Using Service Connections in Pipeline

In this guide, we explore how to use service connections in Azure Pipelines to securely access external resources without exposing sensitive credentials. Service connections are a cornerstone of modern DevOps practices, enabling seamless and secure interactions with resources such as Azure subscriptions, GitHub repositories, Docker registries, and more.

Service connections act as secure bridges between your pipelines and external services. They help centralize authentication details and remove the need to hardcode passwords or other sensitive data within your scripts.

The image illustrates the flow of service connections in Azure Pipelines, showing the sequence from Azure Pipeline to Azure Resource Manager Service Connection, Service Principal, and Resource Group, with a role associated with the Service Principal.

This setup not only enhances security but also streamlines the interaction with external resources.

What Are Service Connections?

Service connections in Azure DevOps are pre-configured settings that store the authentication details required to access external services. This means that your pipelines can log in automatically without manual credential entry every time.

The image is an introduction to service connections in Azure Pipelines, showing a diagram with "Credentials," "Authentication Details," and "Service Connections" linked to "External services," along with the Azure DevOps logo.

This flexible approach supports a wide range of services, including:

Azure: Deploy and manage Azure resources.
GitHub: Pull and push code from repositories.
Docker: Interact with Docker registries for container images.
Kubernetes: Connect to Kubernetes clusters for seamless deployments.

A key benefit of using service connections is enhanced security. By centralizing sensitive information, you significantly decrease the risk of exposing credentials in your pipeline code.

Azure DevOps offers various types of service connections tailored to different services:

Azure Resource Manager Connection: Best for interacting with Azure resources using a service principal.
GitHub Connection: Supports OAuth and Personal Access Token-based integration with GitHub.
Docker Connection: Designed for actions like pulling base images or pushing container images.
Kubernetes Connection: Ideal for Kubernetes deployments via kubeconfig files or service accounts.

Additional connection types, such as Bitbucket or Jenkins, are also available. It is crucial to select the appropriate connection based on the service to ensure automated access remains secure.

How to Create a Service Connection

Creating a service connection in Azure DevOps is a straightforward process. Follow these steps:

Open your project settings in Azure DevOps.
Locate the gear icon in the bottom left of the page.
Under the Pipelines section, select Service Connections.
Click on New Service Connection to open a list of available connection types, and choose the one that corresponds to your target service.

After selecting the required type, provide the necessary details (such as the authentication method and credentials). For instance, when setting up an Azure connection, you might need a service principal ID, a key, and a tenant ID. It is essential to secure these credentials appropriately.

The image is a step in a guide titled "Creating a Service Connection," instructing to go to the project settings in an Azure DevOps project.

The image shows instructions for creating a service connection, highlighting the need to provide authentication methods, credentials, and other settings. It includes a form for setting up a new NuGet service connection with options for authentication methods and other details.

Tip

Test your connection before saving it. Assign a descriptive name that you will refer to in your pipeline code to simplify management and future updates.

Setting Up Specific Service Connections

Azure Resource Manager Connection

Azure Resource Manager (ARM) connections are widely used for deploying and managing Azure resources. To set one up:

During the creation process, select Azure Resource Manager.
Choose your authentication method, typically involving a Service Principal—this account should have the minimum permissions required according to the principle of least privilege.
Enter the service principal details, including the ID, key, and tenant ID (available from Azure Active Directory).
Select the Azure subscription and, if necessary, a specific resource group to limit the scope.
Make sure the service principal’s permissions are the minimum needed for your pipeline tasks.

The image shows a configuration screen for setting up an Azure Resource Manager (ARM) connection, highlighting the selection of an authentication method, with options like service principal and workload identity federation.

The image shows a step in configuring an Azure Resource Manager (ARM) connection, instructing to select the Azure subscription and optionally the resource group, with a screenshot of the "New Azure service connection" interface.

GitHub Connection

Setting up a GitHub service connection allows your pipeline to access GitHub repositories. There are two main authentication choices:

OAuth: Authenticate by logging into GitHub through Azure DevOps.
Personal Access Token (PAT): Use a PAT created in GitHub with appropriate repository access permissions for greater control.

After configuring the authentication, test the connection before saving it.

Using Service Connections in Pipelines

Service connections can be integrated into both YAML and Classic Pipelines. The example below demonstrates how to use an Azure connection in a YAML pipeline with an Azure CLI task:

jobs:
  - job: deploy
    pool:
      vmImage: 'ubuntu-latest'
    steps:
      - task: AzureCLI@2
        inputs:
          azureSubscription: '<your-service-connection-name>'
          scriptType: 'bash'
          scriptLocation: 'inlineScript'
          inlineScript: 'az login --service-principal -u $(clientId) -p $(clientSecret) --tenant $(tenantId)'

In this snippet, the Azure CLI task securely references the service connection by its name through the azureSubscription field. This ensures that your login details remain secure and can be updated centrally without modifying the pipeline logic.

Below is a more complex YAML example deploying an Azure Resource Manager template using an ARM service connection:

trigger:
  branches:
    include:
      - main
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: AzureResourceManagerTemplateDeployment@3
    inputs:
      azureSubscription: 'ARM-Service-Connection'
      resourceGroupName: 'myResourceGroup'
      location: 'West US'
      templateLocation: 'Linked artifact'
      csmFile: 'templates/template.json'
      csmParametersFile: 'templates/parameters.json'

This example clearly specifies the service connection, the resource group, and the associated template files, ensuring a secure and efficient deployment of Azure resources.

Best Practices for Managing Service Connections

Effectively managing service connections requires balancing security, efficiency, and scalability. Consider the following best practices:

Best Practice	Description
Audit Regularly	Periodically review and remove any obsolete connections.
Apply Least Privilege	Configure each connection with only the permissions necessary for its tasks.
Rotate Credentials	Regularly update credentials to diminish the risk associated with long-term exposure.
Document Thoroughly	Maintain detailed documentation for each connection to facilitate management and security audits.

Security Warning

Always ensure that credentials and keys are stored securely and follow the principle of least privilege to minimize risks.

The image outlines best practices for managing service connections, including regular audits, least privilege principle, documentation, and rotation of credentials. It features a central icon with a thumbs-up and checkmark surrounded by a colorful circular design.

By following these best practices, you can create robust Azure Pipelines that streamline deployments while maintaining a secure environment.

Additional Resources

Leveraging service connections effectively not only secures your deployment pipelines but also simplifies the management of external resources, paving the way for efficient and scalable DevOps operations.

Watch Video

Watch video content