-premise server thanks to the security settings in Deployment Groups and Agent pools. But is there any way of restricting access at webapp level?

The only ways I found are:

  1. Creating a specific account, giving it deployment permissions in the target server's IIS for the required webapps only, and providing these credentials to the developers in charge of creating the pipelines that deploy those webapps (they will put them as custom environment vars or similar in the pipelines).

  2. Same as 1, but using the created account as the service account of an agent. Access to this agent will be restricted to the developers in charge of creating the pipelines that deploy those webapps.

Both cases require creating new accounts and giving permissions in the server's IIS. Is there no way of doing this from Azure DevOps, in the same way that access to whole servers can be restricted?

Regards.

Josto

2 Answers

It's clear that you can set which roles can deploy to a certain on-premise server thanks to the security settings in Deployment Groups and Agent pools. But is there any way of restricting access at webapp level?

Sorry, but as far as I know Azure DevOps Service doesn't support such an out-of-the-box feature.

We can manage access at the Organization level (Organization settings), Project level (Project settings), Feature level (Security of the Pipelines/Deployment Groups feature...) and even the 'instance level' (set security for one specific pipeline/deployment group/one specific git repo).

But the 'instance level' is the lowest level: we can only manage access to a specific pipeline or a specific deployment group, not to one webapp that will be deployed by that pipeline/deployment group.

The webapp is not an object hosted by Azure DevOps Service; it's just something deployed by pipelines (which are hosted by Azure DevOps Service). So Azure DevOps Service actually has no knowledge of the webapp (it also won't have a UI that represents one webapp); that's why we can manage access to the pipeline but not to the webapp deployed by that pipeline...

Update 1

Once you have only one deployment group for the specific target server, you can determine who can access the deployment group here:

[Screenshot: the deployment group's Security settings]

A person who is assigned the Reader permission can't use the deployment group to deploy.

halfer
LoLance
  • Thank you for your answer :) What do you think about the two options I proposed to work around the problem? Any other (better or simpler) way to achieve it? Regards – Josto Jun 05 '20 at 07:43
  • @Josto For the above two options, I prefer option 1. (Just a personal idea.) I have no simpler way, and I'm a bit confused about why you want to restrict access at webapp level. I mean, we can set repo access levels to protect your code, set pipeline access to control the steps of your CI/CD, set deployment group access to protect your target server... But what are you trying to protect when limiting access to an app? Maybe it's an X-Y problem? (Anyway, vote for your question~) – LoLance Jun 05 '20 at 08:09
  • Because in each of our IIS servers there are several webapps developed by several teams. Every team is in charge of creating its own CD pipelines. An accident (or an attack) could break an app (or the whole server). I'm just applying the least privilege principle. – Josto Jun 05 '20 at 08:33
  • Hmm, got it. Thanks for the detailed info. Not sure which option you will choose finally; consider using [secret variables](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#secret-variables) if you will pass the credentials in pipelines. – LoLance Jun 05 '20 at 08:38
  • Just imagining: could it be possible to create an Azure DevOps service connection to a web app hosted on my on-premise server? – Josto Jun 08 '20 at 08:26
  • It seems there's no suitable official service connection for this requirement, so it's impossible for now. Also, if you're interested in creating a custom service connection, [this](https://learn.microsoft.com/en-us/azure/devops/extend/develop/service-endpoints?view=azure-devops) would be helpful. – LoLance Jun 08 '20 at 09:55
  • A custom service connection is exactly what I was thinking of, but assuming that we could make the on-premise server accessible to Azure DevOps, what task could I use for this? (Would the IIS Web App Deploy task be able to use the service connection?) Moreover: can I create a custom service connection linking to the IIS hosted on the server? – Josto Jun 08 '20 at 10:24
  • The [IIS Web App Deploy task](https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/iis-web-app-deployment-on-machine-group?view=azure-devops) doesn't accept a service connection as input, so it won't take your service connection. In my experience, third-party companies always develop custom service connections together with custom tasks, like this [custom extension](https://marketplace.visualstudio.com/items?itemName=tsuyoshiushio.k8s-endpoint)... It would need plenty of work. – LoLance Jun 09 '20 at 09:22
  • Nice example. I will check that source code. Thanks for your help! – Josto Jun 09 '20 at 10:50
Ok, following the suggestion from @Lance and after some research, this is what I'm planning to do:

  1. Create a custom service connection where the following fields can be set: the IIS server where the webapp is, the webapp name, a user (with deployment permissions) and a password.
  2. Together with the custom service connection, provide a custom task where the developer team can select the service connection against which they want to deploy (obviously, server admins will only configure service connections to the webapps this team is allowed to deploy).
  3. The agent will run with a low-privileged account (with no way of affecting any app), and the custom task will internally use the credentials provided in the service connection to perform the deployment.

I think that approach is the best workaround to the initial problem, and it can be extended to fix the granularity problem for other kinds of resources (like DBs, shared folders, ...) simply by adding another specific custom service connection (to specify the resource and the deployment credentials) and a linked custom task which allows deployments only against that resource.

The only drawback is that, if you want to set a deployment approval, you have to do it at resource level (for every webapp, for every DB, ...), and that means approvers will also have to approve resource by resource when deploying (instead of a single approval for the whole application deployment, as in my understanding it should be).

What do you think, guys? Any remarks before I start coding this?

Regards.

Josto
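As an added example (not code from the question or the answers), this is what the script of the custom task in step 3 could look like, using the VstsTaskSdk cmdlets and Web Deploy's msdeploy.exe. The service connection type name iisWebApp, its data field webAppName, and the task inputs iisConnection and packagePath are assumptions; the point it shows is that every value deciding where the deployment goes is read from the admin-created service connection, never from the pipeline.

```powershell
# Added example (not the question's or answers' code): body of the hypothetical
# custom task from the plan above, written with VstsTaskSdk cmdlets.
# Assumptions: task.json declares inputs "iisConnection" (type
# "connectedService:iisWebApp") and "packagePath"; the custom "iisWebApp"
# service connection stores the server's WMSVC URL as Url, the web app name
# ("Site/App") in data field "webAppName", and uses the basic-auth scheme.
[CmdletBinding()]
param()

Trace-VstsEnteringInvocation $MyInvocation
try {
    $connectionName = Get-VstsInput -Name iisConnection -Require
    $packagePath    = Get-VstsInput -Name packagePath -Require

    # Everything that decides WHERE we deploy comes from the service connection,
    # which only server admins create; the pipeline author cannot override it.
    $endpoint = Get-VstsEndpoint -Name $connectionName -Require
    $server   = $endpoint.Url                        # constructed example: https://iis01.example.local:8172/msdeploy.axd
    $webApp   = $endpoint.Data.webAppName            # constructed example: "Default Web Site/TeamA-App"
    $user     = $endpoint.Auth.Parameters.username   # IIS Manager user delegated to that site only
    $password = $endpoint.Auth.Parameters.password

    if ([string]::IsNullOrWhiteSpace($webApp)) {
        throw "Service connection '$connectionName' has no webAppName; refusing to deploy."
    }
    # The only pipeline-controlled value that reaches the command line: validate it
    # so a crafted path cannot smuggle extra msdeploy arguments.
    Assert-VstsPath -LiteralPath $packagePath -PathType Leaf
    if ($packagePath -match '"') { throw "packagePath must not contain quotes." }

    # Non-admin WMSVC users must name the site in the URL so IIS can check delegation.
    $siteName = $webApp.Split('/')[0]
    $dest = "auto,computerName=`"${server}?site=$siteName`",userName=`"$user`"," +
            "password=`"$password`",authType=`"Basic`""

    # Build the raw argument string ourselves so quoting reaches msdeploy verbatim.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName  = Join-Path $env:ProgramFiles 'IIS\Microsoft Web Deploy V3\msdeploy.exe'
    $psi.Arguments = "-verb:sync -source:package=`"$packagePath`" -dest:$dest " +
                     "-setParam:name=`"IIS Web Application Name`",value=`"$webApp`""
    $psi.UseShellExecute = $false
    $proc = [System.Diagnostics.Process]::Start($psi)
    $proc.WaitForExit()
    if ($proc.ExitCode -ne 0) { throw "msdeploy failed with exit code $($proc.ExitCode)" }
    Write-Host "Deployed package to '$webApp' on $server"
}
finally {
    Trace-VstsLeavingInvocation $MyInvocation
}
```

Because the task takes only a connection name and a package, the pipeline author's choice is limited to the connections the project admin has shared with that team, which is the webapp-level boundary the plan is after.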